
Type: #TryHackMe
Links: https://tryhackme.com/room/mrrobot

This room will allow me to start completing the ‘Starter Series’ on TryHackMe, a series of beginner CTFs to help develop my penetration testing skills.

Starting the machine within TryHackMe, I opted to use the -sV flag with my nmap scan to enumerate the versions of the services running on the target machine. The scan found port 22/ssh, port 80/httpd and port 443/ssl/http, but nmap could not enumerate the versions.


The website reveals a command-line game, but nothing too interesting. As good practice I view the source of pages within the web server in case of hard-coded credentials; in this case, I opted to use gobuster to find directories within the web server.


Most of these lead to a 403 error, but it did reveal wp-login.php within the web server, which can be further enumerated using a tool like wpscan. Viewing the page source indicates that the WordPress version is 4.3.1.

Visiting http://10.10.112.168/robots reveals “fsociety.dic” and “key-1-of-3.txt”.


Navigating to http://10.10.112.168/key-1-of-3.txt reveals the first flag for the CTF, and navigating to http://10.10.112.168/fsociety.dic starts a download; the file contains a number of names, possibly indicating a wordlist.

I decided to use Burp Suite’s Intruder to attempt to brute-force the wp-login page, using the fsociety.dic wordlist.


Using the wordlist shows that “Elliot” produces a longer response length than all other username attempts; this could indicate a valid username with an unsuccessful password.


Using this username alongside a password results in the server displaying that the password is incorrect for the username “Elliot”, meaning that the password is the only thing left to crack.


The options for cracking the password are Hydra or wpscan; I opted for wpscan as it would be easier in this scenario. The main flags used were --url to specify the host, -U to indicate the user and -P to specify the password list.


The password takes a while to crack, around 20-30 minutes.
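Brute-forcing wp-login.php with Intruder or wpscan like this leaves a distinctive trail in the web server's access log. As an added example (not part of the original write-up or the room), the following Python script parses combined-format access log lines and flags any source IP that POSTs to /wp-login.php a threshold number of times within a sliding time window; the log lines, IPs, timestamps and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def detect_login_bruteforce(log_text, threshold=10, window_seconds=60):
    """Map each IP to the most POSTs to /wp-login.php it made inside any sliding
    window of window_seconds, keeping only IPs that reached threshold."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # drop attempts that fell out of the window
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def make_line(ip, ts, method="POST", path="/wp-login.php"):
    """Build a constructed combined-format line (sample data, not from the room)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 3582 "-" "Mozilla/5.0"'

BASE = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
# Constructed sample: 12 POSTs in 22 s from one client, 3 POSTs over 80 s from another, one GET.
SAMPLE_LOG = "\n".join(
    [make_line("10.0.0.5", BASE + timedelta(seconds=2 * i)) for i in range(12)]
    + [make_line("10.0.0.9", BASE + timedelta(seconds=40 * i)) for i in range(3)]
    + [make_line("10.0.0.9", BASE, method="GET", path="/")])
print(detect_login_bruteforce(SAMPLE_LOG))  # {'10.0.0.5': 12}
```

On a real server the same check runs over the live access log; the threshold and window should be tuned to normal login traffic, and a flagged IP is a candidate for rate limiting or blocking at the web server or WAF.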


Navigating to the plugins, I found that they can be edited. I started a listener on my host machine using Netcat, then navigated to the php-reverse-shell by pentestmonkey and uploaded the script.


After this I visited http://10.10.112.168/wordpress/wp-content/themes/twentyfifteen/404.php and got a reverse shell.


Using python -c 'import pty; pty.spawn("/bin/bash")' initialises a more stable shell. After using this I navigated to /home/robot and found a password.raw-md5 file.


As the hash is an MD5, it can be cracked fairly easily using CrackStation.


Using “robot” as the user, I used the su command to switch user.


After this I had the permissions to cat out key-2-of-3.txt; to find key 3 I would need to escalate my privileges. My first attempt was to run sudo -l, but “robot” does not have access to this. After this, I used the find command to see which files had the SUID bit set.


The hint given by TryHackMe involved nmap, and the find command revealed that it had the SUID bit set, meaning it could be the vector for privilege escalation. Navigating to GTFOBins provides a walkthrough on gaining root using nmap.


Executing these commands provides root access, and the last key is found within the /root directory.

This CTF was slightly more difficult than the previous CTF, and more knowledge on privilege escalation is needed for future CTFs.

