Mr Robot
Type: #TryHackMe
Links: https://tryhackme.com/room/mrrobot
This room lets me start working through the 'Starter Series' on TryHackMe, a series of beginner CTFs intended to help develop my penetration testing skills.
After starting the machine within TryHackMe, I ran nmap with the -sV flag to enumerate the versions of the services running on the target. The scan found port 22 (ssh), port 80 (http) and port 443 (ssl/http), but nmap could not identify the service versions.
The website shows a command-line style game, but nothing too interesting. As good practice I view the source of pages on a web server in case of hard-coded credentials; in this case I then used gobuster to find directories on the web server.
Most of these returned a 403 error, but the scan did reveal wp-login.php on the web server, which can be enumerated further with a tool like wpscan. Viewing the page source shows that the WordPress version is 4.3.1.
Visiting http://10.10.112.168/robots reveals "fsociety.dic" and "key-1-of-3.txt".
Navigating to http://10.10.112.168/key-1-of-3.txt reveals the first flag for the CTF, and navigating to http://10.10.112.168/fsociety.dic starts a download; the file contains a long list of names, which suggests a wordlist.
I decided to use Burp Suite's Intruder to attempt to brute force wp-login.php with the fsociety.dic wordlist.
Running the wordlist shows that the response for "Elliot" is longer than for every other username attempt; this could indicate a valid username with an incorrect password.
Submitting this username with a password makes the server state that the password is incorrect for the username "Elliot", so the password is the only thing left to crack.
The options for cracking the password are Hydra or wpscan; I chose wpscan as it is easier in this scenario. The main flags used were --url to specify the host, -U to set the username and -P to specify the password list.
The password takes a while to crack, around 20 to 30 minutes.
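The two things the login form gave away above, a different (longer) error for a valid username and no limit on repeated guesses, are both application-level mistakes. The following is an added example, not code from the writeup or from WordPress, showing a leaky login check beside a hardened one that returns a single generic message, spends the same hashing effort on unknown users, and locks an account after a fixed number of failures. The user "alice", her password and the threshold of five attempts are constructed for the example.

```python
"""Added example: username-enumeration and brute-force hardening of a login check.
Users, passwords and thresholds are constructed; nothing here is WordPress code."""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) for storage and checking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, digest).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the error text (and therefore its length) reveals whether the
    username exists, which is exactly what an Intruder run sorts on."""
    if username not in USERS:
        return "Invalid username."
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), digest):
        return "Welcome"
    return "The password you entered for the username " + username + " is incorrect."


GENERIC = "Invalid username or password."
LOCKOUT_THRESHOLD = 5          # constructed value; tune per deployment
FAILED = defaultdict(int)      # username -> consecutive failures
# Dummy credential so that unknown users cost the same hashing work as real ones
# (keeps response timing, not just response text, uniform).
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_hardened(username: str, password: str) -> str:
    """Hardened: one message for every failure, constant work per attempt,
    and a lockout once the failure counter reaches the threshold."""
    if FAILED[username] >= LOCKOUT_THRESHOLD:
        return GENERIC  # a locked account looks identical to any other failure
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    ok = hmac.compare_digest(_hash_password(password, salt), digest)
    if ok and username in USERS:
        FAILED[username] = 0
        return "Welcome"
    FAILED[username] += 1
    return GENERIC


if __name__ == "__main__":
    print(login_leaky("nobody", "x"))       # reveals that "nobody" does not exist
    print(login_leaky("alice", "x"))        # reveals that "alice" does exist
    print(login_hardened("nobody", "x"))    # same text either way
    print(login_hardened("alice", "x"))
```

Keying the failure counter on the username alone lets a remote party lock accounts on purpose, so a real deployment combines it with per-source rate limiting or exponential back-off rather than a hard lockout; the point shown here is that valid and invalid usernames must be indistinguishable in both text and timing.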
Navigating to the plugins, I found that they can be edited. I started a listener on my host machine using Netcat, then went to pentestmonkey's php-reverse-shell and uploaded the script.
After this I visited http://10.10.112.168/wordpress/wp-content/themes/twentyfifteen/404.php and got a reverse shell.
Running python -c 'import pty; pty.spawn("/bin/bash")' gives a more stable shell. After this I navigated to /home/robot and found a password.raw-md5 file.
As the hash is an MD5 it can be cracked fairly easily using CrackStation.
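The file name suggests a raw digest, and a raw MD5 of a password is exactly what lookup services such as CrackStation are built for: the same password always produces the same digest, so one precomputed table answers every such file. As an added example (not code from the writeup or the box), the block below contrasts that storage form with a salted, iterated record and shows how the proper form is parsed and verified. The user names, the password and the record format are constructed for the demonstration.

```python
"""Added example: why a raw MD5 credential file is weak, and what a password
record should look like instead. Names, passwords and the record layout are
constructed for this demonstration."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor; raise as hardware allows


def raw_md5_record(username: str, password: str) -> str:
    """The weak form: one unsalted MD5 per user. Equal passwords give equal
    digests, and a precomputed table maps digest -> password directly."""
    return f"{username}:{hashlib.md5(password.encode()).hexdigest()}"


def salted_record(username: str, password: str, salt=None) -> str:
    """Stored form: user:pbkdf2_sha256$iterations$salt$digest (salt and digest base64).
    A fresh random salt per user means no table can be built ahead of time."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "{}:pbkdf2_sha256${}${}${}".format(
        username, ITERATIONS,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_salted(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. Raises on an unknown scheme rather than silently accepting."""
    _user, scheme = record.split(":", 1)
    algo, iterations, salt_b64, digest_b64 = scheme.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def digests_collide(record_fn, password: str) -> bool:
    """True when two different users with the same password end up with the same
    stored digest (the property a precomputed lookup table relies on)."""
    a = record_fn("alice", password).split(":", 1)[1]
    b = record_fn("bob", password).split(":", 1)[1]
    return a == b


if __name__ == "__main__":
    print(raw_md5_record("alice", "summer2015"))   # same digest for every "summer2015"
    print(salted_record("alice", "summer2015"))    # unique per user, slow to recompute
```

The iteration count is stored inside the record so that it can be raised later without invalidating existing entries; verification reads it back rather than trusting a global constant.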
Using "robot" as the user, I used the su command to switch user.
After this I had permission to cat key-2-of-3.txt; to find key 3 I would need to escalate my privileges. My first attempt was to run sudo -l, but "robot" is not allowed to use sudo. I then used the find command to list files with the SUID bit set.
The hint from TryHackMe involved nmap, and the find command showed that nmap had the SUID bit set, meaning it could be the vector for privilege escalation; GTFOBins provides a walkthrough for gaining root using nmap.
Executing these commands gives root access, and the last key is found in the /root directory.
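The same find-for-SUID step that gave the escalation path is what an administrator should run routinely, comparing the result against a known-good baseline so that an unexpected setuid copy of a tool like nmap stands out. The block below is an added example, not code from the writeup, that walks a set of directories, collects regular files with the setuid bit, and reports those not on an allowlist. The baseline set is constructed and only loosely resembles a Debian-style host; build the real one from a clean image. A throwaway fixture function creates a setuid file in a temporary directory so the audit can be exercised without root.

```python
"""Added example: audit setuid files against an allowlist. The baseline is
constructed for illustration and the fixture creates a dummy setuid file."""
import os
import stat
import tempfile

# Constructed baseline: setuid binaries usually expected on a Debian-style host.
# Generate the real list from a known-good image rather than trusting this one.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}


def find_suid(roots):
    """Return the sorted paths of regular files under roots with the setuid bit set.
    Symlinks are not followed and unreadable entries are skipped, mirroring
    find / -perm -4000 -type f 2>/dev/null."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(path)
    return sorted(hits)


def audit_suid(roots, allowlist=EXPECTED_SUID):
    """Return the setuid files that are not on the allowlist: the ones to review
    (a setuid nmap, for instance, would appear here)."""
    return [p for p in find_suid(roots) if p not in allowlist]


def make_demo_tree():
    """Constructed fixture: a temporary directory holding one setuid shell script.
    Returns (directory, path). Setting u+s on a file you own needs no root."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    path = os.path.join(base, "fake-setuid-tool")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho demo\n")
    os.chmod(path, 0o4755)  # setuid bit + rwxr-xr-x
    return base, path


if __name__ == "__main__":
    for p in audit_suid(["/usr"]):
        print("unexpected setuid file:", p)
```

Run from cron and diffed against the previous output, the audit turns the one-off CTF trick into a detection: any new entry means a package upgrade changed file modes or somebody added a setuid bit by hand, and either case is worth a look.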
This CTF was slightly more difficult than the previous one, and more knowledge of privilege escalation will be needed for future CTFs.