I enjoy doing CTFs and I think everyone should try them; they allow us to hone our skills while having a little fun at the same time. This walkthrough is for TryHackMe's Mr. Robot machine, which can be found here.
Early disclaimer: all information that could lead to a quick win has been redacted. Enjoy!
Enumeration
In the enumeration stage our goal is to gather information on the target in order to find some sort of vulnerability. My first step is to use nmap to get a feel for which ports are open on the target machine.
nmap -sV ipaddr
The nmap scan shows us that ports 80 and 443 are open, both running Apache. Next we can navigate to each of these web pages to see what is being served on each port.
One way to discover other available directories on the web server is to brute force possible directory names using a wordlist. There are many tools that can do this, such as Dirb, DirBuster and gobuster; I will use Dirb. Note that Dirb takes the wordlist as a positional argument after the URL (its -w flag means "don't stop on warnings"):
dirb http://10.10.225.250 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
We need to search some of these directories to see if there is any information we can use.
Webpage Login
Fsocity.dic is a text file that could possibly contain some critical information. It turns out to be a list of possible passwords, and it can be retrieved with wget or curl. Now that we have a list of possible passwords, let's take a look at the login page. At the login page I tried some standard usernames and passwords like admin/admin with no luck. I also tried some names from the Mr. Robot show.
When trying to log in with a username that exists, the login page responds with a different message than when trying to log in with an invalid username. If we type a username that doesn't exist it says "Invalid login", but if we try to log in as elliot the error states "The password you entered for the username elliot is incorrect." With this information we can confirm the user elliot exists, and we can attempt to brute force the password with the file we found. We can use the same method to confirm that a user with the username admin exists, and brute force that account as well. The file is very large, so there are probably duplicates in it. We can sort the file and keep only unique words with the following command:
sort -u fsocity.dic > fsocity_sorted.txt
Now, using hydra, we can attempt to brute force the login.
hydra -l Admin -P fsocity_sorted.txt 10.10.225.250 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30
This command requires some explanation. -l specifies the single username to try, which is Admin; -P specifies the password list to try; then comes the target IP address. The next section can be worked out by opening the developer tools on the webpage (F12): we are using an HTTP POST request against the wp-login.php page, and the form's username and password fields are replaced with the variables ^USER^ and ^PWD^, which hydra substitutes on each attempt. Finally, we give the error string to expect for a failed login. Hydra treats any response containing this string as a failure and reports a response that does not contain it. The -t 30 option sets the number of tasks hydra runs in parallel, which speeds it up a little.
This works, but after going back through some of the earlier pages I noticed that I had missed something. At the bottom of the /license page we find an encoded password. It is base64, so we can decode it in our terminal:
echo "encoded password" | base64 -d
We can take the decoded password and attempt to login to the webpage:
Webpage login to shell
With access to the admin console we can attempt to edit or create a page that contains malicious code. To do this, navigate to Appearance > Editor > 404.php.
Here we can edit the code of the 404.php page. What we will do is include a reverse shell in the page, so that whenever it is accessed the server attempts to connect back to our Kali machine. The reverse shell code can be found here.
Now we will create a netcat listener on our Kali machine and access the 404 page on the webserver.
sudo nc -lvp 2846
The shell we have is neither stable nor convenient; we can use python to obtain a fully interactive shell:
Privilege Escalation
From here we can do some manual enumeration. We can navigate to the home directory and see another user called robot. We are able to navigate into that directory and view a file containing a hashed password:
To crack the hashed password we will use hashcat. I tried using the password list we used before, fsocity_sorted.txt, but I had no luck. Before giving up I wanted to try another common password list, so I tried rockyou.txt, and it seems to have worked.
hashcat -m 0 --force test.txt /usr/share/wordlists/rockyou.txt
The hash can be put into a hash analyzer site to determine what type of hash it is; if you do this it should say MD5. We use the -m 0 option to tell hashcat that it is an MD5 hash, and the --force option to ignore warnings. This is successful. We can now use the su command to switch to the robot user.
su robot
Robot to Root
From here we need to get root. There are a couple of things I check to try for an easy privilege escalation. The first is sudo -l, which lists any sudo permissions this account has. That was unsuccessful. Next, check for SUID file permissions, which we can do with the find command:
find / -perm /4000 -print 2>/dev/null
Here we can see that the nmap binary is SUID, so robot can run it with root privileges. If nmap is an older version we can use the --interactive option to get a shell. This works. Using the GTFOBins website we can see that within this interactive shell, running !sh gives us root access.
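The same SUID check is the one a defender should run on a schedule. As an added example that is not from the original post, the Python below walks a filesystem tree for setuid regular files (the same set `find / -perm /4000` reports) and diffs the result against an assumed baseline of expected SUID binaries, so a stray setuid nmap stands out; the baseline set and the constructed temp directory are my assumptions.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries expected on this host (hypothetical;
# build yours from a known-good image of the same system).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def find_suid_files(root="/"):
    """Walk `root` and return the sorted list of regular files with the
    setuid bit set, equivalent to `find root -perm /4000 -type f`."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished, like 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return sorted(found)


def unexpected_suid(paths, expected=EXPECTED_SUID):
    """SUID files not in the baseline, e.g. a setuid nmap, worth an alert."""
    return sorted(p for p in paths if p not in expected)


def make_constructed_tree():
    """Constructed sample: a temp dir holding one empty file with mode 4755.
    Returns (dir, path, bit_set); bit_set is False if the filesystem refused
    to keep the setuid bit."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    p = os.path.join(d, "fake_suid_bin")
    open(p, "w").close()
    os.chmod(p, 0o4755)
    bit_set = bool(os.stat(p).st_mode & stat.S_ISUID)
    return d, p, bit_set


if __name__ == "__main__":
    d, p, _ = make_constructed_tree()
    print("SUID in demo tree:", find_suid_files(d))
    print("unexpected on host:", unexpected_suid(find_suid_files("/")))
```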
Conclusion
Thanks for joining me on this journey; I had a blast and learned something new! This box has an awesome theme based on a great show and contains some interesting challenges. I hope you share my sentiments. Happy hacking!