tryhackme-writeups

Writeups for the ROOMS available at TryHackMe.com

View on GitHub

Mr. Robot CTF

Scan the Machine

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Nmap Scan

Looks like we have two ports open: 80, 443

Let’s check the webpage. The webpage is fascinating but nothing much to work with.

Run a GoBuster -> gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -t 50

It will take few minutes to finish and you will get a lot of directories. The important ones are:

ROBOTS.TXT

Robot.txt

Total Words

LICENSE

Sorry! for wasting your time there.

LOGIN

It seems a redirection to wp-login.php.

Login Page

Putting pieces together:

Vola! We can bruteforce. Dictionary is a key/value pair, so it can have username and password both. Fireup your BurpSuite

We can bruteforce username and password together but the total combination will be to much. So first we will try username and then password.

  1. Intercept the reqeust.
  2. Send it to Intruder.
  3. Add only username.

BurpSuite

  1. Select fsocity.dic as a payload and start the attack.

Username

BAAM! Username found. It’s Elliot (obviously).

Now that we have username, we can run the same attack for password. HEADSUP! I did that and it took like forever. Therefore, I recommend you guys to use Hydra -> hydra -l Elliot -P fsocity.dic 10.10.51.99 http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^: The password you entered"

You can get the log= part from the BurpSuite when you intercepted the request.

The reason is, it will take too much time as the password is at line 858,151. Password is ER28-0652 (this is Elliot’s Employee Number)

Grep Pass

Log in with Elliot:ER28-0652.

Login

We have the access to the PANEL. Search around and look for something interesting.

After spending a bit of time around. I found an injection point as Image Upload. I tried different things but it was hard-coded. Later, I found the page edit option Appearance > Editor; which has .php file.

So can we can add reverse-shell.php in any of the pages. I will be using 404.php but you can also use any other .php.

404 Page

Paste the reverse-shell code and change the IP to your IP and the PORT.

Change Port

Before opening the page, start a netcat listener using cmd nc -lvnp 4444

Listener

Save the webpage and go to http://<IP>/404.php. You will see a connection. First things First, we will stable the shell using python -c 'import pty;pty.spwan("/bin/bash")'

Shell Stable

There is flag in /home/robot but we do not have permission to read it.

Cannot Read files

But we do have permission to read password.raw-md5 file.

Content

Looks like user robot and its password hashed as Raw-MD5. We can crack this using Crack Station or JohnTheRipper -> john hash.txt --wordlist=fsocity.dic --format=Raw-MD5.

Crack Station

I used Crack Station. Credential -> robot:abcdefghijklmnopqrstuvwxyz

We can login as robot using su command.

Robot User

Now that we have access as robot, we can read key-2-of-3.txt.

Key 2

Privilege Escalation

Didn’t found anything interesting using sudo -l, so I tried looking for SUIDs using find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; | grep '/bin'

Reference -> PayloadsAllTheThings

SUID

Nmap is available, wonder if Hint was for this one. Go to GTFOBins and search for Nmap. I ran (b) script of Shell section.

SUID Nmap

You know what to do next :stuck_out_tongue_winking_eye:

Key 3