
Mr Robot CTF Writeup TryHackMe | VulnHub

Overview

<mr. robot> Hello friend. If you've come, you've come for a reason. You may not be able to explain it yet, but there's a part of you that's exhausted with this world... a world that decides where you work, who you see, and how you empty and fill your depressing bank account. Even the Internet connection you're using to read this is costing you, slowly chipping away at your existence. There are things you want to say. Soon I will give you a voice. Today your education begins.

This machine hosts a WordPress website. After enumerating the available directories on the site, log in to the admin panel of the WordPress site using a dictionary attack. The wordlist is listed in robots.txt, and the first flag is there too. Since WordPress is written in PHP, use a PHP reverse shell to get onto the target machine. There is a robot user whose password is stored as a raw MD5 hash. Crack the hash and become robot, where the second flag is found. Then use privilege escalation to become root; nmap with the SUID bit set can be used for that purpose. There are three flags to find.

Setup Environment

Here I explain two ways of accessing the Mr Robot target machine.
  1. Using VulnHub: download the MrRobot machine, install it on a virtualization platform like VirtualBox, configure the network there and start attacking it. The link is here.
  2. You can access this machine through TryHackMe as well. Download the VPN configuration file to your machine and connect with openvpn as:

Then start the machine.


Alternatively, you can use the AttackBox provided by THM.

The VPN is connected here because, for the attack to work, our machine and the target machine must be on the same network.

Once everything is done, we are ready to start scanning the target machine.

Scanning

First, note the IP address of the target machine. In THM it is shown on the room page, but in the case of VirtualBox you have to find it using tools like arp-scan or nmap.
In my case I used TryHackMe's machine. Do not focus on my target IP: because of an internet problem I restarted the machine, so different IPs appear in the figures.
Initially the target IP was: 10.10.173.33

As you know, the first step in such a CTF is scanning the target. I do the same here, using nmap:
$ sudo nmap -sC -sV -O 10.10.173.33 -oN nmap-scan
where,
-sC: equivalent to --script=default, i.e. runs the default NSE script set
-sV: determines the service/version information of open ports
-O: enables OS detection
-oN: stores the scan output in normal format, here in nmap-scan


It shows three ports, but all are closed. Obviously this is not what we expected, so I run nmap again with a different command:
$ nmap -A 10.10.173.33 -oN nmap-scan-new
here,
-A: enables OS detection, version detection, script scanning and traceroute
-oN: stores the output in a file


It shows that ports 80 and 443 are open, so let's visit the website...


Nothing special is found there, but the website itself is special. We don't know the sitemap of this website; there may be special directories, so we have to find them. Here I use gobuster:
$ gobuster dir -u http://10.10.173.33 -w /usr/share/wordlists/dirb/common.txt -o dirs.txt
here,
-u: URL of the target
-w: wordlist
-o: write the results to a file

/dashboard is special because it is the admin panel login interface for the WordPress website. Also check robots.txt, which is special for us as well.


The last entry is the first flag; visit it and record your progress.


fsociety.dic is a wordlist, which may be useful for logging in to the admin panel or dashboard of that website. So open it and save it on your machine.


Exploiting

Now, visiting the login interface, I try a random username and password, and it shows:


The username is invalid. Now we have to find a valid username first and then the password. Burp Suite can be useful in this situation. Open Burp Suite, open the browser from the Proxy tab and make sure intercept is on, so that all requests go through the Burp proxy.


Log in using a random username and password in Burp's browser.


Now look into Burp; there is something that looks like this...
The POST request that we make on the website reaches its destination through that proxy path.


From the options, send this request to Intruder. Here clear all selections and select only the username that you entered, so that we can apply the payload to the username.


Now, in the Payloads option, paste all the words found in fsociety.dic and start the attack.


A new attack tab opens. Look at the length of the response packets: a packet with a different length might be our result.


Here a different length is found for the user Elliot. Now return to the default browser where the website is open and try logging in with the username Elliot and a random password. Look at the response: it is different from before, which confirms that the username is correct.


Now the turn comes to finding the correct password. The same process used to find the username can be followed to find the password, but there is another option that can save time.
There is a tool called WPScan that is useful here. Use it with fsociety.dic as the password list (any other password list can be applied instead):
$ wpscan --url http://10.10.173.33/wp-login.php -U Elliot -P fsocity.dic
Here,
--url: URL of the target
-U: username or list of users
-P: list of passwords

The scan looks like this; I restarted the machine here, so a different IP address is shown.


At the end we find the password.
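Both the Intruder username enumeration above and this WPScan run hit wp-login.php with one POST per guess, which is very visible in the web server's access log. The following is an added example, not from the original post or the target machine, of how a defender would spot that traffic: it flags any client that sends several non-302 POSTs to wp-login.php inside a short window (WordPress answers a successful login with a 302 redirect). The log lines, threshold and window are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format sample (not from the target): one client guessing
# credentials in a tight loop, one other client that logged in successfully (302).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def login_bruteforce_sources(log_text, threshold=4, window_s=60):
    """Return {ip: max_attempts} for clients that sent at least `threshold` failed
    wp-login.php POSTs inside any `window_s`-second window. A 200 on that POST is
    the login form being re-shown (failure); a 302 is a successful login and is skipped."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") \
                and rec["status"] != 302:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

With real logs, feed the file contents to login_bruteforce_sources and lower the threshold for sites that never see legitimate repeated logins.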


Now log in to the dashboard of the website. To get a shell we have to launch a PHP reverse shell. The code for that can be taken from
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
In the theme editor, locate the 404 template and paste all the code there.


After saving it, the malicious code is executed whenever we visit the 404.php page. We also have to set up a listener on our own machine. There are two fields in the code, ip and port, which we have to change: ip must be the IP of the listener machine and port is the port number that machine listens on. Set up the listener:


After visiting 404.php on that website, the code is executed immediately and we get a shell.
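Once a theme template has been edited this way, the only trace on disk is a changed 404.php. As an added example (not the post's or the project's own code), the script below takes a hash snapshot of a theme directory and reports files that are new, changed or deleted since the baseline, naming any shell-spawning PHP functions (fsockopen and proc_open, which the reverse shell linked above relies on) found in the changed ones. The theme directory, its file contents and the function list are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls worth flagging when they appear in a freshly changed template.
# Hypothetical starting list; extend it for your own environment.
SUSPICIOUS = re.compile(r"\b(fsockopen|proc_open|shell_exec|passthru|popen)\s*\(")

def snapshot(theme_dir):
    """Map each file under theme_dir (relative path) to its SHA-256 hex digest."""
    root = Path(theme_dir)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(theme_dir, baseline):
    """Compare the live theme against a baseline snapshot.
    Returns {relative_path: reason} for files that are new, modified or deleted; for
    new/modified files the reason also lists any SUSPICIOUS calls found in them."""
    current = snapshot(theme_dir)
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings[rel] = "deleted"
            continue
        if rel in baseline and baseline[rel] == current[rel]:
            continue
        reason = "new" if rel not in baseline else "modified"
        text = (Path(theme_dir) / rel).read_text(errors="replace")
        hits = sorted(set(SUSPICIOUS.findall(text)))
        if hits:
            reason += " and calls " + ", ".join(hits)
        findings[rel] = reason
    return findings

def demo():
    """Constructed walk-through: clean theme, baseline, then 404.php is overwritten
    the way the editor step above does it (non-functional stand-in, same API calls)."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "theme"
        theme.mkdir()
        (theme / "404.php").write_text("<?php get_header(); ?><h1>Not found</h1>")
        (theme / "index.php").write_text("<?php get_header(); ?>")
        base = snapshot(theme)
        (theme / "404.php").write_text(
            "<?php $sock = fsockopen($host, $port); $proc = proc_open($cmd, $spec, $pipes); ?>")
        return audit(theme, base)
```

In production, store the baseline outside the web root and re-run audit() from cron; disabling the built-in theme editor removes this edit path altogether.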


We are the daemon user on that machine. For an interactive terminal we can use the following, since Python is installed there:


Another flag is there in the robot directory, but we don't have permission to access it.

Password Cracking

There is also a file with the MD5 hash of the robot user's password. Now we have to crack that hash to become robot. Luckily we can view the hash:


You can use John the Ripper, Hashcat or online tools to break the password. I used an online tool and found the password.

Privilege Escalation

Now use the username robot and that password to switch to the robot user. We now have the second of the three flags.


Robot doesn't have permission to run the sudo command.



So again we have to escalate privileges in order to find the last flag, which is located in the /root directory; we have to become root. There is a script called LinEnum.sh that helps with privilege escalation by finding vulnerable programs. Here I set up a web server on my machine using Python, fetch the script from the target shell using curl, and run it.


After the scan completes:


The interesting program found here is nmap, which has the SUID bit set. Use it to become root.
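The SUID nmap that LinEnum surfaced is exactly what a periodic audit of setuid files against a known-good allowlist would catch before anyone else does. Added example, not from the post: a Python checker that walks a tree for setuid regular files and reports those outside an allowlist. The allowlist and the sample directory layout are constructed stand-ins; a real baseline is taken from a clean reference image.

```python
import os
import stat
import tempfile

# Constructed, shortened allowlist of SUID binaries a stock host is expected to carry.
# Hypothetical: build the real one from a clean image, not from the host being audited.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount", "/bin/umount"}

def find_suid(root="/"):
    """Return sorted paths of regular files under root with the setuid bit set.
    lstat is used so symlinks are reported by their own mode, not their target's."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def unexpected_suid(paths, expected=EXPECTED_SUID, prefix=""):
    """Strip `prefix` (when auditing a chroot or mounted image) and return the SUID
    files not on the allowlist. Each entry needs a justification or chmod u-s."""
    stripped = [p[len(prefix):] if prefix and p.startswith(prefix) else p for p in paths]
    return sorted(p for p in stripped if p not in expected)

def demo():
    """Constructed mini root: one allowlisted SUID file, one stray SUID nmap copy, one
    ordinary binary. Returns what the audit would report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in (("usr/bin/passwd", 0o4755), ("usr/local/bin/nmap", 0o4755),
                          ("bin/ls", 0o755)):
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(full, mode)
        return unexpected_suid(find_suid(tmp), prefix=tmp)
```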


Now we have the last flag, the root flag:


Wrap up

Well done, we got root. If you are using THM, submit all the flags and the machine will be terminated. In the case of VirtualBox you can terminate it yourself.
Exit from the target machine's terminal:


We learned about various tools and techniques here. We used tools like nmap, WPScan, Burp Suite, john and hashcat, and learned to escalate privileges. This machine was not difficult. Thank you for reading.
Happy hacking!!
