TryHackMe Write-up: Mr. Robot

SVR Aravind
7 min read · Jun 10, 2021

A beginner-level, easy Capture The Flag (CTF) that challenges beginners to solve a variety of tasks using available tools and to hack into a server to steal data. In this post, a course task from HackerU: Red Team Pentester, I will show the steps I followed to get the flags.

Basic checks to perform before attacking the machine:

1. Power on the target machine and make a note of its IP address.

2. Start your Kali virtual machine.

3. Connect to the TryHackMe OpenVPN.

Let's start with an nmap scan. The options used:

-A: aggressive scan. Basically it runs scripts for common things, so you can better understand what you find is useful and what is not.

-sV: version detection, great for searching for exploits related to the detected version of a running service.

-Pn: treat all hosts as online, i.e. skip host discovery.

-sC: equivalent to --script=default.

You can type "man nmap" to view the summary of options.

Three (3) open ports were discovered: SSH, HTTP and HTTPS (443), on a Linux operating system.

Let us enumerate the server with a gobuster directory search.

# gobuster dir -u <Target Machine IP> -w /usr/share/wordlists/dirb/common.txt --timeout 60s

Inspecting robots.txt, we find the first flag:

# <Target Machine IP>/key-1-of-3.txt

robots.txt also lists another file, a wordlist named fsocity.dic. Save it and view its contents in the terminal:

# cat fsocity.dic

Could it contain the username and password? Brute-forcing the login with it, using Burp or any other method, is going to take a lot of time.

I sorted the gobuster directory list by status code in ascending order; basically I am interested in anything with status code 200. I kept looking through all the directories, and in the license directory, if you scroll to the end of the page source, you will find a base64-encoded value.

# <Target Machine IP>/license

Copy the base64-encoded value and save it as decode.txt. In the terminal, decode it:

# base64 -d decode.txt

Look for the decoded username and password in fsocity.dic. They are there, and this method saves a lot of time: brute-forcing would have taken considerably longer. Alternatively, you can sort the wordlist in ascending order and brute-force the username and password with Burp.

Enter the username and password on the WordPress login page. You can find the page, /wp-login, from the directory search.

# <Target Machine IP>/wp-login
# Login Successful

We need to find a way to upload a reverse shell to gain initial access to the server. In the Users menu you can find two (2) users, and Elliot is the administrator. As you navigate the site, under the Appearance tab you will find a sub-menu, "Editor".

On the Editor page you can find the theme's template files, with a .php extension, in the right-hand section. Click on archive.php; it contains PHP code. We can replace it with PHP reverse-shell code and start a netcat listener on the Kali attacker machine to get initial access.

Let us google for a PHP reverse shell.

Alternatively, reverse shells are also available on the Kali attacker machine:

# locate php-reverse-shell

I am going to copy php-reverse-shell.php to another directory, edit the code to update the IP address and port, and upload it into the WordPress editor.

# sudo nano robot.php

For the IP, type the Kali attacker machine's IP, and change the port to 1337. Save the file. Copy the contents of the PHP code and paste it into the template in the WordPress editor. Scroll to the bottom of the page; you will find an "Update File" button. Click on it.

After clicking Update File, you will see the message "File edited successfully."

Now, let us test the reverse shell.

Start a netcat listener on port 1337.

Open the browser, type the following path (the path where archive.php is located) and press Enter. As you can see, we got initial shell access.

# Directory path of themes in a WordPress site
http://<Target Machine IP>/wp-content/themes/twentythirteen/archive.php
# Initial Access
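The theme-editor path above works because the WordPress file editor is enabled and a theme file can be overwritten with arbitrary PHP. The following is an added defender-side check, not code from the write-up or from WordPress: it verifies whether `DISALLOW_FILE_EDIT` is set in wp-config.php (which removes the Editor menu) and scans theme PHP files for the socket and command-execution functions a dropped reverse shell needs. The install it audits is constructed in a temporary directory; the function list and file names are assumptions.

```python
"""Audit a WordPress install for the theme-editor path used above: is the
file editor disabled (DISALLOW_FILE_EDIT) and do theme PHP files call functions
a dropped reverse shell needs. Sample install is constructed; names assumed."""
import os
import re
import tempfile

# A PHP reverse shell needs a network socket plus a way to run commands.
SHELL_FUNCS = ("fsockopen", "proc_open", "shell_exec", "passthru", "popen")
EDIT_DISABLED = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def file_editor_disabled(wp_config_text: str) -> bool:
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true (no Editor menu)."""
    return EDIT_DISABLED.search(wp_config_text) is not None

def suspicious_theme_files(themes_dir: str) -> list:
    """Return (relative path, [functions]) for theme PHP files calling shell functions."""
    hits = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            found = [f for f in SHELL_FUNCS if re.search(r"\b%s\s*\(" % f, body)]
            if found:
                hits.append((os.path.relpath(path, themes_dir), found))
    return hits

def audit(wp_root: str) -> dict:
    """Run both checks against a WordPress root directory."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        cfg = fh.read()
    themes = os.path.join(wp_root, "wp-content", "themes")
    return {"editor_disabled": file_editor_disabled(cfg),
            "suspicious": suspicious_theme_files(themes)}

def build_sample_install() -> str:
    """Constructed sample: editor left enabled, archive.php replaced by shell-like PHP."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "twentythirteen")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n")
    with open(os.path.join(theme, "archive.php"), "w") as fh:
        fh.write("<?php $s = fsockopen($h, $p); $pr = proc_open('/bin/sh', $d, $pipes);\n")
    return root
```

Adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php is the fix for the first finding; the second is a detection aid, so confirm a hit against the theme's original file before acting on it.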

Let us stabilise the shell using the commands:

  1. python3 -c 'import pty;pty.spawn("/bin/bash")'
  2. export TERM=xterm-256-color
# id && whoami

From the above command, the current user is daemon and the UID is 1. Let us navigate to the home directory; there we find key-2-of-3.txt, but reading it gives permission denied. You can find another file called password.raw-md5. Its contents are a username and a password hash.

We need to crack the MD5 hash with the hashcat tool. Copy the MD5 hash into a text file and name it has.txt.

In the terminal window type the command below (-m 0 selects raw MD5); within a few seconds the password will be displayed.

# hashcat -m 0 has.txt /usr/share/wordlists/rockyou.txt
# Cracked Password

We now know the username and the cracked password. Let us log in with them.

From the above screen you can see that the current user is now robot, not daemon. Let us navigate to the home directory and check whether we can read the second flag.

To find the last flag we need root access. On Linux machines we can use commands to find which files run with root privileges. I will upload linpeas.sh to the target machine and execute it. LinPEAS enumerates all the possible ways to elevate privileges on a Linux system.

Start a simple Python HTTP server in the directory where linpeas.sh is located.

On the target machine, I will use wget to transfer linpeas.sh from the attacker machine. Before that I will navigate to the /tmp folder to avoid permission issues while transferring the file. As you can see, the file is transferred successfully.

Make it executable:

# chmod +x linpeas.sh

Run ./linpeas.sh and wait for it to complete.

In the SUID section, you can find something interesting: nmap.

What is SUID?

SUID (set-user-ID) is a permission bit that lets a user run a program with the permissions of the file's owner rather than those of the user who runs it.

Let us google GTFOBins: older versions of nmap supported an option called "interactive". With this option, users could execute shell commands from an nmap "shell" (interactive mode).
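The SUID finding above is exactly what a periodic permissions audit on the server should have caught. The following is an added example written for this write-up, not code from the author, LinPEAS or GTFOBins: it compares files carrying the SUID bit against an expected baseline, flags anything else (such as an nmap binary owned by root with SUID set), and clears the bit as remediation. The baseline set and the sample entries are assumptions; a real audit should build the baseline from the host's own package manager.

```python
"""Audit SUID binaries against an expected baseline, the check behind the nmap
finding above. The baseline and sample are assumptions; a real audit should use
the host's package-manager-verified list."""
import os
import stat
from typing import Iterable, List, Tuple

# Binaries that legitimately need set-user-ID root on a typical Linux host (assumed baseline).
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd"}

def unexpected_suid(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Paths whose mode has the SUID bit set but whose name is not in the baseline."""
    return [path for path, mode in entries
            if mode & stat.S_ISUID and os.path.basename(path) not in EXPECTED_SUID]

def scan_tree(root: str) -> List[Tuple[str, int]]:
    """Collect (path, mode) for regular files under root; feed the result to unexpected_suid()."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort the audit
            if stat.S_ISREG(st.st_mode):
                out.append((path, st.st_mode))
    return out

def strip_suid(path: str) -> int:
    """Remediation: clear the SUID bit (chmod u-s) and return the new permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.stat(path).st_mode)

# Constructed sample in os.stat form: 0o100000 = regular file, 0o4000 = SUID bit.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/local/bin/nmap", 0o104755),  # the write-up's finding: SUID nmap
    ("/bin/ls", 0o100755),
    ("/usr/bin/sudo", 0o104755),
]

if __name__ == "__main__":
    for suspect in unexpected_suid(SAMPLE):
        print("unexpected SUID binary:", suspect)
```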

Upon executing it we obtain key 3 of 3, hence entering Mr. Robot. There are many ways to perform the above, but this method is the easiest. We hope you find it effective and interesting and that it helps you improve.
