Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Mr. Robot CTF - TryHackMe Room
What is key 1?
First of all, start with a port scan: sudo nmap -sV 10.10.157.176
- Open ports
PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd 443/tcp open ssl/http Apache httpd
Use gobuster
for folder/file enumeration: gobuster dir -u https://10.10.157.176 -k -w /usr/share/wordlists/dirb/big.txt
In the following path https://10.10.157.176/robots.txt
we found this text:
User-agent: *
fsocity.dic
key-1-of-3.txt
Download https://10.10.157.176/fsocity.dic
file.
And the first key is in https://10.10.157.176/key-1-of-3.txt
.
What is key 2?
Surfing to the website we find a login page: https://10.10.157.176/wp-login.php
.
At the beginning of fsocity.dic
there are some potentially usernames (mrrobot, Robot, Elliot).
I tried Elliot
in the fogot password page https://10.10.157.176/wp-login.php?action=lostpassword
and I received confirm of the correct username.
Use wpscan
to perform a dictionary attack on login page.
wpscan --disable-tls-checks --url https://10.10.157.176/wp-login.php -U Elliot -P /home/yami/Desktop/thm/fsocity.dic
It will take a long time to find the correct password, because it is at the end of the wordlist of more than 800000 words. Password is ER28–0652.
Now we have credentials to enter in the wordpress management page.
We are admin so we can upload a reverse shell inside Appearance –> Editor –> 404.php.
On local machine use nc -nvlp 9000
and execute via browser https://ip-address/wp-content/themes/twentyfifteen/404.php.
When we will be inside, we’ll land such as daemon user.
There is a chance to make the present shell more stable by using Python’s Pty module:
Go to /home/robot/
.
We have to crack md5 hash to find robot’s password. Use John The Ripper.
Now we have user password to catch the second key.
What is key 3?
Now we have to perform privilege escalation. We have to find some vulnerabilities in the kernel or in some files.
For privilege escalation we can use either LinPEAS or LinEnum tools which will identify potential vectors for PE in the target server. In order to scan the system, we’ll need to transfer one of the scripts to the victim machine. For this purpose we can use SimpleHTTPServer Python module.
But we also can run the following command which searches for all files having SUID bit set: find / -perm -u=s -type f 2>/dev/null
TryHackMe hint suggested nmap. It is version 3.81 and it has an interactive mode in which nmap runs with “sudo” privileges. (https://vk9-sec.com/nmap-privilege-escalation/).
We can find third key under /root
.
References: