This is the first write-up I have done in a while and the first I have done for THM! This one is quite long, as there are a few more steps with it being rated as an intermediate room, but if you work through it logically you can do it!
If you need help finding these, please check out my links page; the ones I’ve listed are the ones that don’t come with Kali by default.
PHP Reverse Shell
Burp Suite (if you’re unsure how to use this, please complete the room THM has on it)
From the brief, there was nothing much to gain other than that there are 3 flags to capture, and they are listed as key 1 etc. I’m guessing they won’t be called that. Having never watched Mr Robot, I’m hoping this doesn’t put me at a disadvantage.
Like all CTFs, I started out by doing my nmap scan with my usual syntax:
nmap -sC -Pn -sV -oN ./nmap/initial <TARGET_IP>
These are the results I got from nmap:
So it looks like my main option is going to be through the website.
The website runs a console emulation program; from the interaction when this loaded I knew it was a honeypot, so I decided to try it another way.
I did a Gobuster scan using the syntax below:
gobuster dir -u <TARGET_IP> -w /usr/share/wordlists/dirbuster/big.txt -x html,php,txt
From this scan I found quite a few directories; the two I’m interested in, though, are robots.txt and wp-login.
Going to the robots.txt file, I found two interesting files.
Well, key 1 of 3 sounds great, so I opened that and got my first key. I then downloaded the .dic file.
From reading this I could tell it was a genuine dictionary file, so I’m guessing some password cracking is coming up.
So, onto the wp-login page.
I knew from looking at this that I didn’t have a username or password, so after quickly checking the page source for any names contained in code comments or messages, I decided to try the dictionary to get me the username and password.
Luckily, it gives me an error telling me my username was invalid, so I captured the login request using Burp Suite and got the below.
That last line is exactly what I’m looking for, so I can build my hydra command, which was:
hydra -L fsocity.dic -p guessing <TARGET_IP> http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.236%2Fwp-admin%2F&testcookie=1:F=Invalid username"
Hydra came back really quickly and I was able to get the username.
Now, with just a slight modification to my hydra syntax, I’ve got the password too!
hydra -l Elliot -P fsocity.dic 10.10.129.236 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.236%2Fwp-admin%2F&testcookie=1:S=302"
And we are logged in!!
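From the defender’s side, the username enumeration and password guessing above leave an obvious trace in the web server’s access log. The following is an added example, not code from the original write-up: it flags a source IP that gets many non-redirect (failed) responses to POSTs against the login page inside a short window, and records whether a 302 (a successful login) follows the burst. The log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def detect_wp_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag IPs that POST to the login page and get a non-302 (failed login) at least
    `threshold` times inside `window`. A 302 after the burst means a guess worked."""
    attempts = defaultdict(list)   # ip -> timestamps of failed POSTs in the window
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login"):
            continue
        if status == 302:
            if ip in findings:
                findings[ip]["success_after_burst"] = True
            continue
        hits = attempts[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # drop attempts older than the window
            hits.pop(0)
        if len(hits) >= threshold and ip not in findings:
            findings[ip] = {"first_seen": hits[0], "success_after_burst": False}
    return findings

# Constructed sample: 25 failed guesses in 25 seconds, then a successful login
SAMPLE = [
    f'10.0.0.9 - - [12/Mar/2021:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
    for i in range(25)
] + [
    '10.0.0.9 - - [12/Mar/2021:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [12/Mar/2021:10:00:41 +0000] "GET /robots.txt HTTP/1.1" 200 41',
]

if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(SAMPLE).items():
        print(ip, info)
```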
Getting a Shell
So, I appreciate that at this point there are a few different ways I could do this, and I had a few things go through my head, but I decided to go with a PHP reverse shell set up to act as a WordPress plugin, so that’s what I’m going with.
If you don’t have one already made, that’s fine: use the PHP reverse shell from Pentest Monkey, then paste the code below into line 2 (the comment block).
If you’re using this for the first time, scroll down and change the IP address to your IP and the port to whatever port you want to set your listener on.
/*
Plugin Name: Super Safe Plugin
Plugin URI: http://mindyour.biz
Description: This is super not suspicious
Version: 1.0
Author: Trustworthy Person
Author URI: http://trust.me
Text Domain: shell
Domain Path: /languages
*/
Once you have your zip file, upload it into WordPress as a plugin, but don’t activate it just yet.
We need to set up a listener first on our Kali machine (or whatever machine you’re using). 9002 is the port I set within my PHP reverse shell.
nc -lvnp 9002
Once I have my listener set, I can click “Activate” on the WordPress page and I’ve got my shell.
From here I’m going to find what I can access. I decided to start with the home directories; there was only one user though.
cd home
cd robot
In here I found two files: one was the key, which I tried to read but couldn’t because of my rights; the other a very vulnerable-looking MD5!
Well, since this is named md5, I’m going to go with this being MD5. I could have put this through Hashcat, but in all seriousness I used CrackStation just because it was quicker to copy what I had in front of me into there.
That took literally no time at all and I’ve got the password for the robot account.
So this is where I ran into a snag, as I couldn’t use the su command to switch users in my current shell, so I needed to upgrade my shell and then escalate my privileges.
Time for Upgrades!
So my plan from this point forward: upgrade my shell, switch to the robot user, then escalate my privileges.
I learnt a really quick way to upgrade these from an article by ropnop, which is in my useful links; if you didn’t know how to do this, I really want you to go read the link and learn it!
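The plugin header above makes the upload look legitimate in the admin panel, but the file body still has to open a socket and spawn a process. As an added example (not from the original post), here is a small Python scanner that walks a wp-content/plugins tree and reports PHP files whose code calls functions a normal plugin almost never needs; the two sample sources are constructed, and the function list is an assumed starting heuristic, not a complete one.

```python
import os
import re

# Calls a legitimate plugin rarely needs but a PHP reverse shell relies on (assumed list).
# A hit is a starting point for manual review, not proof on its own.
SUSPICIOUS = re.compile(
    r'\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|pcntl_exec)\s*\('
)
HEADER = re.compile(r'^\s*\*?\s*Plugin Name:\s*(.+)$', re.MULTILINE)

def scan_plugin_source(src):
    """Return (plugin name or None, sorted list of suspicious calls) for one PHP file's text."""
    name = HEADER.search(src)
    calls = sorted({m.group(1) for m in SUSPICIOUS.finditer(src)})
    return (name.group(1).strip() if name else None, calls)

def scan_plugins_dir(root):
    """Walk a plugins directory and yield (path, plugin name, calls) for PHP files with hits."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                name, calls = scan_plugin_source(fh.read())
            if calls:
                yield path, name, calls

# Constructed sample: a header like the one pasted above, over code that opens a socket
SAMPLE_BAD = """<?php
/*
Plugin Name: Super Safe Plugin
Description: This is super not suspicious
*/
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$process = proc_open($shell, $descriptorspec, $pipes);
"""
# Constructed sample: a harmless plugin that only echoes text
SAMPLE_OK = """<?php
/*
Plugin Name: Hello Dolly
*/
function hello_dolly() { echo esc_html('Hello'); }
"""

if __name__ == "__main__":
    print(scan_plugin_source(SAMPLE_BAD))   # ('Super Safe Plugin', ['fsockopen', 'proc_open'])
    print(scan_plugin_source(SAMPLE_OK))    # ('Hello Dolly', [])
```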
python -c 'import pty; pty.spawn("/bin/bash")'
From there we can get key 2!
So now that I had my user account, I was working on the assumption that the final flag was in root, as I couldn’t access it!!
I decided to use LinPEAS, so I uploaded this with an HTTP server (which I started from a terminal in the folder where I had it saved, to make it easier).
This is where something like Tilix really helps, as you can easily have your web server running in the same console window.
To start the web server, run this command from a terminal that is not your reverse shell (this command is case sensitive).
python -m SimpleHTTPServer
Then, in your reverse shell, first go into the tmp folder with
Once in the tmp folder, again in your reverse shell, you can use the command below to download LinPEAS into the target’s tmp directory.
Once you’ve downloaded this, LinPEAS needs marking as executable with
chmod +x linpeas.sh
This can then be run with
Once this has run there is a lot of information to go through. I usually go to the SUID section first for privesc, and on our target machine this is what it came back with.
When LinPEAS marks something in yellow, you know it’s gotta be good. Even without that, nmap having the SUID bit set does stand out.
So I checked the version just by typing nmap on the command line and found it was version 3.81. Didn’t some previous versions have an interactive mode?
I used that, and indeed it did have interactive mode available.
It was then a simple command to get a shell.
So let’s go to the root directory and see what we find.
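A setuid nmap is exactly the kind of thing a periodic audit should catch before LinPEAS does. As an added example (not from the original write-up), here is a Python script that lists setuid files under a root and diffs them against an expected baseline; the baseline set is an assumption and should be built from a clean image of the same distribution.

```python
import os
import stat

# Assumed baseline of setuid binaries expected on the host; build it from a clean
# install of the same image and keep it under version control
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/bin/mount", "/bin/umount", "/bin/ping",
}

def find_suid(root="/"):
    """Walk `root` without following symlinks and return every regular file
    that has the setuid bit set, as a dict of path -> owner uid."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue                 # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[path] = st.st_uid
    return found

def unexpected_suid(present, baseline=EXPECTED_SUID):
    """Return (path, uid) for setuid files not covered by the baseline, sorted by path.
    Root-owned entries are the urgent ones: any binary that can spawn a shell
    (nmap's interactive mode in the write-up) hands out a root shell when setuid root."""
    return sorted(
        (path, uid) for path, uid in present.items() if path not in baseline
    )

if __name__ == "__main__":
    for path, uid in unexpected_suid(find_suid("/")):
        print(("ROOT " if uid == 0 else "     ") + path)
```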
And we have our final key!!
I realise this is probably a long write-up, but I wanted to cover everything just in case anyone reading was having trouble with this room.
I really liked this room, as it tries to grab your attention with the website first, and once you’re past that it uses a lot of different skills which, if you didn’t already have them, would be a great way to learn.
Thanks to Ben at TryHackMe for the challenge!