TryHackMe: Mr. Robot CTF Writeup

Photo by Jason Leung on Unsplash
IP = 10.10.84.57* 
Difficulty: Medium
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux

Brief Description

A Mr. Robot themed machine (I haven't seen the series itself but I will watch it if I have some time to spare.) which involves getting a foothold in a Wordpress site using the sensitive file we will get on the web server. Without further ado, let's get started in hacking!

Reconnaissance

Scoping and Preparation

Connect to Tryhackme OpenVPN Server using:

  • sudo openvpn [.ovpn_file]

I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding entry to /etc/hosts file.

1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go 
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

You can also download the release binary by using go install : go install github.com/hambyhacks/CTFRecon-Go@latest

To use CTFRecon-Go if installed using go install:

  • sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

nmap results summary.
nmap scan result.

Nmap result does not give so much information, so we need to proceed to enumerate the web server at port 80 and 443.

Web Enumeration

webpage at port 443(HTTPS).

In the webpage, we can see that there are set of commands that we can use to see how the web server works.

HTML source of webpage.

Looking through the source code, we can see there are some .js files and looking at them does not help me that much because I can't read javascript files properly.

web technologies used.

Using wappalyzer, we managed to enumerate the versions of technologies used the web server. The one that stands out is knowing that the webpage is running WordPress!

Content Discovery

By gut feeling, I typed in the URL search bar robots.txt to see if there are some sort of directories we can look at and voila, we found some interesting files.

robots.txt file.

Files named fsocity.dic and key-1-of-3.txt are listed on robots.txt file. Type that in the URL search bar and download them. ( key-1-of-3.txt is the web flag.)

Let's look inside the contents of the file named fsocity.dic. Just by looking at the file extension, I got some feeling that this file is a dictionary file that we can use for bruteforcing the login in webpage specifically in /wp-login.php. But for the sake of completeness, we will check the contents of the file.

using file command on fsocity.dic

As shown in the image above, using the file command does not give us anything useful. ( if there is something useful, don't hesitate to tell me. I am still a newbie and keeps on learning!)

contents of fsocity.dic

Looking inside the contents of the file fsocity.dic, it seems like a passwords list. Let's check how many lines does the file have.

line count for fsocity.dic

Oof, thats a lot of line count to use in a bruteforcing tool such as hydra. But we can check if those lines are duplicate and remove them. We can use the sort command.

Syntax:

  • sort -u fsocity.dic > [FILENAME_FOR_SORTED_fsocity.dic]

Let's check now if there are improvements for the file.

using sort command to remove duplicate entries in file.

Phew! That's a relief! From 800k+ lines to 11k+ lines. We can now try to use this sorted file in a bruteforce tool such as hydra and etc.

Before that, we can navigate through different endpoints in the web server.

Knowing that the webpage is running WordPress, we can check the login page by visiting the endpoint: /wp-login.php.

/wp-login.php.

We have dictionary for possible usernames and passwords for the machine but 11k lines of words will still take long for us to bruteforce. Since it is a Mr. Robot themed box, the name of characters in the series must be one of the username used in the machine. Searching through google, I looked for the characters list.

mr. robot characters in the series.

Also by reading the wiki, Elliot Alderson is the main character in the series. Let's try if elliot is a possible user in the webpage.

verbose login error.

The login form gives so much verbosity that confirms our guess that elliot is a valid user in the webpage.

There are 2 exploitation paths we can use:

  1. through xmlrpc.php or
  2. bruteforcing the login page at wp-login.php

I used the method 2 because the exploits I found on github are outdated and written in python2 which gives me a lot to troubleshoot. ( I am still learning how to code and will try to implement the exploit using Golang.)

Exploitation

We have a username and possible dictionary of usernames and passwords and we also know that the webpage is running WordPress. We can now try to exploit the webpage by bruteforcing the login page in /wp-login.php

Steps to reproduce

  1. Intercept the login HTTP request at /wp-login.php using Burp Suite.
  2. At the bottom of HTTP request, copy the line that looks like login parameters. (ex: log=elliot&pwd=123123123&wp-submit=Log+In&redirect_to=https%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1)
  3. Using hydra, we can now try to brute force the login form by using the module https-post-form. I removed the parameter redirect_to and added S as success string for hydra to find if it successfully found the password.

Syntax:

  • hydra -l [USERNAME] -P [PASSWORD_LIST] [IP] https-form-post '/wp-login.php:log=elliot&pwd=^PASS^&wp_submit=Log In&testcookie=1:S=Location' -t 64 -I
hydra syntax for using https-form-post.

4. The S string looks for Location header in the HTTP response if it successfully logged in the webpage.

5. After some time, hydra managed to get the credentials for elliot.

found elliot’s credentials using hydra.

6. We can now login through the webpage as elliot.

7. Still we do not have foothold on the internal machine.

8. I created a .php file contains simple and not malicious code, phpinfo().

simple phpinfo() file.

9. We can try to find some upload functionality to test if we can have a shell in the machine.

tried to upload file with .php extension.

10. We tried to upload .php file as media for the post but failed. We can try to confuse the filters and try to upload a .php file.

uploaded a file with .php.jpg extension.

11. Yay! We successfully bypassed the upload filter! But the real question is, will it run?

error in file uploaded.

12. Sadly, there is an error on our file, so we need to find another way to have foothold.

13. Looking at /wp-admin/theme-editor.php, we can edit some code!

14. Let's try to edit some templates specifically 404.php which loads when the web server receives HTTP 404 error as response.

theme editor specifically 404.php

15. But where do we find the templates we just edited? Let's ask google!

location of themes in WordPress.

16. We now know where it resides and the theme we are editing is named twenty-fifteen. We can guess that the theme resides in /wp-content/themes/twenty-fifteen/404.php

successful execution of phpinfo().

17. Since the edited 404.php file can be executed, we can try to edit again the file so we can gain a shell on the machine.

edited the 404.php file to a reverse shell.

18. Using PentestMonkey's php reverse shell, I edited the 404.php to a reverse shell file.

19. Start a netcat listener at your specified port and navigate to /wp-content/themes/twenty-fifteen/404.php

Syntax:

  • nc -lvnp [PORT]

20. Reverse shell should pop after navigating to 404.php!

reverse shell popped!

Table 1.2: Credentials

credentials found on machine.

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Linux privilege escalation checklist.

Notes: For more information about the commands look here

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

Navigating through the machine, we can see there is python3 binary and also enumerated the users in the machine which has name robot.

/etc/passwd contents and python3 binary which can be used to upgrade the shell.

Let's look at the /home/robot directory contents.

found md5 hash of robot’s password.

Using CrackStation, we managed to retrieve the password for robot user!

found the cleartext equivalent of robot’s password

Such a simple but long password! We can now move laterally using robot.

robot cannot run sudo.

We cannot use sudo as robot.

Privilege Escalation

Using the checklist above, I looked first if there are SUID binaries that we can use for privilege escalation.

SUID nmap.

We have nmap binary that has SUID permissions! Let's check out GTFOBins to see if we can use this as a vector for privilege escalation. Which turns out we can!

GTFOBins for spawning shell using nmap.

To elevate our privileges:

rooted.

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Persistence

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedback are also appreciated! :D

Donation Box

Not required but appreciated! :D

Socials

Originally published at https://hambyhacks.hashnode.dev.

--

--

--

Self-taught cybersecurity learner :D

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

MSBI QUESTIONS AND ANSWER

Create a Java Package to Query a Redshift Cluster

Producter Glossary: Sprint

CS373 Fall 2021 Week of 6 Sep — 12 Sep: Victor Xia

Better Perl: Four list processing best practices with map, grep, and more

A Guide to My Content on Artificial Intelligence

Disputes Among Contractors

disputes among contractors

How to build offline web applications with CouchDB and PouchDB

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
hamby

hamby

Self-taught cybersecurity learner :D

More from Medium

TryHackMe: AttacktiveDirectory (Walkthrough)

TryHackMe: Overpass 2 — Hacked Writeup

WriteUp — HackTheBox : Backdoor

Pickle Rick TryHackMe CTF Writeup