
TryHackMe - Mr Robot




1. The first step, as always, is an nmap scan. It shows the HTTP, HTTPS and SSH ports open.



2. Then I took a look at the robots.txt file using curl. This can also be done in a browser. Here I found our first key and also a dictionary file. I used curl to display the key and downloaded the dictionary file using wget. Key is 073403c8a58a1f80d943455fb30724b9



3. I had also started dirbuster the moment I knew port 80 was open, and it found a login page.


4. An interesting thing about a WordPress login page is that it tells you separately whether the username was correct or not.

5. I used Burp Suite to brute force the login form with the given dictionary file. I captured the request and then sent it to Intruder. Here I used a cluster bomb attack on the username and password positions. However, I recommend using hydra unless you have the Pro version of Burp Suite.



6. A different response length suggests an anomaly, so I tried the corresponding values: username Elliot and password true. The error message states that the password is incorrect, which is a direct hint that the username is correct. The next step is to brute force this login form again using the username Elliot.


7. This time I tried hydra, to show brute forcing with another tool. It actually came up with tons of passwords, but all of them were wrong for some reason. So I tried again with wpscan.



8. A look at fsocity.dic shows that it contains lots of duplicate words, so I filtered it through sort and saved the unique words in another file. The command I used for this is: sort --unique --ignore-case fsocity.dic > fsocity2.dic

9. Then I used this file as the wordlist to brute force the login form and obtain the password. For this I used wpscan; the command is: wpscan --url http://10.10.232.12 --usernames Elliot --passwords fsocity2.dic --password-attack wp-login


So after half an hour I finally stumbled upon Elliot's password: ER28-0652
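As an added illustration for steps 5 to 9 (this is not part of the original walkthrough), here is what the same brute force looks like from the server side. The script below parses web-server access-log lines in the common combined format, counts POST requests to /wp-login.php per client inside a sliding time window, and flags sources that exceed a threshold. The log lines are constructed for the example, and the threshold, window and the use of a 302 redirect as the "login succeeded" signal are my assumptions about a stock WordPress install.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not captured from the room.
# One client hammers /wp-login.php and eventually gets a 302; another logs in once.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2020:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5429 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5429 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5429 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5431 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5429 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5429 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2020:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2020:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2020:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(m["status"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client whose
    number of login POSTs inside any `window` reaches `threshold`."""
    per_ip = defaultdict(list)
    for ip, ts, status in parse_login_posts(log_text):
        per_ip[ip].append((ts, status))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # Assumption: WordPress re-renders the form with HTTP 200 on a failed
            # login and answers a successful one with a 302 redirect, so a 302
            # after a burst of 200s is the case to escalate first.
            flagged[ip] = {
                "attempts": len(events),
                "succeeded": any(status == 302 for _, status in events),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs in a burst, success={info['succeeded']}")
```

Note that the detector keys on request rate, not on the response-length difference that step 6 relies on; rate limiting or lockout on /wp-login.php (and xmlrpc.php, which wpscan can also use) is what stops this class of attack, and the per-client counts above are the evidence for tuning those limits.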

10. I also tried using these credentials to ssh into the server but wasn't able to.

11. My next approach was using a reverse shell to get a shell into the server.

12. For this I downloaded a php-reverse-shell script from this link and changed the IP address to my machine's. NOTE: Kali already has this file. Try finding it. HINT: it's under webshells.

13. Then I started a listener on my server using: nc -lvnp 1234

14. Then I logged into the WordPress admin panel and followed this path: Appearance --> Editor --> 404.php. Here I pasted the php-reverse-shell code and requested the page using curl. You can also browse to it normally using any browser.

15. And voila, I got a reverse shell. I upgraded my shell using: python -c 'import pty; pty.spawn("/bin/bash")' Then I went to the home folder and was able to locate the 2nd key, but wasn't allowed to read it and got a permission denied. So I looked at the other file.



16. The interesting thing to notice here is how two strings are separated by a colon. This format is sometimes used to refer to a username and password combination. We also have a hint that this is a password hashed with MD5. So my next step was to look it up on crackstation.net. The result was abcdefghijklmnopqrstuvwxyz.
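Why the lookup in step 16 works instantly is worth seeing in code. The added example below (mine, not part of the original walkthrough) parses a user:hash line, recovers the password from an unsalted MD5 digest with a precomputed table, and then shows the contrast with a salted, slow password hash that a lookup table cannot answer. The credential line and the tiny wordlist are constructed; the digest is the RFC 1321 test vector for MD5 of the lowercase alphabet, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed credential line in the user:hash shape the walkthrough describes.
# The digest is the RFC 1321 test vector for MD5("abcdefghijklmnopqrstuvwxyz").
CRED_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed mini wordlist standing in for a precomputed lookup table.
WORDLIST = ["password", "123456", "letmein", "abcdefghijklmnopqrstuvwxyz", "qwerty"]

PBKDF2_ROUNDS = 600_000  # assumption: iteration count in line with current guidance


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_cred_line(line):
    """Split 'user:hash' into its two parts; the digest is normalised to lower case."""
    user, _, digest = line.strip().partition(":")
    if not user or len(digest) != 32:
        raise ValueError(f"not a user:md5 line: {line!r}")
    return user, digest.lower()


def lookup_unsalted_md5(digest, wordlist):
    """Return the plaintext whose MD5 equals `digest`, or None.

    This works only because MD5 is fast and unsalted: identical passwords
    give identical digests, so one table built in advance answers every
    leaked hash. That is exactly what a site like crackstation does."""
    table = {md5_hex(w): w for w in wordlist}  # built once, reused for every lookup
    return table.get(digest)


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256); returns a storable string."""
    salt = salt or os.urandom(16)  # fresh random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    user, digest = parse_cred_line(CRED_LINE)
    print(f"{user}: MD5 lookup -> {lookup_unsalted_md5(digest, WORDLIST)}")
    stored_a = hash_password("abcdefghijklmnopqrstuvwxyz")
    stored_b = hash_password("abcdefghijklmnopqrstuvwxyz")
    print("same password, different stored values:", stored_a != stored_b)
    print("verify:", verify_password("abcdefghijklmnopqrstuvwxyz", stored_a))
```

The two hash_password calls on the same password produce different stored strings, which is the whole point: a table keyed on the digest alone is useless against salted hashes, and the iteration count makes each guess expensive on top of that.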



17. Then I used su to switch to the other account (robot in this case).



18. This last step took me ages to find. I used find to look for all of the files with the SUID bit set. The command was: find / -perm -u=s 2>/dev/null

19. Then I ran the same command on my own system and compared their output. The interesting thing was that nmap was listed on the target server.
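Steps 18 and 19 are, from the defender's side, a baseline check: the set-uid binaries on a host should match a known-good list, and anything extra is a finding. As an added example (mine, not from the original walkthrough), the script below does the same thing as the find command plus the manual comparison: it walks a directory tree, collects regular files with the set-uid bit, and diffs them against a baseline. The baseline list is a constructed, illustrative set of binaries typically set-uid on a Debian-style host, not an authoritative one, and /usr/local/bin/nmap in the usage below is a placeholder path.

```python
import os
import stat
import sys

# Constructed, illustrative baseline of set-uid binaries for a Debian-style host.
# A real baseline is generated from a known-good image of the same build.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
}

# Pseudo filesystems that are pointless (and slow) to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root):
    """Return sorted paths of regular files under `root` with the set-uid bit set.

    Equivalent to `find root -perm -u=s -type f`; unreadable entries are skipped
    rather than aborting the scan, which is what `2>/dev/null` hides."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=None):
        # Prune pseudo filesystems in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def diff_against_baseline(found, baseline):
    """Split the scan result into (unexpected, missing) relative to the baseline.

    `unexpected` is the list worth investigating: a set-uid binary that the
    build never shipped with is either a packaging mistake or a deliberate
    backdoor left by someone who already had root."""
    found, baseline = set(found), set(baseline)
    return sorted(found - baseline), sorted(baseline - found)


def main():
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = find_suid(root)
    unexpected, missing = diff_against_baseline(found, EXPECTED_SUID)
    print(f"{len(found)} set-uid files under {root}")
    for path in unexpected:
        print(f"UNEXPECTED set-uid: {path}")
    for path in missing:
        print(f"baseline entry not found: {path}")


if __name__ == "__main__":
    main()
```

On a host like the one in this room, a scan result containing a placeholder such as /usr/local/bin/nmap would land in the unexpected list, which is precisely the comparison step 19 performed by hand. Scheduling this check and alerting on a non-empty unexpected list is a cheap detection for the persistence technique the rest of the walkthrough relies on.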




20. This felt like I was onto something. Looking into it, I found that the version of nmap was very old and had a feature called interactive mode, which allowed me to get a shell on the system through nmap.

21. Then I ran the id command and saw that my effective user ID was root's. Privilege escalation was complete. The last step was to browse to the root folder and cat the 3rd key.



