
TryHackMe - Mr Robot




1. The first step, as always, is an nmap scan. So we have the http, https and ssh ports open.



2. Then I took a look at the robots file using curl. This can also be done in a browser. Here I found our first key and also a dictionary file. I used curl to display the key and downloaded the dictionary file using wget. Key is 073403c8a58a1f80d943455fb30724b9



3. I also started dirbuster at the beginning, the moment I knew port 80 was open, and found a login page within.


4. Now an interesting thing about a WordPress login page is that it tells you separately whether your username was correct or not.

5. I used burpsuite to brute force the login form using the given dictionary file. I captured the request and then sent it to intruder. Here I used a cluster bomb attack on the username and password positions. However I recommend using hydra unless you have the pro version of burpsuite.



6. A different length value suggests an anomaly. So I tried the values corresponding to it, with the username as Elliot and the password as true. The error message states that the password is incorrect; however, this is a direct hint that the username is correct. The next step is to brute force this login form again, using Elliot as the username.


7. This time I tried to use hydra, to explain the brute force using another tool. And I actually came up with tons of passwords for it. But all of them were wrong for some reason. So the next time I tried it again using wpscan.



8. A look at fsocity.dic tells us that it contains lots of duplicate words. So I filtered it through sort and saved unique words in another file. The command that I used for this is: sort --unique --ignore-case fsocity.dic > fsocity2.dic

9. Then I used this file as a wordlist to brute force the login form in order to obtain the password. For this I used wpscan and the command is: wpscan --url http://10.10.232.12 --usernames Elliot --passwords fsocity2.dic --password-attack wp-login


So after half an hour I finally stumbled upon the password of Elliot:ER28-0652
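Seen from the server, the half-hour brute force in steps 5 to 9 shows up as a long run of failed login POSTs from one client. The following is an added example, not part of the original post: it assumes an Apache/nginx "combined" access log and that WordPress answers a failed login POST with status 200 and a successful one with a 302 redirect; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): spot wp-login.php brute forcing
# in a web access log. All log lines below are constructed sample data.

# Constructed sample in "combined" log format.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2664 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3685 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3685 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3685 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3685 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2021:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3685 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2021:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Read a combined-format log on stdin. For every client with at least $1
# failed login POSTs, print the failure count and whether a successful
# login (302) followed once that threshold had been reached.
wp_login_bruteforce() {
    awk -v min="$1" '
        # $1 = client IP, $6 = "\"METHOD", $7 = request path, $9 = status
        $6 == "\"POST" && ($7 == "/wp-login.php" || index($7, "/wp-login.php?") == 1) {
            if ($9 == 200)
                fails[$1]++                      # failed attempt
            else if ($9 == 302 && fails[$1] >= min)
                success[$1] = 1                  # login succeeded after many failures
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%s failed=%d success_after=%s\n", ip, fails[ip], ((ip in success) ? "yes" : "no")
        }
    ' | sort
}

# Demo on the constructed sample with a threshold of 3 failures.
sample_log | wp_login_bruteforce 3
```

A `success_after=yes` line is the case that needs a password reset and a review of what the account did afterwards, not just a blocked address.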

10. I also tried using these credentials to ssh into the server but wasn't able to.

11. My next approach was using a reverse shell to get a shell into the server.

12. For this I downloaded a php-reverse-shell script from this link and changed the IP address to my machine's. NOTE: Kali already has this file. Try finding it. HINT: it's under webshells

13. Then I started a listener on my server using: nc -lvnp 1234

14. Then I logged into the WordPress server and followed this path: Appearance --> Editor --> 404.php. Here I pasted the php-reverse-shell code and went to this page using curl. You can also browse to it normally using any browser.

15. And voila I got a reverse shell. I changed my shell using: python -c 'import pty; pty.spawn("/bin/bash")' Then I went to the home folder and was able to locate the 2nd key but wasn't allowed to access it and got a permission denied. But then I looked at the other file.



16. The interesting thing to notice here is how two strings are separated by a colon. This is sometimes used to refer to a username and password combination. We also have a hint that this is a password encrypted using md5. So my next step was to decrypt it using crackstation.net. The result was abcdefghijklmnopqrstuvwxyz.



17. Then I used su to switch to another account (robot in this case).



 18. This last step took me ages to find. I used find to look for all of the files that had the SUID bit on. The command was: find / -perm -u=s 2>/dev/null

19. Then I ran the same command on my system and compared their output. The interesting thing was that nmap was listed on the target server.




20. This felt like I was onto something. Looking into this I found that the version of nmap was very old and it had a feature called interactive which would allow me to have a nmap shell into the system.

21. Then I tried the id command and saw that my effective user ID was that of root. Privilege escalation has been successfully completed. The last step was to browse to the root folder and cat the 3rd key.
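Steps 18 and 19 amount to diffing one machine's SUID list against a known-good one, which is also a routine hardening audit. The following is an added example, not part of the original post: the two file lists and the nmap path are constructed, and a real run would feed it the output of `list_suid` from each host.

```shell
#!/bin/sh
# Added example (not from the original post): report SUID binaries that are
# present on a host but absent from a known-good baseline.

# List every regular file with the SUID bit set under $1 (default /), sorted.
# -xdev keeps the scan on one filesystem; errors from unreadable dirs are dropped.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -u=s 2>/dev/null | LC_ALL=C sort
}

# Print paths that appear in the target list ($2) but not in the baseline ($1).
# Both files hold one path per line, sorted in the C locale (as list_suid does).
suid_not_in_baseline() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Demo with constructed lists: the baseline is a clean reference install,
# the target additionally carries a SUID nmap (constructed path).
demo_unexpected() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' /bin/mount /bin/su /usr/bin/passwd /usr/bin/sudo \
        > "$tmp/baseline.txt"
    printf '%s\n' /bin/mount /bin/su /usr/bin/passwd /usr/bin/sudo \
        /usr/local/bin/nmap > "$tmp/target.txt"
    suid_not_in_baseline "$tmp/baseline.txt" "$tmp/target.txt"
    rm -rf "$tmp"
}

demo_unexpected
```

Any path this prints should either be added to the baseline with a reason or have its SUID bit removed with `chmod u-s`.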



