Today we're going to take a crack at the Mr. Robot CTF on TryHackMe. I need to say before we begin that I love the design of this lab! The website is so cool, and so well thought out, it was just great. I really encourage you to look at all of the videos, it's pretty hackery. 😀
Once you're ready, put on your FSOCIETY hoodie and let's hack the world!
As soon as your machine is loaded, we can begin with our basic enumeration. First things first, when we open the IP address of the machine in our browser we're met with a command-line-like website. Every command that you type in will load a video, so it's not really that important (but you can check it out if you'd like).
Hmm, we can see that the ssh port is closed. There is an ssl/http port that is of interest though. Let's run a gobuster scan to see which directories we can enumerate.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <your machine IP> -t 50
We can see that robots.txt mentions a key-1-of-3.txt file. It also lists a fsocity.dic file which contains a list of passwords. Save this file because we'll need it later. Let's navigate to it:
We won't get very far without a username and password (duh!). If we run a wpscan scan against the web application to see if we can find a user, we get nothing useful (except the WordPress version, which we could possibly exploit).
wpscan --url http://<your machine IP>/wp-login --enumerate u
We now have one of two options: manually trying different usernames, or using Burp Suite's Intruder to find a username. When I first did this CTF, I tried my luck by going with the obvious usernames: MrRobot and Elliot.
Now that we have a username, we can go back to wpscan (or in my case I chose hydra) and run through the fsocity.dic file that we downloaded above to find a valid password for Elliot.
export ip=<your machine IP>
hydra -l Elliot -P ./Downloads/fsocity.dic $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
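A defender-side counterpart to the step above, added here and not part of the original write-up: a small script that flags the wordlist run against wp-login.php in an Apache access log by rate alone. The log lines are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log line; the regex keeps only the fields we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return {ip, ts, method, path} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
    }

def detect_wp_bruteforce(lines, threshold=10, window_s=60):
    """Map each source IP to the time it first made `threshold` POSTs to /wp-login.php
    within a sliding window of `window_s` seconds (both values are assumptions). Every
    wordlist guess is a POST to this path whatever the response, so we ignore status codes."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged

# Constructed sample: twelve POSTs in twelve seconds from 10.10.14.5, and one normal login from 10.10.14.9.
SAMPLE_LOG = [
    f'10.10.14.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3547'
    for i in range(12)
] + [
    '10.10.14.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2891',
    '10.10.14.9 - - [01/Jan/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
if __name__ == "__main__":
    for ip, ts in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"possible wp-login brute force from {ip}, first seen {ts.isoformat()}")
```

On the sample, only 10.10.14.5 is reported, at the tenth POST; a single legitimate login never reaches the threshold.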
From here on, our next moves are pretty standard. Let's see if we can get a reverse shell using php by pasting our shell into the 404.php file in the theme editor. Remember to save this new file. You can download the reverse shell from pentestmonkey, and remember to update the IP address with the address of your OpenVPN interface (not your machine IP!) and insert the port of your choice (I left it at 1234).
Let's see if we can crack this password hash. Head over to CrackStation and enter the hash.
Let's see what user we currently are by running whoami. We're running as daemon, but we can log into the user robot's account since we have the password (the one we just cracked)!
Now that we're logged in as robot, let's see which binaries we can access (to see if we can escalate our privileges by exploiting a SUID binary).
find / -perm -u=s -type f 2>/dev/null
The binary /nmap looks promising. Head over to GTFOBins and read up on how we can escalate our privileges using this binary. We need to run an interactive shell, which will give us root access.
There were a bunch of steps I took in between that didn't pan out into anything. There weren't any vulnerabilities for the WordPress version, in case you were wondering. Ultimately, it was quite an easy CTF! 😁
I hope this was easy enough for you to follow, and until next time, happy hacking!
See more on my GitHub.