TryHackMe-MrRobotCTF
NMAP
Nmap scan report for 10.10.200.232
Host is up (0.23s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.16 seconds
PORT 80
Looking at robots.txt, which is a basic enumeration step: it lists the files the site does not want crawled.
We have two entries here: fsociety.dic,
which looks like a wordlist, and key-1-of-3.txt,
which holds the first flag.
Gobuster
/images (Status: 301)
/index.php (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/wp-login.php (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/wp-includes (Status: 301)
This was the list of directories I was able to find, but only wp-login
was of interest; the rest of them returned forbidden-access messages.
So we need a username. There isn't any username on the blog, so we might have to guess it by trial and error, but we have fsociety.dic,
which might be useful for usernames. Let's intercept the login request to get the parameters and then start brute-forcing it with hydra.
But brute-forcing against a whole list of usernames is going to take a lot of time, so, since this box is themed on Mr. Robot and the main character of that series is Elliot, that is the obvious username to try.
So this username is correct; all we need to do is brute-force against the words in fsociety.dic. But picking the first word, which is "true",
it has 150 matches, so the list has a number of repeated words and we need to remove the duplicates (I checked this through Sublime's regex mode).
You can see the difference once the repeated words are removed.
Perfect. Now let's continue with intercepting the request and brute-forcing it with hydra.
But hydra was taking longer than usual, so I moved to wpscan to brute-force elliot's password.
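From the defender's side, the burst of POST requests that hydra or wpscan send to /wp-login.php stands out in the Apache access log. The following Python example is added here and is not part of the original writeup; it assumes Apache "combined" log format, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the detection needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that POST to /wp-login.php at least `threshold` times inside any
    `window`. WordPress answers a failed login with 200 (form re-rendered) and a
    successful one with 302, so a 302 from a flagged client is reported as well."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in attempts.items():
        events.sort()
        start, peak = 0, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            findings[ip] = {"attempts_in_window": peak,
                            "success_seen": any(st == 302 for _, st in events)}
    return findings

def _line(ip, sec, method, path, status):  # helper to build constructed log lines
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample log (not from the writeup): one client sends six failed
# logins in six seconds and then succeeds; another client just browses.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in range(1, 7)]
    + [_line("198.51.100.7", 8, "GET", "/blog", 200),
       _line("198.51.100.7", 9, "POST", "/wp-login.php", 200),
       _line("203.0.113.5", 11, "POST", "/wp-login.php", 302)])
```

Run `find_login_bruteforce(SAMPLE_LOG)` to see the flagged client; a flagged client whose burst ends in a 302 is the case worth escalating, since it means a guessed password was accepted.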
Now go to Appearance -> Editor.
Then select the Twenty Fifteen theme and paste in the PHP reverse shell from pentestmonkey (the GitHub one).
Click on the Update button.
Stabilize the shell.
In robot's home directory
we can see an MD5 hash that we need to crack in order to switch user.
We can see a cron job running on the system.
Looking for SUID binaries, we find that nmap has the SUID bit set.
Going to GTFOBins.