MrRobots - tryhackme

p4p1


Created on Sat 24 Oct 2020



I'm finally back; it feels like ages even if it's only been around a month. I just had to complete a few things before being able to do some THM stuff. This room is really cool: a bit of WordPress and some privilege escalation.

Reconnaissance

Nothing much, just the regular scans:

          
            Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-08 13:55 CEST
            NSE: Loaded 151 scripts for scanning.
            NSE: Script Pre-scanning.
            NSE: Starting runlevel 1 (of 3) scan.
            Initiating NSE at 13:55
            Completed NSE at 13:55, 0.00s elapsed
            NSE: Starting runlevel 2 (of 3) scan.
            Initiating NSE at 13:55
            Completed NSE at 13:55, 0.00s elapsed
            NSE: Starting runlevel 3 (of 3) scan.
            Initiating NSE at 13:55
            Completed NSE at 13:55, 0.00s elapsed
            Initiating Ping Scan at 13:55
            Scanning 10.10.169.43 [2 ports]
            Completed Ping Scan at 13:55, 0.04s elapsed (1 total hosts)
            Initiating Parallel DNS resolution of 1 host. at 13:55
            Completed Parallel DNS resolution of 1 host. at 13:55, 0.03s elapsed
            DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 0, DR: 1, SF: 4, TR: 4, CN: 0]
            Initiating Connect Scan at 13:55
            Scanning 10.10.169.43 [65535 ports]
            Discovered open port 80/tcp on 10.10.169.43
            Discovered open port 443/tcp on 10.10.169.43
            Connect Scan Timing: About 19.78% done; ETC: 13:58 (0:02:06 remaining)
            Connect Scan Timing: About 46.86% done; ETC: 13:57 (0:01:09 remaining)
            Completed Connect Scan at 13:57, 126.31s elapsed (65535 total ports)
            Initiating Service scan at 13:57
            Scanning 2 services on 10.10.169.43
            Completed Service scan at 13:58, 12.28s elapsed (2 services on 1 host)
            NSE: Script scanning 10.10.169.43.
            NSE: Starting runlevel 1 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 9.15s elapsed
            NSE: Starting runlevel 2 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 2.07s elapsed
            NSE: Starting runlevel 3 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 0.00s elapsed
            Nmap scan report for 10.10.169.43
            Host is up, received syn-ack (0.043s latency).
            Scanned at 2020-09-08 13:55:42 CEST for 150s
            Not shown: 65532 filtered ports
            Reason: 65532 no-responses
            PORT    STATE  SERVICE  REASON       VERSION
            22/tcp  closed ssh      conn-refused
            80/tcp  open   http     syn-ack      Apache httpd
            |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
            | http-methods: 
            |_  Supported Methods: GET HEAD POST OPTIONS
            |_http-title: Site doesn't have a title (text/html).
            443/tcp open   ssl/http syn-ack      Apache httpd
            |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
            | http-methods: 
            |_  Supported Methods: GET HEAD POST OPTIONS
            |_http-server-header: Apache
            |_http-title: Site doesn't have a title (text/html).
            | ssl-cert: Subject: commonName=www.example.com
            | Issuer: commonName=www.example.com
            | Public Key type: rsa
            | Public Key bits: 1024
            | Signature Algorithm: sha1WithRSAEncryption
            | Not valid before: 2015-09-16T10:45:03
            | Not valid after:  2025-09-13T10:45:03
            | MD5:   3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
            | SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b

            NSE: Script Post-scanning.
            NSE: Starting runlevel 1 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 0.00s elapsed
            NSE: Starting runlevel 2 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 0.00s elapsed
            NSE: Starting runlevel 3 (of 3) scan.
            Initiating NSE at 13:58
            Completed NSE at 13:58, 0.00s elapsed
            Read data files from: /usr/bin/../share/nmap
            Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
            Nmap done: 1 IP address (1 host up) scanned in 150.34 seconds
          
        

Seeing port 80 open, I decide to run a gobuster scan and in parallel inspect robots.txt, where I find this:

          
            User-agent: *
            fsocity.dic
            key-1-of-3.txt
          
        

I decide to download the two files: the first one is a giant dictionary with a lot of duplicates and the second is just a flag. After messing around the website a bit more, I found the famous WordPress login page.

The WordPress login page leaks valid usernames: its error message for an unknown username differs from the one for a wrong password, so I ended up confirming most of the usernames.

Exploitation

The first bit of the exploitation was very straightforward: brute force the username with the dictionary, then the password.
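As an added example (not from the original write-up), here is the defender's view of the brute force described above: a small detector run over constructed Apache access-log lines that counts POSTs to wp-login.php per client IP and flags sources exceeding a threshold. The log format and the threshold are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format; the regex keeps only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from the original post): one client hammering
# wp-login.php until it succeeds, one normal visitor, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2020:13:55:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2020:13:55:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2020:13:55:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2020:13:55:02 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Sep/2020:13:56:10 +0200] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Sep/2020:13:56:12 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Sep/2020:13:57:00 +0200] "GET /robots.txt HTTP/1.1" 200 55 "-" "curl/7.68.0"
"""

def login_attempts(log_text):
    """Count POSTs to wp-login.php per client IP, split by outcome.
    A 200 on POST means WordPress re-rendered the form (failed login);
    a 302 is the redirect WordPress sends after a successful login."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        if not m['path'].startswith('/wp-login.php'):
            continue
        (succeeded if m['status'] == '302' else failed)[m['ip']] += 1
    return failed, succeeded

def suspicious_sources(log_text, threshold=3):
    """Return {ip: (failed_count, saw_success)} for IPs with at least
    `threshold` failed POSTs; saw_success marks a likely cracked account."""
    failed, succeeded = login_attempts(log_text)
    return {ip: (n, succeeded[ip] > 0)
            for ip, n in failed.items() if n >= threshold}

if __name__ == '__main__':
    for ip, (n, cracked) in suspicious_sources(SAMPLE_LOG).items():
        print(f'{ip}: {n} failed logins' + (', then success' if cracked else ''))
```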

With that username and password I was able to access the wp-admin page. From there I moved to the plugins section and added my own code to an existing plugin:

With that reverse shell embedded, we can gain access to the machine by launching the plugin!

Privilege Escalation

I think this was the easiest privilege escalation I have done in a while! With the shell ready I moved to the /home folder and inspected which users existed and what I could read.

          
          daemon@linux:/$ cat /home/robot/password.raw-md5
          robot:c3fcd3d76192e4007dfb496cca67e13b # md5: abcdefghijklmnopqrstuvwxyz
          
        

With that being the first thing I found, I decided to just su into the robot account and see what I could do from there. I then moved on to looking for SUID binaries and found that nmap was set as a SUID binary; with the help of GTFOBins I was able to obtain root!
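As an added example (not from the original write-up), this is the audit a defender would run to catch the misconfiguration above: list setuid binaries and flag any that are not on an expected baseline, such as an nmap binary carrying the setuid bit. The baseline set is an assumption and should be adjusted to the distribution being audited.

```python
import os
import stat

# Baseline of setuid binaries a stock Linux install is expected to carry
# (assumption: adjust to the distribution being audited).
EXPECTED_SUID = {
    '/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/su', '/usr/bin/chsh',
    '/usr/bin/chfn', '/usr/bin/gpasswd', '/usr/bin/newgrp', '/usr/bin/mount',
    '/usr/bin/umount', '/usr/bin/pkexec',
}

def is_setuid(mode):
    """True when the setuid bit is set on a regular file (directories with
    the bit set are not flagged)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def unexpected_suid(entries, baseline=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Returns the sorted paths that
    are setuid but not on the baseline, i.e. what the audit should flag."""
    return sorted(p for p, m in entries
                  if is_setuid(m) and p not in baseline)

def walk_suid(roots=('/usr', '/bin', '/sbin', '/opt')):
    """Yield (path, mode) for every file under `roots` using lstat, so
    symlinks are not followed; feed the result to unexpected_suid()."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue

# Constructed sample (not from the original post): an expected setuid
# binary, a plain executable, and the setuid nmap found in the write-up.
SAMPLE_ENTRIES = [
    ('/usr/bin/passwd', 0o104755),        # setuid, on the baseline
    ('/bin/ls', 0o100755),                # plain executable
    ('/usr/local/bin/nmap', 0o104755),    # setuid, not expected -> flagged
]

if __name__ == '__main__':
    for path in unexpected_suid(walk_suid()):
        print('unexpected setuid binary:', path)
```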


Thank you for reading, check out my other write-ups and follow me if you like what I do :)

My tryhackme account