Mr Robot
In this blog:
- Connecting to OpenVPN.
- NMAP.
- DIRB.
- Foxy Proxy / Burp Suite.
- Hydra.
- WPScan.
- PHP reverse shell.
- Hash-identifier.
- Privilege escalation with SUID binary.
Connecting to OpenVPN (Linux)
I'm going to first connect to the OpenVPN server for this box from my Kali Linux machine.
Click the access link and select your closest region for the VPN (for a faster, more reliable connection). Once the configuration file has been downloaded, go to the terminal and type ➡️
sudo openvpn path/to/ovpnfile.txt
You should now be connected to the VPN and able to access the target IP address.
Back in the TryHackMe room, click Start AttackBox. Once the target IP address becomes available, copy it.
NMAP
I will start by scanning the IP address for any open ports. Type sudo nmap -sV -Pn [IP address].
[Image: NMAP command on target machine.]
We see that TCP port 443 is open and is hosting an Apache-based website. We can visit this through the browser.
We get this interactive website ➡️
[Image: Apache website that our target machine is running.]
Checking the page source doesn't seem to show anything ➡️
[Image: Source code for the website.]
I'll try robots.txt. In the address bar, type <IP address>/robots.txt.
This is the output when you visit it. It lists the files and directories that the creator of the website didn't want web crawlers to index.
Maybe if we type IP address/fsocity.dic into the browser we get something. Doing so downloads a file, which we can cat from the terminal.
[Image: Opening fsocity.dic file.]
Since I got nothing of importance from this file, I will visit IP address/key-1-of-3.txt. This gives me the first flag.
[Image: key-1-of-3.txt.]
DIRB
Going back to the fsocity.dic file, I used DIRB to find other directories on the website.
[Image: Running DIRB to find other directories on the website.]
Following the readme link, I get this page ➡️
[Image: Following the readme directory.]
But following the login page, I get to this site ➡️
[Image: WordPress login page revealed.]
We could possibly use Burp or Hydra to find the password for this.
Foxy Proxy / Burp Suite
I will use Hydra to try and brute force the login page. Before I use Hydra, I will install the FoxyProxy browser extension and configure it for Burp Suite so that I can capture POST requests.
[Image: Creating a proxy using FoxyProxy.]
I will type in random credentials after turning intercept on in Burp Suite.
The developer of this site has unintentionally let us see the exact error message returned when a login attempt fails. This is a critical vulnerability (it lets us tell a wrong username from a wrong password) that we can take advantage of: we can paste the error string at the end of the Hydra command so that Hydra treats any response containing it as a failed login.
[Image: Trying random usernames and passwords reveals the security flaw.]
Checking the Proxy tab in Burp Suite now shows this output. Look in particular at the last line.
[Image: Using Burp Suite to intercept the POST request.]
This is how the username and password are POSTed across the network.
Hydra
I will now use Hydra from the terminal to try and brute force the login page.
[Image: Brute forcing the username.]
We get the username Elliot.
We can now replace '-L fsocity.dic -p test' with '-l Elliot -P fsocity.dic', and ':Invalid username' with ':The password you have entered for the username' (the new error message), to brute force the password.
Note that this will take a long time. I have used -t 30, which runs multiple tasks in parallel per target.
Checking the line count in fsocity.dic, there are a lot of lines, 858160 to be exact. So this Hydra command will take some time.
[Image: Checking word count on fsocity.dic.]
My machine timed out, so I will start a new session and try it with the new target IP address.
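The distinct error messages above are what Hydra keys on; from the defender's side the same run shows up as a burst of failed POSTs to wp-login.php. As an added example (not from the original post), this Python script parses constructed Apache access-log lines and flags any client whose failed logins exceed a threshold inside a sliding time window; the log lines, IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache access-log lines (not from the page). A failed WordPress
# login re-renders wp-login.php with HTTP 200; a successful one redirects with 302.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (Hydra)"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.88.1"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (Hydra)"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(log_text, threshold=5, window_s=60):
    """Return {ip: peak_count} for clients with at least `threshold` failed wp-login.php
    POSTs inside any `window_s`-second window, whatever error text the form returned."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/wp-login.php" and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Feed it a real access log with `find_login_bursts(open(path).read())`; the threshold and window are the knobs to tune against normal traffic.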
WPScan
I am going to use WPScan, a scanner dedicated to WordPress sites that can also brute force logins. I will update its database first.
[Image: Updating WPScan.]
PHP reverse shell
Clicking on Appearance → Editor shows us a list of the theme pages on the user's site that we can modify.
[Image: WordPress dashboard on target machine.]
We can use a PHP reverse shell script to gain access to the server by copying the script and pasting it into the code of an existing page, such as the 404 error page. Once that page is opened, we get reverse shell access.
[Image: Pentestmonkey reverse shell on GitHub.]
Click Raw to view the raw code and copy it.
[Image: Raw reverse shell script that we can paste into the 404 error page.]
Now paste it into the code section for the 404 error template.
[Image: Changing the 404 error screen to the reverse shell script. Scroll down to where it says //change this.]
Change the IP to your machine's IP and change the port to whatever port you want to listen on. I will use netcat in the next screenshot to listen on port 53, as this is the DNS port and is rarely closed or filtered on an outgoing firewall, which makes it a reliable port to listen on.
[Image: Swap in your machine address and port.]
Change the details as necessary and click Update.
When trying to listen on port 53, I see that it's already being used by another process. By typing fuser -n tcp 53, I can see that it is PID 714. By typing ls /proc, I can see all processes, including 714.
[Image: Showing file permissions.]
Hash-identifier
Now to crack it, I will go to CrackStation and see if it can do anything for me.
[Image: CrackStation cracks the hash.]
The cracked password for the robot user is just the alphabet. The length of the password is actually decent, but the complexity is lacking, so it wouldn't be recommended: simple dictionary attacks can crack such passwords fairly quickly.
When I try to switch user to root by typing su, it tells me that su must be run from a terminal, as the command can't be run from a shell that isn't interactive.
[Image: Non-interactive shell error.]
I will run a Python pty command to spawn an interactive bash shell, after which su can be fooled into thinking we are using a native interactive terminal.
[Image: Spawning an interactive bash session with Python.]
Typing cat key-2-of-3.txt gives us the second flag.
Privilege escalation with SUID binary
We now need to escalate our privileges to the root user to find the third flag.
Typing the command find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; lists all the SUID binaries on the system. I will now use GTFOBins to see if any of these stand out as being able to spawn an interactive shell.
[Image: Command to find SUIDs.]
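A defender's counterpart to the find command above, added here as an example and not taken from the original post: it enumerates SUID files the same way and diffs the result against a baseline, so that an out-of-place entry such as a SUID nmap is reported. The baseline and snapshot lists are constructed for illustration.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on this host (illustrative only;
# a real baseline is captured from a freshly built, known-good system).
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
}

def collect_suid(root="/"):
    """Walk the filesystem and return the set of regular files with the SUID bit set
    (the same population that find / -perm -4000 -type f reports)."""
    found = set()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def audit_suid(current, baseline=BASELINE):
    """Return (unexpected, missing): SUID files not in the baseline, and baseline
    entries that have lost the bit or disappeared. Both lists are sorted."""
    current = set(current)
    return sorted(current - baseline), sorted(baseline - current)

# Constructed snapshot of what the find command on the page might report.
SAMPLE_SNAPSHOT = [
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/local/bin/nmap",  # a SUID nmap is exactly the kind of entry GTFOBins flags
]

if __name__ == "__main__":
    unexpected, missing = audit_suid(SAMPLE_SNAPSHOT)
    print("unexpected SUID:", unexpected)  # ['/usr/local/bin/nmap']
    print("missing from baseline:", missing)  # []
```

On a live host, run `audit_suid(collect_suid())` as root so the walk can read every directory; anything in the unexpected list deserves the same GTFOBins lookup the post performs, from the fixing side.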
For example, looking up su in GTFOBins gives us this ➡️
[Image: GTFOBins on su.]
There is only one function, and that is to access the file system and escalate privileges, according to the definition.
[Image: Using NMAP to launch an interactive shell.]
I will type the highlighted commands into the terminal to get an interactive shell.
[Image: Typing the command to gain an interactive shell session.]
We can go into the root directory and find the third key. If I type cat key-3-of-3.txt, the third and final key will be revealed.
[Image: Key-3-of-3.txt.]