TryHackMe: Mr. Robot CTF

Difficulty: Medium

Room URL: https://tryhackme.com/room/mrrobot

Scanning

rustscan -a <IP>

The scan showed ports 80, 443 and 22 open, running HTTP, HTTPS and SSH respectively.

Upon visiting the website we found some commands that can be run.

I used the nikto tool to gather additional details about the web server.

Then I ran gobuster to fuzz for directories.

The dashboard is interesting because it is the admin login interface for the WordPress site. Also check robots.txt, which is also of interest to us.

We have:

The last entry is the first flag; visit it and submit it to record your progress.

fsocity.dic is a wordlist, which might be useful when logging into the admin panel or dashboard of the website. So open it and save it on the attacking machine; we can use it to brute-force the username and password.

Exploiting

Now visiting the login interface, I tried a random username and password, and it shows:

/wp-login.php reveals the WordPress login panel.

A key thing to note is that the website gives a different response when the username is incorrect compared to when the username is correct but the password is incorrect. This is a significant flaw.

We will exploit this flaw to first obtain the username and then the password.

To do this, enter any username and password, and intercept the request using Burp Suite.

The highlighted section is what we are concerned about. Using this part, we will brute force the username.

hydra -L fsocity.dic -p test <IP> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"

This reveals the username Elliot.

When we enter the correct username but an incorrect password, the response is different.

Now that we have the username, let's brute force the password. You can use the Hydra tool for this with a similar command. In my case, Hydra was taking a very long time, so I switched to using WPScan.

And we got the password:

Username: Elliot, Password: ER28-0652

Let's log in with these credentials.

We now have access to the WordPress dashboard.

Our best next step is to inject or replace a PHP file with a malicious one, so that when the website runs that PHP we get a reverse shell. For this I will be using the PHP reverse shell from pentestmonkey: https://github.com/pentestmonkey/php-reverse-shell

Click "Update File".

On your attacker machine, get a netcat listener ready with nc -lnvp 1234; make sure to use the same port you set in the reverse shell.

Looking at the home directory of the robot user, we can see two files: key-2-of-3.txt and password.raw-md5.

We don't have access to key-2-of-3.txt, but we can read password.raw-md5. Reading the password file reveals what looks like a username and an unsalted MD5 password hash:

Cracking the hash reveals abcdefghijklmnopqrstuvwxyz

Let's switch user to robot.


I tried searching on https://gtfobins.github.io/ and found the vulnerability.


Thanks for coming

