MrRobots - tryhackme
Created on Sat 24 Oct 2020
I'm finally back it feels like ages even if its only been around a month. I just had to complete a few things before being able to do some THM stuff. This room is really cool a bit of WordPress and some privileged escalation.
Reconnaissance
Nothing much just the regular scans
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-08 13:55 CEST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:55
Completed NSE at 13:55, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:55
Completed NSE at 13:55, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:55
Completed NSE at 13:55, 0.00s elapsed
Initiating Ping Scan at 13:55
Scanning 10.10.169.43 [2 ports]
Completed Ping Scan at 13:55, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:55
Completed Parallel DNS resolution of 1 host. at 13:55, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 0, DR: 1, SF: 4, TR: 4, CN: 0]
Initiating Connect Scan at 13:55
Scanning 10.10.169.43 [65535 ports]
Discovered open port 80/tcp on 10.10.169.43
Discovered open port 443/tcp on 10.10.169.43
Connect Scan Timing: About 19.78% done; ETC: 13:58 (0:02:06 remaining)
Connect Scan Timing: About 46.86% done; ETC: 13:57 (0:01:09 remaining)
Completed Connect Scan at 13:57, 126.31s elapsed (65535 total ports)
Initiating Service scan at 13:57
Scanning 2 services on 10.10.169.43
Completed Service scan at 13:58, 12.28s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.169.43.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 9.15s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 2.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Nmap scan report for 10.10.169.43
Host is up, received syn-ack (0.043s latency).
Scanned at 2020-09-08 13:55:42 CEST for 150s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp closed ssh conn-refused
80/tcp open http syn-ack Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http syn-ack Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
| SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
| -----BEGIN CERTIFICATE-----
| MIIBqzCCARQCCQCgSfELirADCzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDDA93
| d3cuZXhhbXBsZS5jb20wHhcNMTUwOTE2MTA0NTAzWhcNMjUwOTEzMTA0NTAzWjAa
| MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
| MIGJAoGBANlxG/38e8Dy/mxwZzBboYF64tu1n8c2zsWOw8FFU0azQFxv7RPKcGwt
| sALkdAMkNcWS7J930xGamdCZPdoRY4hhfesLIshZxpyk6NoYBkmtx+GfwrrLh6mU
| yvsyno29GAlqYWfffzXRoibdDtGTn9NeMqXobVTTKTaR0BGspOS5AgMBAAEwDQYJ
| KoZIhvcNAQEFBQADgYEASfG0dH3x4/XaN6IWwaKo8XeRStjYTy/uBJEBUERlP17X
| 1TooZOYbvgFAqK8DPOl7EkzASVeu0mS5orfptWjOZ/UWVZujSNj7uu7QR4vbNERx
| ncZrydr7FklpkIN5Bj8SYc94JI9GsrHip4mpbystXkxncoOVESjRBES/iatbkl0=
|_-----END CERTIFICATE-----
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.34 seconds
Seeing port 80 open I decide to run a gobuster scan and in parallel inspect robots.txt where I find this:
User-agent: *
fsocity.dic
key-1-of-3.txt
I decide to download the 2 files, the first one is a giant dictionary with a lot of duplicates and the second is just a flag. After messing around the website a bit more. I found the famous WordPress login page.
The WordPress login system is a bit broken and ended up leaking most of the usernames.
Exploitation
The first bit of the exploitation was very straight forward brute force the login and then the password.
From that username and password I am able to access the wp-admin page. From there I moved to the plugins section and added in my own code to an existing plugin:
With that reverse shell embedded we can gain access to the machine by launching the plugin!
Privilege Escalation
I think this was the easiest privilege escalation I have done in a while! With the shell ready I moved to the /home folder and inspected what user existed and what could I read.
daemon@linux:/$ cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b # md5: abcdefghijklmnopqrstuvwxyz
With that being the first thing I found I decided to just su into the account robot and see what I can do from there. I then moved on to looking for SUID binaries and found that nmap was set as a SUID binary with the help of gtfobins I was able to obtain root!
Thank you for reading, check out my other write-ups and follow me if you like what it do :)
Categories
My tryhackme account
thm-badge-workflow
A github workflow to add your tryhackme stats to your github profile.
store | How it was build | repoLinks
Questions / Feedback
Donate
If you like the content of my website you can help me out by donating through my github sponsors page.