THM — Mr Robot CTF

Tools used: Nmap, gobuster, base64 decoder, sort, uniq, Burp Suite, Turbo Intruder, PHP reverse shell, netcat, CrackStation, find, GTFOBins

Yikai
9 min read · Nov 28, 2020

Nmap

kali@kali:~$ sudo nmap -sC -sV -O 10.10.151.156
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-26 22:48 EST
Nmap scan report for 10.10.151.156
Host is up (0.35s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Device type: general purpose|specialized|storage-misc|WAP|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|2.4.X (90%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Linux 3.10 - 4.11 (90%), Linux 3.2 - 3.8 (90%), Crestron XPanel control system (89%), Linux 3.13 (89%), Linux 3.13 or 4.2 (89%), Linux 3.16 (89%), Linux 3.2 - 3.5 (89%), Linux 4.4 (89%), HP P2000 G3 NAS device (89%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.40 seconds

Since port 80 is open, let’s try to enumerate that port for hidden directories using gobuster.

gobuster dir -u 10.10.151.156 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

Results:

While we wait for the gobuster results, let’s manually explore the webpage on port 80.

We see a terminal-like interface. After trying a few Linux commands, it becomes clear that it is not a real terminal, just a scripted web application.

Found a login page.

Tried to log in with admin:admin, but the error says the username is invalid. That suggests a valid username would produce a different error message, which lets us enumerate usernames.

Make sure to check every single page from your gobuster list, as you might find important clues. Below is one example.

Inspect the page and you will be able to find the hidden clue.

(Update: this part was added after I had already logged into Elliot’s account. Had I decoded this earlier, I would have cleared this box even faster, but it was still good practice to follow the process of finding the credentials.)

I used a base64 decoder.

No clues for the page below.

Found the first key.

By going to /key-1-of-3.txt we got our first key.

Next, let’s head to /fsocity.dic, which prompts us to open a file.

It contains a list of strings. I spotted the name Elliot, which I decided to try using on the login page.

It seems that Elliot is a legitimate username that we can try to brute force.

Recall the list from earlier; it could well hold the password needed to log in to Elliot’s account.

After looking through the list in more detail, it seems that there are some words that are repeated.

First, let’s do a line count on the fsocity.dic file.

That is quite a big file with many lines. Let’s sort the file and print each string only once (uniq only collapses adjacent duplicates, which is why the file must be sorted first). Take note: if you use uniq with the -u flag, it prints only the lines that occur exactly once and drops every line that has a duplicate.

Example:

somefile.txt:
1
2
3
3
4
4
5
5
6
6

Using: sort somefile.txt | uniq -u > somefile2.txt

Gives:

somefile2.txt:
1
2

Every number that occurs more than once has been dropped entirely.

But if you only want to remove the duplicate copies and still keep one of each number, use: sort somefile.txt | uniq > somefile2.txt

Gives:

somefile2.txt:
1
2
3
4
5
6

So let’s head back and do that on our fsocity.dic file. As we can see below, the total number of lines has been significantly reduced.

Now, let’s use Burp Suite to brute force the login page.

Capture the POST request in Burp. Highlight and right-click the parameter value (in this case the string ‘pass’) and send it to Turbo Intruder.

Make sure the parameter you want to attack has been replaced with the %s placeholder.

Start the attack; Elliot’s password is the one whose request returns a 302 response, i.e. a redirect after a successful login.

With the password found, we can log in to Elliot’s account.

Again, make sure to check out every single thing on the account.

Just testing to see how the blog works.

You can see the post that I have created, but nothing much here.

I found out something interesting which is in the appearance section.

I see that I am able to upload a theme. I wondered whether I could upload a PHP reverse shell and somehow run it on the server.

Uploaded my reverse shell.

Tried to install it, but it didn't work.

In the Editor tab, I found a page where you can edit theme files.

I realized that many of the templates are PHP code.

Since there are templates like 404.php, archive.php and comments.php, I wondered whether a reverse shell could be written into one of these template files and executed.

But first I needed to find out where and how this code runs, to make sure the reverse shell actually gets executed.

Let’s start with 404.php, as it is the easiest to trigger: any URL we request that does not exist on the site is rendered by the 404 template, which in turn executes its PHP code.

You could also use other templates such as archive.php or even index.php, but then you need to know the exact URL path that renders them.

Notice the error text in the 404.php template above:

'Oops! That page can’t be found.' 'It looks like nothing was found at this location. Maybe try a search?'

If we request any random URL, for example: http://10.10.187.199/abc123

It can be anything; in this case I used abc123.

Below, it shows the same error text we saw in the 404 template. This means we can paste our reverse shell into the 404 template and execute it by requesting a nonexistent page.

Just to prove that this error page is rendered from the 404 template, I added a random string to the template and updated the file.

We can see below the string “TESTTESTTESTTEST” appeared as the error message.

Now, let’s paste our reverse shell code in.

You can get a PHP reverse shell here.

Set your THM VPN IP, as that is the IP address that will receive the connection.

Set the correct port you are listening to.

Hit the Update File button.

Start your netcat listener.

Now refresh, or request another random path, and we should get a shell in our terminal.

We can upgrade to a proper TTY shell using this command: python -c 'import pty; pty.spawn("/bin/bash")'

It seems we do not have permission to cat the second key, but the user robot does. Let’s look into password.raw-md5.

I used CrackStation to crack the MD5 hash.

Now we can switch to the user robot and see if we can read the second key.

Next, getting the last flag probably has something to do with privilege escalation. I got kind of stuck on this part, even with the hint from THM (hint: nmap). It is part of the learning process anyway; after looking through one of the write-ups, we need to find the nmap SUID file.

You can use this command, which lists every regular file with the SUID bit set and discards permission errors: find / -perm -u=s -type f 2>/dev/null

From above, we can spot the file: /usr/local/bin/nmap

We can see that the nmap binary has the SUID bit set.

Head to GTFOBins and check how this binary can be abused. Make sure you are the robot user before moving on.

This version of nmap supports interactive mode. Following GTFOBins, we can enter nmap’s interactive mode and get a root shell.

We can get the last key by going to the root directory.
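As a defensive counterpart to the SUID hunt above, here is an added example (not code from the original write-up) that turns the same find command into a repeatable audit against an allowlist, so a stray SUID binary like /usr/local/bin/nmap stands out. The directory tree and allowlist it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit SUID files under a
# tree against an allowlist. Paths in demo_audit are constructed stand-ins.

# Print every SUID regular file under the tree $1, one absolute path per line.
list_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null | sort
}

# Print SUID files under $1 whose path is not an exact line in allowlist $2.
# Anything printed should be explained or have its SUID bit removed.
unexpected_suid() {
    list_suid "$1" | grep -v -x -F -f "$2" || true
}

# Build a constructed tree (empty files standing in for binaries), mark two of
# them SUID, allow only passwd, and report what the audit flags, with the
# temporary prefix stripped so the output reads like a real path.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/usr/local/bin"
    : > "$tmp/usr/bin/passwd"
    : > "$tmp/usr/bin/ls"
    : > "$tmp/usr/local/bin/nmap"
    chmod u+s "$tmp/usr/bin/passwd" "$tmp/usr/local/bin/nmap"
    printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/allow.txt"
    unexpected_suid "$tmp" "$tmp/allow.txt" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo_audit   # prints: /usr/local/bin/nmap
```

Run the audit on a real host as root with list_suid / against a baseline captured at build time; any new line is the kind of finding this box turns into root.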


Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.