Mr. Robot Ctf Tryhackme

My solution to the Mr. Robot Ctf on Tryhackme

Connected to the network using the configuration pack allotted to me. I deployed the machine and got the IP. (I was having problems, so I redeployed the machine a couple of times; the IPs may therefore vary between screenshots.)

Flag 1

As usual, I first ran a masscan against the system.

masscan -p 1-65535 10.10.50.122 -e tun0 --rate=1000

This gave me two open ports, 80 and 443. Then I ran an nmap scan on them.

nmap -A -p 80,443 10.10.50.122

Now we know there is an Apache web server running. Since it is a web server, I ran dirb against it while I manually looked at the website.

My first impression of the website was "That's a lot of effort put into it."

There were terminal-like input fields, and typing help listed the available commands. I manually tried a little fuzzing, but it got me nowhere, so I started visiting the web pages by typing in the commands it gave us.

If you've watched Mr. Robot you will understand what the commands led to: the videos and pictures, essentially pointing out "flaws in today's societies", were very much themed around the show.

I did notice that as I typed in the commands it led me to different web pages. I tried a random page and it led me to a WordPress error page, so I knew the site was built on WordPress. I tried some more fuzzing and exploring to see how everything worked and to get it mapped in Burp's site map.

I also found the wp-login page, the WordPress login page for the blog. I tried common usernames and passwords, and SQL injection; nothing gave me the login, but I did notice that the error message stated the username was incorrect, which means valid usernames can be told apart from invalid ones. I began brute forcing it against a common admin username list while continuing to look at the website.

The dirb that I had run returned quite a few pages with a 200 status, so I visited them manually to see what they were. A lot of them, like /readme, were essentially trolls or useless data. Until robots.txt.

This led me to the first flag, and also to a file that looked like a wordlist. My initial brute force against the login hadn't yielded anything, so I downloaded this wordlist.

I got the flag by visiting /key-1-of-3.txt and similarly /fsocity.dic for the wordlist.

Flag 2

I opened the wordlist: it has 85,000+ words, which is a bit much to brute force directly. In an HTB box I came across cewl, a custom wordlist tool that generates a wordlist by spidering a website. This wordlist looked similar to cewl output, and the sheer number of words meant I had to find a way to cut it down. I found an online duplicate-word remover tool and cut the size to about 11,000; it's still not great, but 1/8th the size is an improvement. Next I wrote a script to remove any words shorter than 5 characters, which further reduced the list to 8,000. Finding no more improvements, I ran the brute force. This was a risky move because it could have filtered out the correct words, but that wasn't the case and I was able to get it.

#!/usr/bin/env python3
# Drop every entry shorter than 5 characters from the (already de-duplicated) fsocity.dic
with open("fsocity.dic", "r") as wordlist, open("reduced.txt", "w") as final:
    for item in wordlist.read().split('\n'):
        item = item.strip()  # drop stray carriage returns and trailing spaces
        if len(item) >= 5:
            final.write("%s\n" % item)

The username was found almost instantly as Elliot. The password brute force in Burp was taking too long, as the free version has a rate limit, so I stopped it. This is when I switched to OWASP ZAP, which was much faster.
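The login brute force I ran above is exactly what a defender would want to catch in the web server's access log. The following is an added example, not part of the original writeup: it flags any source IP that POSTs to /wp-login.php at least a threshold number of times within a sliding window. The Apache combined log format and the sample lines are my assumptions.

```python
#!/usr/bin/env python3
"""Flag source IPs hammering /wp-login.php in an Apache access log.
Added example, not from the original writeup; assumes Apache "combined"
log format. The sample lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_count} for IPs that POST to wp-login.php at least
    `threshold` times inside any `window`-long span (sliding window per IP)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged

def _line(ip, sec, method="POST"):
    """Build one constructed combined-format log line at 12:00:<sec> UTC."""
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" 200 1422')

# Constructed sample: 10.0.0.5 submits 12 logins in 12 s; 10.0.0.9 behaves normally.
SAMPLE_LOG = [_line("10.0.0.5", s) for s in range(12)] + [
    _line("10.0.0.9", 5), _line("10.0.0.9", 40), _line("10.0.0.9", 50, "GET")]
```

Running `find_login_bursts(SAMPLE_LOG)` on the constructed sample flags only 10.0.0.5; on a real log, feed it the file's lines and tune the window and threshold to the site's normal login rate.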

Got the password as ER28-0652

We have signed in as Elliot, which is an Administrator account. At this point I was a little stuck as to how to proceed next. I tried uploading a PHP reverse shell via the media upload section in WordPress, which didn't work out. So I did some research.

I found a website that detailed how to get shells on a WordPress-based site, here.

The technique I used was to redefine the 404 error page so that every time it was called it would send a shell back to my attacking machine. The code that I inserted into the 404 page is here. Once the shell came back, I upgraded it to a full TTY shell using python3.

Now to find the flag. The home directory had a robot user whose directory contained two files: the second key and a file called password.raw-md5. I tried to access the key but was denied access; on checking again I noticed the shell was running as the user daemon. Opening the second file revealed the user robot and their password hash. Looking up the hash online, I found it to be the MD5 of 'abcdefghijklmnopqrstuvwxyz'.

So now I had the username and password for the user robot, and by switching user I got the flag.

Flag 3

Now I assumed the next step was privilege escalation. I followed g0tmi1k's privilege escalation guide. I didn't really get much until I hit the SUID portion. By running

find / -user root -perm -4000 -print 2>/dev/null

I came across an nmap installation in /usr/local/bin, which looked interesting. I was able to run nmap and then spawn a shell through it, which gave me root access. Thereafter the process was just using cat to display the /root folder contents and get the flag.