Today I had time to check the Mr-Robot CTF created by Leon Johnson. It was a pretty cool CTF; you should definitely try it. :] Below you will find the details of how I solved it. Here we go...
As usual, when the machine was ready I started my scan with nmap:
A more detailed scan:
Ok, let's check that WWW:
A few results I tried:
And a few hints from MrRobot ;>
More people in the room...
... so I decided to go back to our www-shell:
View the source:
So yes, we have some more info about the WordPress install... Back to the dirb results:
I downloaded both files to my Kali box:
Checking the content(s):
More links to gather some details from?
Looking at what's inside the directory:
In the meantime I was checking the password for /wp-login.php. Details you'll find below:
I decided to use the fsocity file (but this time I decided to switch to Burp):
After a "while" I wasn't sure if the username 'admin' was right. The next guess was elliot... (anderson/mrrobot/and so on...). Checking, then:
This one took a little bit longer, but finally we've got it:
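The wordlist attack on /wp-login.php described above is exactly the pattern a defender wants to catch in the web server's access log. The script below is an added example (not code from the original post): it parses combined-format log lines, keeps a per-client sliding window of POSTs to /wp-login.php, and flags any client that crosses a threshold inside the window. The sample log lines, the IP addresses, the threshold and the www-data-style status heuristic are constructed for this example; WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect, so a long run of 200s followed by a 302 from the same client is the signature of a guess that eventually worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag source IPs that POST to /wp-login.php at least `threshold` times
    within any `window_seconds` span. Assumes the log is in time order per client.
    Returns {ip: {first_burst_at, total_login_posts, redirect_responses}}."""
    recent = defaultdict(deque)      # ip -> timestamps inside the sliding window
    total_posts = defaultdict(int)   # ip -> all login POSTs seen
    redirects = defaultdict(int)     # ip -> login POSTs answered with 301/302
    first_burst = {}                 # ip -> time the threshold was first crossed

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        ip, ts = rec["ip"], rec["ts"]
        total_posts[ip] += 1
        if rec["status"] in (301, 302):
            redirects[ip] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in first_burst:
            first_burst[ip] = ts

    return {
        ip: {
            "first_burst_at": first_burst[ip],
            "total_login_posts": total_posts[ip],
            "redirect_responses": redirects[ip],
        }
        for ip in first_burst
    }


def _log_line(ip, second, method, status):
    """Build one constructed log line (sample data for this example only)."""
    return (f'{ip} - - [12/Jan/2024:10:00:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 2311 "-" "Mozilla/5.0"')


# Constructed sample log: one client hammering the login form once a second and
# finally getting a redirect, plus a normal user who mistypes once and then logs in.
SAMPLE_LOG = (
    [_log_line("10.0.0.5", 0, "GET", 200)]                       # GET is ignored
    + [_log_line("10.0.0.5", s, "POST", 200) for s in range(0, 15)]
    + [_log_line("10.0.0.5", 15, "POST", 302)]
    + [_log_line("10.0.0.9", 3, "POST", 200), _log_line("10.0.0.9", 20, "POST", 302)]
)


def sample_alerts():
    """Run the detector over the constructed sample log."""
    return detect_login_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, info in sample_alerts().items():
        note = " (a later redirect suggests a guess succeeded)" if info["redirect_responses"] else ""
        print(f"{ip}: {info['total_login_posts']} login POSTs, burst at "
              f"{info['first_burst_at']:%H:%M:%S}{note}")
```

Only the hammering client is reported; the legitimate user with two POSTs a quarter of a minute apart never fills the window. In production the same logic belongs in a log pipeline or fail2ban-style filter, with the threshold tuned to the site's normal login rate.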
Looks good, so my next step was to create a small www-shell (a similar idea was used in Napalm); check it out:
The new content (for 404.php) will now be:
Let's get some more details about the machine:
Oh, Bitnami :] looks familiar [1,2,3,4] ;] So I think it's a good time for a shell:
Maybe the WordPress config is the hint?
After a while I found that I could write to the /wp-content/ directory - that was the key:
Looking for other interesting files, I found the robot user in the /home directory with the following files:
Ok, my php-shell file is already there, but why does it have size 0?
last cases. The idea to bypass this was: base64-encode rever-shell.php, wget it to the target machine, and base64-decode the content of the file into another, new php shell. See below:
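Both footholds used so far, the edited theme 404.php and the files dropped into a writable /wp-content/, leave traces that an integrity and permission audit of the WordPress tree would surface. The script below is an added example (not code from the original post or from WordPress itself): it compares a snapshot of the install against a baseline of file hashes taken from a known-good copy and reports files the web server user could modify, files whose hash has changed, and PHP files that are not in the baseline at all. The baseline, the snapshot entries, the theme directory name and the www-data uid/gid of 33 are constructed assumptions for this example.

```python
import hashlib
import os
import stat

# Assumption of this example: the web server runs as www-data (uid/gid 33), as on
# Debian/Ubuntu-style systems. Adjust for your install.
WEB_UID = 33
WEB_GID = 33


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def writable_by_web_user(mode, uid, gid, web_uid=WEB_UID, web_gid=WEB_GID):
    """True if the web server user could modify an object with these bits: it is
    world-writable, group-writable and owned by the web group, or owned outright
    by the web user with the owner write bit set."""
    if mode & stat.S_IWOTH:
        return True
    if gid == web_gid and mode & stat.S_IWGRP:
        return True
    return uid == web_uid and bool(mode & stat.S_IWUSR)


def audit_wordpress(entries, baseline):
    """entries: iterable of (relpath, mode, uid, gid, sha256 or None for dirs).
    baseline: {relpath: sha256} recorded from a known-good copy of the install.
    Returns three sorted lists: paths the web user can write, files whose hash
    differs from the baseline (e.g. an edited theme 404.php), and PHP files that
    are not in the baseline at all (e.g. something new under wp-content)."""
    report = {"writable": [], "modified": [], "new_php": []}
    for relpath, mode, uid, gid, digest in entries:
        if writable_by_web_user(mode, uid, gid):
            report["writable"].append(relpath)
        if stat.S_ISDIR(mode):
            continue
        if relpath in baseline:
            if baseline[relpath] != digest:
                report["modified"].append(relpath)
        elif relpath.lower().endswith(".php"):
            report["new_php"].append(relpath)
    for key in report:
        report[key].sort()
    return report


def scan_install(root):
    """Yield audit entries for a WordPress tree on disk (paths relative to root).
    Symlinks are skipped; unreadable entries are ignored."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            digest = None if stat.S_ISDIR(st.st_mode) else sha256_file(path)
            yield (os.path.relpath(path, root), st.st_mode, st.st_uid, st.st_gid, digest)


# Constructed sample data (not from the original post): a baseline of two files and
# a current snapshot in which 404.php was edited, wp-content became world-writable
# and an extra PHP file appeared under uploads.
ORIGINAL_404 = hashlib.sha256(b"<?php get_header(); ?> not found").hexdigest()
EDITED_404 = hashlib.sha256(b"<?php // changed ?>").hexdigest()
INDEX = hashlib.sha256(b"<?php require 'wp-blog-header.php';").hexdigest()
BASELINE = {"index.php": INDEX, "wp-content/themes/example-theme/404.php": ORIGINAL_404}
SNAPSHOT = [
    ("index.php", 0o100644, 0, 0, INDEX),
    ("wp-content", 0o40777, 0, 0, None),                         # drwxrwxrwx
    ("wp-content/themes/example-theme/404.php", 0o100644, 0, 0, EDITED_404),
    ("wp-content/uploads/extra.php", 0o100644, 33, 33, hashlib.sha256(b"<?php ?>").hexdigest()),
]


def sample_report():
    """Audit the constructed snapshot against the constructed baseline."""
    return audit_wordpress(SNAPSHOT, BASELINE)


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        for p in paths:
            print(f"{kind}: {p}")
```

To use it against a real install, record `{relpath: digest}` from `scan_install()` on a freshly deployed copy, store it off-box, and rerun the audit on a schedule; the "writable" list is the hardening finding (wp-content should not be writable by the web user unless uploads require it), while "modified" and "new_php" are the detections.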
Spawning a pty to get a better view:
Great, we are now the new user - robot. It should be possible to read the key:
When you look around for privilege escalations, I think the easiest one will be to find a root exploit for the kernel... but another one is to check nmap's permissions (here you will find a nice post about it):
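The setuid nmap that gives away root here is the kind of thing a baseline audit catches before an attacker does. The script below is an added example (not code from the original post): it collects every regular file with the setuid bit set and splits them into binaries that are expected to be setuid-root on the distribution, setuid-root binaries that are not in that baseline (the ones to investigate), and setuid files owned by a non-root user. The allowlist is an illustrative assumption for Debian/Ubuntu-style systems and the sample entries are constructed; build the real baseline from a known-good image of the same distribution.

```python
import os
import stat

# Illustrative baseline of paths that are normally setuid-root on a Debian/Ubuntu
# style install (an assumption of this example, not a list from the original post).
EXPECTED_SETUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}


def classify_setuid(entries, expected=EXPECTED_SETUID_ROOT):
    """Split (path, mode, uid) entries into expected setuid-root binaries,
    unexpected setuid-root binaries, and setuid files owned by a non-root user.
    Entries without the setuid bit are ignored; each list is returned sorted."""
    result = {"expected": [], "unexpected_root": [], "setuid_non_root": []}
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            continue
        if uid != 0:
            result["setuid_non_root"].append(path)
        elif path in expected:
            result["expected"].append(path)
        else:
            result["unexpected_root"].append(path)
    for key in result:
        result[key].sort()
    return result


def scan_setuid(root="/"):
    """Walk `root` and yield (path, mode, uid) for every regular file with the
    setuid bit set. Unreadable entries are skipped; symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


# Constructed sample entries (mode 0o104755 = regular file, setuid, rwxr-xr-x).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/local/bin/nmap", 0o104755, 0),   # setuid-root but not in the baseline
    ("/home/robot/tool", 0o104755, 1000),   # setuid, but to an unprivileged user
    ("/usr/bin/ls", 0o100755, 0),           # no setuid bit: ignored
]


if __name__ == "__main__":
    report = classify_setuid(scan_setuid("/usr"))
    for path in report["unexpected_root"]:
        print(f"unexpected setuid-root binary: {path}")
    for path in report["setuid_non_root"]:
        print(f"setuid to a non-root user: {path}")
```

The remediation for an unexpected entry is usually `chmod u-s` plus a look at who set it and why; the point of keeping the baseline outside the host is that a scan run from a live-response toolkit can compare against it even after the box has been tampered with.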
Sometimes I like to verify root access by reading the shadow file, so...
... you can also check .bash_history to see how the machine was prepared.
The final 3rd key:
I must say that this was a very nice CTF. Not as hard as I thought at the beginning, but very good to check anyway. :]
Big thanks go again to the author as well as to VulnHub for hosting all of those games!