TryHackMe CTF Walkthrough - Mr. Robot

Captions
Napoleon, like anyone can even know that. Hi friends, in today's walkthrough I'll be doing Mr. Robot from TryHackMe. In this beautifully designed easy/medium box we'll run nmap and discover some SSH and web servers. On the web server we'll discover a number of hidden directories, including encoded login credentials. We'll then discover a WordPress portal which we'll log in to using these credentials, whereafter we'll use the fact that the user has editor privileges to edit one of the pages and change it for a PHP reverse shell script. This will get us on the box, whereafter we'll discover other encrypted credentials which we'll use to elevate our privileges, and then finally we'll discover that the SUID bit is set on an nmap binary, and with a little bit of help from GTFOBins we'll use this SUID bit to elevate our privileges to root. All right friends, methinks that's enough dilly-dallying for now, so let's get to it.

Okay friends, so the first thing I already did was I connected to the TryHackMe VPN, and then after that I just spun up the actual machine for this room, and we can see the IP address right there. So I just want us to pay attention that the kind of goal of this room is to find three different keys, but for now let's just copy that. And so the first thing I always like to do is ping the machine, just to make sure we are actually able to connect, and we are, and so we can proceed. And so the first thing I'm going to do is make a directory; I'm just going to call it robot, and this is kind of just the folder we'll be working out of for the CTF. Now that that's set up, the first actual tool we'll run, not a huge surprise, is nmap. I'm going to run -sV, which will try and enumerate versions of the different services running on open ports, and then -sC, which just kind of has a whole collection of different standard scripts that will run and maybe that can kind of get more info for us, then -oA, which basically just means I'm going to save the results in case I want to come back in the future; it's just kind of good practice, right? And I'm just going to call it nmap.results, and then finally we'll provide the IP, so I'm just going to paste that and we can run this.

A few moments later, here we can see our results: 22 SSH, and then we have a web server on HTTP 80 and HTTPS 443. Something that's kind of a little bit interesting here, however, is that SSH is said to be closed, so I guess it's worth just spending a quick 30 seconds here and talking about what that means. What does it mean, it's closed? Because, you know, isn't port 23 and 24 and 25 and everyone not listed here closed as well? So just so we kind of get down one layer of abstraction and dig a little bit deeper: this specific nmap query that I ran, this is kind of the most standard one, and it's called the SYN scan, S-Y-N, also sometimes called a half-open scan. And basically what's happening is, if we think of our three-way handshake, it's typically SYN, SYN-ACK, ACK, right? And so it starts like that: we send out a SYN, and if the port responds with a SYN-ACK, that is basically telling us that the port is open. And what we're going to do after that, actually, is we don't finish the three-way handshake by sending an ACK; we send a reset packet to basically drop the connection immediately. Back in the day the thought was that that is a little bit more stealthy and won't kind of arouse suspicion as much as completing the three-way handshake, but these days it's not really true, but it is still kind of the default nmap scan. So what does it mean when a port is closed? When a port is closed, when I send it a SYN packet it still responds, but it responds with a RST, with a reset packet. So what we can really think about is the port is open in the sense that the firewall is not blocking traffic to the port, but the port is basically telling me nothing is listening, nothing is going to respond to any packets that I'm going to send it, right? And so the difference between that and a port that's not even listed here is, a port that's not even listed, when we send it a SYN packet we don't get anything back, so what we can basically assume at that point is that the firewall has filtered and dropped packets destined to, let's say, port 23, 24, 25. So I don't want to get into this too deep, but I think it is always worth understanding the kind of underlying packet mechanics, if you will, of what's going on here, right?

In any case, the first thing that I always like to do if I see there's a web server is to go and see if there's a website, so let's do that. I'll open a new tab and we'll just write the IP address, and we can actually see that this is an incredibly cool website with some awesome leet hacker animations going on. These also are actually all commands that you can run in this kind of faux terminal, but just so you are aware, none of this actually moves our plot forward, at least as far as the CTF is concerned, so for now I'm not going to engage in this too much. But at the same time, obviously, if you find this cool and interesting you should go and do that, and I just want to say kudos to the artists who went through all the effort to create something so dope. Yeah, and now that we're in a kind of micro-impasse, the thing that we always like to do, obviously, in terms of a web server is run directory busting with something like feroxbuster or gobuster, right? So let's go back and open our terminal, and then right here we'll run gobuster. And so we'll run gobuster dir, we'll enumerate directories, I'll specify the URL, and then further I'll specify the wordlist. As is usually the case I'll be using SecLists from Daniel Miessler, and I like to first just run the raft-medium-lowercase one for directories, and finally I'll just save it to this same directory as gobuster.results. A few moments later: okay friends, so that took quite some time.

We can see here we have a lot of results, but we also have some 400s and 300s and, you know, redirects and stuff I'm not really interested in, so I am going to cat out the results and I'm going to grep for 200, and you can see this way we only see the ones that are actually responding. So sitemap is not that interesting to us, and wp-login is of interest to us because wp most likely stands for WordPress, so there's probably a portal we can attempt to log in to there. And then there's a few other things that are interesting, specifically these three I'd like to go have a look at, so let's do that. And so the first thing we'll do is go to robots, which is probably the robots.txt file. It is. And for those of you that don't know, this is always worth checking, whether there's a robots file, because the function of it is to tell web crawlers to not index these specific files. And so here, I'm just going to make this much bigger, we can see two files here, right? The first one seems like perhaps one of our three keys, and then the other one seems like a dictionary file; this is usually a wordlist that's often used for password cracking, and then it's probably supposed to say "society", I think that is also a shout-out to Mr. Robot. And so the first thing is, let's actually just go there and see if we can find a key, and that appears to be one of the keys; let's have a look, great, and it is. Let's go back to this tab and I will copy that, and let's go there, most likely a file that's going to ask us to download. Yes indeed, and so we can download that. And so let's go look at our gobuster results again, and so something else here that's interesting is readme and license, right? So let's get the readme. Okay, cool, so fun little kind of cryptic messaging. At the same time, let's look at the page source, but actually I would say more than the page source, let's go to inspect, right? And most people often prefer page source, and it makes a lot of sense because it's much cleaner and easier to kind of just visually grok; this has much more kind of noise and often toggles you have to open here, but there are situations in which the inspector context menu is going to reveal information that the page source is not going to reveal to you, so I think it's always worth having a look. And then next, I believe the third one we said was kind of interesting was license, correct? Okay, so it's kind of like, you know, it's a hacker diss, bro, it's throwing down leet hacker disses to us, and we can have a look here and we can see the text here, but we can see something really cool as well: there seems to be some encrypted or encoded message, what appears to be base64, and I know that because of the equals sign at the end. And so let's just kind of copy, write that down, and then, you know, you can use CyberChef if you want; at the same time, when it's just base64 I like to sometimes use something called base64decode, a simple site, because we're assuming at this point that it is base64, and we can see right here it actually was able to crack it. I'm just going to make this bigger again, and we can see right here what looks to be credentials, right? It looks like a username, Elliot, who is obviously the, you know, primary protagonist from Mr. Robot, and then this, which I'm going to assume for now is the password; it's another reference to Mr. Robot, it was actually his employee number, right? So let's copy that.

Now let's go back to our gobuster results one more time. intro I'm going to assume is the landing page, and then sitemap is usually not that interesting to us, and then wp-config for now we can kind of leave on the back burner. The last one now that stands out here is the WordPress login, and since we just found credentials, why don't we go and see if mayhaps these credentials work for the WordPress login. So I'm going to close the inspector menu and we can go to wp-login, and I'm just going to make things a normal-ish size again, and so let's fill in the creds that we found on the license page and let's see if we can log in. And indeed we can log in. Now guys, if you're able to access a WordPress site like this, there are many different things to see whether you are able to kind of directly exploit WordPress, or perhaps exploit one of the WordPress plugins, right? But I'm not going to go through that entire process now. But if you are a beginner and you find yourself able to get into a WordPress portal like that, then you can do worse than to just go to a page called HackTricks, and I'm just going to write "HackTricks WordPress", and you'll see here is an entire kind of comprehensive guide of all the different things you can try, and see how you're perhaps able to use WordPress to kind of, you know, further progress, or exploit, or get a shell on the box, stuff like that. This would be extensive, to follow this entire journey here right now, so I'll just kind of reveal to you that one of the things we're able to do as this user, now logged in, is a major no-no in terms of weak security settings that they've configured. And so we'll go here to Appearance and we'll go to Editor. So what you can actually see here are a bunch of the pages of the website, and here's the thing guys, this is like, for instance, right now here we'll look at the PHP code for 404.php. So if I were to go to [the machine IP]/404.php, it's basically this code that will execute, right? That will send a request to the web server to execute that code. Now here's the thing: we're able to edit this code, so we can literally go and delete that and change this to anything we want. And what will we most likely want? Well, we want something that will be able to connect back to a listener on our system that will give us a shell on the web server. And so since this is PHP we'll use a PHP script that will help us get a reverse shell, and as far as it goes for reverse shell scripts, I really like to use revshells.com, right? And here you can see on the left is a wide variety of different types of shells we can get, and then here we can specify the port and our IP, and it's going to embed it right there inside of our script. Now for PHP we can see there's a wide variety, and I really like pentestmonkey, and you'll see it's a very, very common and popular script as far as PHP is concerned because it works really well, right? So the port right now is 9001; I'm just going to leave it like that. Obviously this is most likely not our actual IP, and so let's just go see what our actual IP is, and of course we can get that with ip a, and I can see my IP right there, so I'll copy that and we'll head back to revshells, and right there I'll change it, and we can see it automatically adjusted the actual script, and so now it's also kind of reminding me what our listener has to be. But in any case, we have our script right here, so all I'm going to do is copy it, I'm going to head back here, I'm going to paste it, and let's just kind of 100% make sure it has our IP, yes it does, and I'm going to update the file. So now guys, when I visit 404.php, which I'm not going to do right now, it is going to execute this code, and once that code executes it's going to try and form a reverse connection to this IP, which is our IP. And so obviously the thing that's missing right now is an actual listener, and so I'll just run nc -lvnp, and we said 9001, right? And so we're listening, and now I can basically hit enter, it executed the code, and let's see, and indeed we can see right there that we have a shell. So I'm just going to run the following simple command, I'm just going to paste it right in, from Python, and this is just going to upgrade our shell.

So let's go into home and we can see there's basically one folder there, robot. Let's have a look here and we can see two things of interest. Obviously the first thing is what appears to be the second key, but we can see that we're not able to read it, right? And then the other thing is this password, which seems to me right now indicates it's a saved password, and it's hashed as MD5. So let's just cat that out, and it seems again to be credentials, and it seems this time that it's for the username robot; this is their password hashed, right, in MD5. Now if we weren't sure this was MD5, or if we thought there's some, you know, deception at work here, we could use a program like hash-identifier; there's other apps you can use to actually specifically identify it, right? So now we might be tempted to immediately use something like John and hashcat to crack this, and of course we could certainly do that, but before we do that there's always a potential quick and easy win, and that quick and easy win is by using a rainbow table, right? So for those of you that don't know, a rainbow table is just a database of hashes that have already been kind of pre-cracked. I'm going to give it this hash and it's just going to look: hey, have I cracked this hash before, is there a record of it? So the first thing I always like to do is just go to something called crackstation.net and see whether or not there's a rainbow table entry for this. I'm going to make this a little bit bigger, and let's, like that, let's crack it, and we can see immediately when it's green it means it was successful, and we can see here that it was MD5 and it was able to crack it, and it's basically A to Z. This is a great example of a password that is very solid from a brute-force point of view, because it's got 26 characters, but it's very weak from a dictionary attack point of view because it's a very predictable string, right? So let's copy this and then let's head back to our terminal, and so here in our terminal let's su, switch user, to robot. I'm going to paste the password and we are robot, great. And so now we should most likely be able to have a look at the second key, and indeed we can, right there, right? So you can go ahead and obviously paste that in.

And so now we have one final key, and I'm just going to make an assumption at this point that that key we're able to get if we elevate to root, because just from having done a lot of CTFs in the past, and also considering this is an easy CTF, that just seems like the most obvious pathway for us to get the final key. All right, so maybe we can actually have a look if that key is in root, but we're actually not even allowed to look at the contents of root. And there's obviously a number of things we can do here to kind of start seeing how we could potentially escalate our privilege: we can run something like LinEnum or LinPEAS and it can kind of, you know, give us some indications, and if you have no experience with Linux privilege escalation I recommend the modules on TryHackMe, and also TCM, The Cyber Mentor, has an excellent course on Linux privilege escalation. So there's a few kind of, what we can say, core approaches to Linux privesc, and the one I'm going to use here is a very popular one, which we can call, you know, abusing SUID binaries. So I'm going to just paste the whole command here right now, but don't worry, I know it seems somewhat overwhelming, we're going to go through it. All right, so before we look at the results, even, let me just break this whole command down and tell you exactly what's going on there, right? So the first thing we can see here is basically the find, and we're pointing at the kind of root of the drive; all this does is it basically initiates a search, and we start at the root directory, right, so we're going to search the entire drive. And then the key here really is this -perm +6000, which, you know, is kind of very cryptic unless you know what it means, and basically it says only find files that have the SUID or SGID bit set, and that is represented by the octal code 6000; it's just something you'll have to learn. And very briefly guys, what is the SUID bit? Sometimes an admin wants to give a user the ability to run a specific program or binary as admin, but they don't want to give them the ability to log in as an admin user and just have kind of general admin rights. And so when they set the SUID bit on a specific binary, what that allows is, when a regular user executes it, they'll execute it not as themselves but as the owner of the file, and let's assume in this case the owner of the file is root, which effectively means a regular user running that file will run that file as root. And this part basically just indicates don't show me any error messages; again, this seems kind of weird and cryptic. I actually love this command: 2 just means standard error, and /dev/null, in case you didn't know, on a Linux system is a black hole. What do I mean? If you throw something in that folder it disappears forever, so what I'm literally saying here is all the errors, redirect them to the black hole, to /dev/null, meaning just go away. And finally we'll pipe to grep, and we're basically going to say only output results that are in a directory called bin, in other words a binary.

So this is our output, and you can see we have quite a lot. Now here's the thing friends, you would actually expect a lot of these binaries to output in a normal default situation, and that doesn't at all mean that you're able to abuse it, quite the contrary. And so what you will be required to do here is to be able to look at this list and identify which one of these is a usual one I would expect to have the SUID bit set, and which one is unusual, because it's really the unusual ones that we're interested in. Now if you're a beginner the next question might be, well, how the hell do I know that, how do I look at this list and tell what's usual and unusual? Well, obviously it comes with experience; it comes with running this command on a lot of systems and just knowing some of these things you see again and again and can't be abused, right? And if you don't have that experience yet, then you will just go and copy and paste these binaries one by one into a website I'm about to show you shortly, to see whether or not it has the potential to be abused. In any case, I'm going to tell you right now that everything here is usual and not really able to be abused except this last one, except for nmap, right? And again, I know that because I've seen a lot of these outputs, so that one immediately popped out to me, as well because of the kind of unusual directory, right? It's not the same directory as all the others. Now that we know the nmap binary is potentially abusable, what do we do with that info? Well, there is a magical site called GTFOBins, and if it's not yet bookmarked then bookmark this, because this is something you will use a lot, and you can go ahead and read here, but these are literally instructions for how we can go about abusing them to potentially elevate our privileges, or to get a shell, or, you know, to upgrade our shell, etc. And so as I said, the unusual entry there was nmap, and we can see indeed it has an entry for nmap, so let's go there, and we can see here a variety of different instructions or strategies that we might go ahead and try to kind of, you know, elevate our privileges. And so here we're going to attempt this specific method, so I'm going to paste that, and we can see now we're kind of in nmap like it showed, so we'll just !sh and see if that gives us a shell, and now if we say whoami we can see we're root. So what exactly happened here guys? Well, as I told you, the nmap has the SUID bit set, meaning when we run it we run it as root. So we ran nmap, but we basically summoned an interactive kind of console or terminal interface, right? And so then here in our new nmap interface, which again, remember, we're running as root, I just used !sh, because what that did is it invoked or created a new shell for us, and so now we have this new shell, but because that new shell was spawned from a binary running as root, the shell is now a root shell. And so let's just go and see what is in root, and we can see right there there's key 3 of 3, so let's just go ahead and cat it out, and that's our third key guys. And now that we've pwned the box like elite hackers, it's obviously time for the victory dance guys, so please get up out of your chair and join me. [Applause] All right friends, that's it for this week's walkthrough. Please keep an eye out for another CTF walkthrough next week, because it will obviously be awesome, but until then, peace out. [Music] [Applause]
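The SUID triage the speaker does by eye above (spot the one binary that is not normally SUID) can be done against a baseline list so the odd entry is printed for you. The script below is an added example written for this page; it is not the speaker's command and not part of the room. Two things in it are assumptions: the BASELINE list of names a stock install usually ships SUID (edit it for the distribution you are on), and the fake directory tree demo_tree builds in a temp dir so the script runs offline. Note the find syntax: the video's `-perm +6000` is the old GNU find spelling; current GNU find expresses "any of these bits" as `-perm /6000` (4000 = setuid, 2000 = setgid), which is what the script uses.

```shell
#!/bin/sh
# Added example (not from the video): find SUID/SGID files and report the ones
# that are NOT on a baseline of binaries a stock Linux install normally ships
# SUID, so unusual entries (nmap in the walkthrough) stand out.

list_suid() {
    # $1: directory to search; use / on a real target.
    # -perm /6000 matches files with the setuid (4000) OR setgid (2000) bit.
    # Errors (unreadable dirs) go to /dev/null, as in the video's command.
    find "$1" -type f -perm /6000 2>/dev/null
}

# Basenames commonly SUID on a stock install. ASSUMPTION: adjust per distro.
BASELINE="su sudo passwd chsh chfn gpasswd newgrp mount umount ping pkexec"

unusual_suid() {
    # $1: directory to search. Prints full paths of SUID/SGID files whose
    # basename is not in BASELINE; these are the candidates to check on GTFOBins.
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $BASELINE " in
            *" $name "*) ;;                  # expected SUID binary: skip
            *) printf '%s\n' "$path" ;;      # unusual: report
        esac
    done
}

demo_tree() {
    # Constructed fake filesystem for an offline run (not a real target).
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/local/bin"
    for f in su passwd mount; do
        : > "$root/bin/$f"; chmod 4755 "$root/bin/$f"          # usual SUID
    done
    : > "$root/usr/bin/sudo";           chmod 4755 "$root/usr/bin/sudo"
    : > "$root/usr/bin/ls";             chmod 755  "$root/usr/bin/ls"   # not SUID
    : > "$root/usr/local/bin/nmap";     chmod 4755 "$root/usr/local/bin/nmap"  # odd one out
    printf '%s\n' "$root"
}

# `sh suid_triage.sh demo` runs the offline demo; on a target call: unusual_suid /
if [ "${1:-}" = "demo" ]; then
    root=$(demo_tree)
    unusual_suid "$root"
    rm -rf "$root"
fi
```

On the demo tree the only line printed is the fake nmap under usr/local/bin, which mirrors the speaker's point that the unusual path is itself a tell. On a live box, expect the baseline to need tuning: a distribution's extra SUID helpers will show up as false positives until you add them, and anything that remains is worth a GTFOBins lookup.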
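The crackstation lookup above works because it is a precomputed table: the hash is looked up, not brute-forced. The script below is an added example written for this page, not the speaker's commands or the room's files; it builds the same kind of table locally from a wordlist with md5sum and looks up a user:hash line in the layout found in the robot home directory. The wordlist and the credential line are constructed sample data: the digest in it is MD5 of the 26-letter alphabet as given in the RFC 1321 test vectors, chosen because the video describes the recovered password as "basically A to Z", and it is not copied from the machine.

```shell
#!/bin/sh
# Added example (not from the video): a local stand-in for a precomputed hash
# lookup. build_table hashes every wordlist entry once; lookup_hash then finds
# a plaintext by digest without any cracking. Requires md5sum (coreutils).

md5_of() {
    # MD5 hex digest of a string (no trailing newline hashed).
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

build_table() {
    # $1: wordlist file. Prints "digest plaintext" lines.
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        printf '%s %s\n' "$(md5_of "$word")" "$word"
    done < "$1"
}

lookup_hash() {
    # $1: table file, $2: MD5 hex digest (any case).
    # Prints the plaintext and returns 0, or returns 1 if not in the table.
    h=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    awk -v h="$h" '
        $1 == h { print substr($0, length($1) + 2); found = 1; exit }
        END     { exit !found }' "$1"
}

crack_line() {
    # $1: table file, $2: "user:md5hash" line as found in the user's home dir.
    user=${2%%:*}
    hash=${2#*:}
    if plain=$(lookup_hash "$1" "$hash"); then
        printf '%s:%s\n' "$user" "$plain"
    else
        printf '%s:<not in table>\n' "$user"
        return 1
    fi
}

demo_crack() {
    # Constructed data for an offline run.
    dir=$(mktemp -d)
    # Wordlist: a few guesses plus the alphabet, 26 characters long but trivially
    # guessable; long is not the same as unpredictable, as the video points out.
    printf '%s\n' password letmein 'correct horse' abcdefghijklmnopqrstuvwxyz > "$dir/words.txt"
    build_table "$dir/words.txt" > "$dir/table.txt"
    # Constructed user:md5 line. Digest = MD5("abcdefghijklmnopqrstuvwxyz"), RFC 1321.
    crack_line "$dir/table.txt" "robot:c3fcd3d76192e4007dfb496cca67e13b"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# `sh md5_lookup.sh demo` prints the constructed credential pair in clear.
[ "${1:-}" = "demo" ] && demo_crack
```

With a real wordlist (the rockyou.txt list, or the fsocity.dic file the room's robots.txt points at) the same two steps apply: hash the list once, then look up as many digests as you like. The cost is paid in building the table, which is exactly why a site holding a huge precomputed table answers in a second, and why an unsalted MD5 of a dictionary word is effectively plaintext.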
Info
Channel: faan ross
Views: 1,759
Id: YpJwIPP8lII
Length: 25min 29sec (1529 seconds)
Published: Sat Nov 18 2023