how to face a CTF challenge (MR Robot - Vulnhub)

Z43L

Member
Joined
Oct 1, 2023
Messages
31
Hellcoins
♆59
In this small tutorial we are going to be looking at the methodology or at least my methodology since this depends on people but deep down it is always similar and even if you have a methodology
Sometimes you can't follow the usual methodology, that depends a lot on the machine, but we are going to be seeing more or less how we can deal with it.
a CTF challenge without dying in the attempt for this tutorial and I decided to use the MR Robot machine from Vulnhub since it is very iconic I think that the most veterans at least once
We have done it for that reason and because it is also FREE, like all the machines on the Vulnhub platform, so we downloaded it from the following link

https://www.vulnhub.com/entry/mr-robot-1,151/

and we install it like any OVA. In my case, I usually create a rednat in which I put my kali linux machine and the machine to be violated, so it is easier for me to detect
the IP of the victim machine but wow I know of people on bridge adapter but wow I only do that when I'm in lazy mode lying in bed and I do the machine with my cell phone from termux
Once we have set up the laboratory we can start by starting the kali and the MR Robot machine and here is what I said made me more comfortable
put it in a rednat because when it comes to enumerating the network in search of device IP, only the MRRobot machine and mine will appear, well another one also appears in the middle, that one, I don't know exactly where it comes from, it seems to me that it's a long time ago. bridge for the network but here I threw a triple I don't know exactly why but now we will see it instead if we put it in a bridge adapter it will appear to you all the devices that you have connected to your wifi (in my case many I suppose that you too) and it is because That's why I recommend creating a separate network in which you put the kali and the machine to be violated because you're going to kill your head less.
Without further ado, sometimes I get too involved, we will use netdiscover to list all the devices on the network and since we want it to search the entire network, we put -r to make it recursive and /24 to indicate the subnet, in your case it can be /16 , /8 but if you haven't touched anything and you have /24 by default
Code:
sudo netdiscover -r 10.0.2.15/24
1697877681614.png


As you can see, there is what Master 2 told you: the ones from PCS Systemtechnik GmbH are from virtualbox, normally it is usually the last one but there is no way to know until you do an nmap and the one that has open ports is the one. There will be better ways to know, surely, but this is my way, so let's do the nmap.
Code:
sudo nmap -sS -sCV --min-rate 5000 -v -n -vvv -Pn -p- 10.0.2.5 -oN robot-nmap

This is my default nmap scan for CTF. I find it very practical and quite fast and it tells you the ports, services and versions all at once and this is what it returns.

1697877767609.png

Ok now it's time to go see what we find on the website, preferably through port 80 because it is less secure but of course let's not neglect 443 because sometimes they can have different pages which is not the case but you have to have it consider. Upon entering the website we find the following, a website in the form of an interactive console fsociety roll that I can imagine what I am referring to (vulnhub machines are usually themed in the style of movies, series or things like that, they are very cool)
1697877819069.png

Another thing that many people neglect to do, the first thing is to review the html because sometimes we can find some interesting js out there, including comments from the developers, but on this page there is nothing to highlight

1697877858945.png
So we move on to the next crucial phase in CTFs and in any web penetration test, which is searching for directories. I like to use feroxbuster for its ease and convenience, but it is true that if it has many routes or even sometimes the feroxbuster It bugs a little (developers, if you read this, please solve it) because the way it shows the data is very friendly and attractive to see, but if there are many directories and paths, it creates a mess there, so then I move on to using gobuster. or dirbuster sometimes more dirbuster because it is graphic and makes it easier for me to see
In this case I used Feroxbuster and the command is very simple, that's why I like it because when you install it in Kali, it already takes the dictionary by default and you don't even have to bother putting it in.

Code:
feroxbuster http://10.0.2.5/

1697877906831.png

I haven't let it finish just what it had started, but don't worry, if there is a directory that doesn't appear here, I'll be mentioning it later. I've only stopped this so you can see that I don't know about you, but personally I think it's a very attractive way to see it with the colors in the status codes the redirects that also show them on the right in orange which is super practical my favorite tool for directory discovery
nothing, in the screenshot we already see little things we see that it has a wordpress that maybe in the future we can do something with it but I am not going to reveal anything. A piece of advice about CTFs is that sometimes they are tricky, what do I mean by this? For example, this is the mr robot machine because it has a web page configuration file that is sometimes hidden but it is always good to look at it just in case, as it usually already contains information. What is relevant is the robots.txt (Here the trap is, the machine is called Mr. Robot because a clue is in the robots.txt) this is what I was referring to, that sometimes they are a bit elaborate, normally when you launch the nmap it usually tells you if the robots are there. txt visible but either I'm blind or something or he hasn't told me, I don't know why it usually does it automatically when we put the -sCV parameters, which are basic recognition scripts, well, I'm going off on another file talking about what to look at In case there is the robots.txt, it is another file calledsistemap.xml that contains, as the extension indicates, an xml with all the web routes, it even hides them, this for the bug bounty is pure gold since you don't even have to do a active recognition to get the routes (Advice always keep an eye on these two files just in case it doesn't cost anything and can help a lot) well, in robots.txt we have this

1697877945439.png

And this is good, I don't know if I explained it well before but these are two files that are indexed on the server but are not visible to a fuzzer like feroxbuster and apparently we have a dictionary (fsociety.dic) and the first of the 3 keys To complete the challenge, what we do is basically search for those routes in the browser and the files will be downloaded automatically.


1697877990125.png
Here we already have the dictionary that we can use later for something because this is a CTF there are some more realistic but others more like this more game, puzzle and in the other url we already have the first key


1697878032094.png

Since we have a dictionary we can brute force with hydra to find out the user and then we will force the password but let's go in parts as the dictionary has repeated words we are going to do a grep with the uniq command and saving the result in another new dictionary but with only unique names

Code:
sort fsocity.dic | uniq > fsocityuniq.dic

Now that we only have singles, we can start using hydra and we have saved ourselves a couple of hours, but even so we will have to wait a while, I already warned that this machine is slow, why is it that almost all the intrusion requires using a dictionary?

1697878103451.png

There we see that there are 3 names that match because it returns the answers in which it answers "that the user is invalid" so we know that those three users exist so we try to launch another attack with wpscan to find the password. those users so we need to create a mini dictionary with the users that we have, you already know nano or whatever you use so you put it in and we use the following simple wpscan command to brute force or through find the password

Code:
wpscan -U usuarios -P fsocityuniq.dic --url http://10.0.2.5/wp-login.php
1697878149508.png

As we can see, it took a fairly short 6 minutes and we have already found the password for the 3 of us, which in this case is going to be the same for the 3 of us. I imagine that you already know what it is time to enter the wordpress now, I am going to enter with ELLIOT and a once we are inside we find a classic wordpress administrator panel as we have seen before well I don't remember if in the screenshot that I gave you about feroxbuster the /wp-admin/upload.php appears but if you have done it you will have seen it since that is always very attractive to see

Well, the objective here is to upload a file, no matter what, if we manage to upload a revershell, for the lazy ones, I'll leave you a clue. It's in plugins. Upload the plugin and since it's not sanitized, we don't need to do anything, just upload the revershell in PHP and then it will tell us. It seems that it could not be installed but it would have been uploaded and the url will appear where we have to enter where the image library is so we go there and copy the url

1697878183562.png

IMPORTANT before entering the url remember to listen for the port that you have indicated in the revershell

Code:
nc -lnvp 9999

1697878232910.png
As we see, we are as the daemon user. What we have to do now is change to the robot user. To start, we go to the /home/robot directory. We see that there is a file that smells very bad (normally it is not that easy) that contains the robot's encrypted password in MD5 so let's use hascat

Code:
hashcat -m 0 -a 0 robotpass  ~/Descargas/rockyou.txt
1697878278948.png

and there we have the decrypted password so we can connect via ssh (IF IT WAS OPEN) but since it is closed we can do it from the machine directly or with su from the shell obtained before, once inside we can see the second key

1697878311400.png
miremos haber si hay algun suid que nos permita escalar privilegios y ponernos como root para ello
1697878333891.png

From here, without trying much, what I found quickly was a couple that seemed strange to me, but after 2 with the nmap one I already got the answer, wow, the suid was missing and to exploit it very simple, 2 commands
1697878396610.png
1697878406683.png





Thank you very much for reading and until next time
 
Top