A write-up for the TryHackMe room named Mr. Robot.
To deploy the Mr Robot virtual machine, you will first need to connect to the TryHackMe network.
After connecting to the server you will see this on your access page.
Once you are connected to the server successfully, deploy your machine.
After deploying the machine from the TryHackMe portal we get an IP address for it. It changes every time you deploy, so your room IP will probably differ from mine.
We need to know which ports are open and which services are listening behind them, so we use a tool called Nmap.
$ nmap -A <TARGET IP> -oN nmap.txt
Ports 80 and 443 being open indicates a website is running, so we open http://10.10.44.213 and https://10.10.44.213 in the browser.
Now that we know the target is running a web server, we should brute-force directory names to see what's available. You can use DirBuster or dirb, but I like to use gobuster.
Similar in concept to password brute-forcing, we take a list of words from a file and request each one as a path on the web server. If the server returns a 20x or 30x status code, we know something is there.
gobuster takes an existing wordlist of common directory names, requests each one and then reports the status code it got back. (On Kali or ParrotOS you can find these wordlists under /usr/share/wordlists/dirbuster.)
$ gobuster dir -u http://10.10.44.213/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 30 -o directories.txt
Now let's take a look at the entries that returned status code 200.
BINGO!! Opening 10.10.44.213/key-1-of-3.txt
We just have to append this .txt file name to the URL.
Key 1: Captured!
The robots file has two leads, one that takes you straight to the first flag and another that leads you deeper into the challenge.
When you browse to http://<ip-address>/fsocity.dic you are prompted to open/download a file. Keep this in your back pocket as we will use it in just a bit.
One of the results from our gobuster scan was /wp-admin so that should definitely be on our list of things to check out.
So “admin/admin” doesn't work, no surprise, but notice what the error message says: “invalid username”.
So what is a valid username? The CTF itself is inspired by the TV show “Mr Robot”, and the main character's name is Elliot (even if I didn't know that already from watching the show, it is easy to search on the internet), so let's give it a go.
Boom!! The application confirms that it has an account named Elliot but we didn't give it the right password. That's ok, we have ways of dealing with that particular problem.
Password Brute Forcing
Do you remember that file called fsocity.dic that we downloaded earlier? If you take a look at it in a text editor (or the command line) you will find that it is simply a wordlist. Presumably one of the words in this file is the password to Elliot’s WordPress account.
Now let's take a look at fsocity.dic.
If each word is on a line by itself, a line count of the file shows that there are 858,160 words.
That’s a big file and there are probably duplicates in there so let’s see if we can trim it down some.
You can use the sort and uniq commands to…sort and remove duplicates.
There is a useful tool that comes bundled with Kali called WPScan. It is primarily a vulnerability scanner for WordPress sites but it also happens to include password brute forcing functionality.
Here is the syntax breakdown:
wpscan: launches the app
--url: specifies the full URL that you want to scan (don't forget the ‘http’)
-t: the number of simultaneous threads to use, I chose 50 in this case
-U: the username to use (good thing we enumerated that earlier, eh?)
-P: the password file to use
It took less than a minute to crack but would have taken longer had we not trimmed the duplicates out of the password file.
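Turning the two brute-force steps above (the gobuster directory scan and the WPScan password attack) around to the defender's side: both leave a very recognisable footprint in the web server's access log, a burst of 404s from one address for the directory scan and a burst of POSTs to wp-login.php for the password guessing. The following is an added example, not code from the write-up or from TryHackMe; it assumes combined-format access logs (Apache/nginx), constructs its own sample lines, and the thresholds are illustrative assumptions to tune per site.

```python
"""Detect directory and login brute-forcing in web server access logs.

Added example, not part of the original write-up. It assumes the Apache/nginx
combined log format and builds constructed sample lines. The thresholds
(WINDOW, MAX_404, MAX_LOGIN_FAILS) are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative thresholds (assumptions): tune them for the site's normal traffic.
WINDOW = timedelta(seconds=60)
MAX_404 = 20          # more 404s than this from one source inside WINDOW -> directory brute force
MAX_LOGIN_FAILS = 10  # more wp-login.php POSTs than this inside WINDOW -> password guessing


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def _burst(events, window, limit):
    """True if more than `limit` timestamps fall inside any sliding `window`."""
    events = sorted(events)
    start = 0
    for end, t in enumerate(events):
        while t - events[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def detect(lines, window=WINDOW, max_404=MAX_404, max_login=MAX_LOGIN_FAILS):
    """Return {ip: set(alert_names)} for sources whose traffic looks like brute forcing."""
    not_found = defaultdict(list)
    login_posts = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["status"] == 404:
            not_found[e["ip"]].append(e["ts"])
        # WordPress answers a failed login with 200, so count the POSTs themselves,
        # not the status codes.
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            login_posts[e["ip"]].append(e["ts"])
    alerts = defaultdict(set)
    for ip, ts in not_found.items():
        if _burst(ts, window, max_404):
            alerts[ip].add("directory-bruteforce")
    for ip, ts in login_posts.items():
        if _burst(ts, window, max_login):
            alerts[ip].add("login-bruteforce")
    return dict(alerts)


def sample_log():
    """Constructed sample: a directory scanner, a password guesser and one normal visitor."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = []
    for i in range(30):  # 30 guessed directory names in 30 seconds, all missing
        t = base + timedelta(seconds=i)
        lines.append(f'10.0.0.5 - - [{fmt(t)}] "GET /guess{i}/ HTTP/1.1" 404 196 "-" "scanner"')
    for i in range(25):  # 25 login attempts in 25 seconds
        t = base + timedelta(seconds=i)
        lines.append(f'10.0.0.6 - - [{fmt(t)}] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "guesser"')
    lines.append(f'192.0.2.10 - - [{fmt(base)}] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.10 - - [{fmt(base + timedelta(seconds=2))}] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, kinds in detect(sample_log()).items():
        print(ip, ", ".join(sorted(kinds)))
```

The sliding window matters more than the raw count: a normal visitor produces the odd 404 over a whole session, while a wordlist scan produces hundreds in the time it takes to read this sentence. In production you would feed real log lines through `detect()` and forward the result to whatever blocks or rate-limits the source.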
We get a 9-digit password: *********
Using Elliot:********* to log in:
The site is running WordPress 4.3.1.
Now we need a reverse shell, so let's use php-reverse-shell. Kali and ParrotOS already ship it; all you have to do is locate it.
Opening a reverse-shell
In wp-admin, go to the left navigation bar, select Appearance → Editor and then select Archives (archive.php) on the right.
Once archive.php is open, paste the contents of php-reverse-shell.php into the edit section.
Now we have to edit the value of the IP variable and set it to our own IP, so that when the reverse shell runs it knows which host to connect back to.
Click Update, then start netcat listening on port 8888.
Now let's open archive.php: check which theme the site is running and open that theme's archive.php as shown below.
We now have a raw shell on the target server.
Raw shells are gross and we want to get out of them ASAP so we use python to switch into a proper terminal.
A lot of Linux systems are configured to display the current working directory at the terminal prompt and based on ours we can see that we are in the ‘/’ root directory. Not to be confused with the /root directory which is the home directory for the root user.
If we peek into /home we can see there is a local user account called ‘robot’. If we peek further we can see two files in that user’s home directory with one of them being the next flag. Unfortunately it seems that only the user ‘robot’ has permissions to read that file.
The second file is interesting not only because it's called ‘password’ but also because it appears to be world-readable. If we take the filename at face value, it looks like an MD5 hash of the user's password.
A hash cannot be decrypted, but an unsalted MD5 of a common password can be looked up in any online hash-cracking service.
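The reason the hash in the robot user's home directory falls so easily is not that MD5 is broken in some exotic way but that it is fast and unsalted: the same password always yields the same digest, so a precomputed table maps it straight back. The following added example (mine, not from the write-up; the wordlist and passwords are constructed) shows that lookup next to the form a defender should use instead, a salted, iterated PBKDF2-HMAC-SHA256 hash compared in constant time.

```python
"""Unsalted MD5 lookup versus salted, iterated password hashing.

Added example, not from the write-up. The wordlist and passwords are
constructed; nothing here comes from the room.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary file (assumption, not fsocity.dic).
WORDLIST = ["password", "letmein", "abcdefghijklmnopqrstuvwxyz", "correcthorsebatterystaple"]


def md5_hex(word):
    """Plain MD5 of a word, i.e. what a world-readable 'password' file like the room's holds."""
    return hashlib.md5(word.encode()).hexdigest()


def md5_lookup(hex_digest, wordlist=WORDLIST):
    """Unsalted MD5 gives one digest per password, so a table built once answers any lookup."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(hex_digest)


def hash_password(password, iterations=200_000, salt=None):
    """Store 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A random per-user salt means two users with the same password get different
    records, and the iteration count makes each guess cost real CPU time.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = md5_hex("letmein")
    print("md5 lookup recovers:", md5_lookup(leaked))
    a, b = hash_password("letmein"), hash_password("letmein")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("letmein", a), "wrong:", verify_password("wrong", a))
```

The two `hash_password("letmein")` records differ because of the salt, so no shared lookup table exists, and each verification costs 200,000 HMAC rounds, which is negligible for one login and punishing for a dictionary of 858,160 guesses. Use a purpose-built library such as bcrypt or argon2 in real applications; PBKDF2 from the standard library is used here only to keep the example dependency-free.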
Now that we have the password we can su to the robot user and grab the next flag.
Key 2: Captured!
What is key 3?
Our last key is very likely in the /root directory, and we will need a privilege escalation to access it.
To capture the 3rd flag we need to get to root, so we will perform privilege escalation. The first step is to find out which programs have the SUID bit set (permission mode 4000).
Privilege escalation using Nmap
Nmap has the SUID bit set. Administrators often set the SUID bit on nmap so that it can be used to scan the network effectively, because some Nmap scanning techniques do not work unless it runs with root privileges.
However, older Nmap versions have an interactive mode which allows you to escape to a shell. If Nmap has the SUID bit set, it runs with root privileges, and through its interactive mode we can get a ‘root’ shell.
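On the defensive side, the misconfiguration that gives away the third key is detectable with a routine audit: list every SUID file, compare it with a baseline, and treat SUID on anything that has a built-in way to spawn a shell as a finding. The following is an added example, not the write-up's own commands; the allowlist and "shell-capable" set are illustrative assumptions, and it builds a throwaway directory tree so it runs without root (on a real host you would walk / instead, which is what the classic `find / -perm -4000 -type f` does).

```python
"""Audit a directory tree for SUID binaries and flag ones outside an allowlist.

Added example, not part of the write-up. EXPECTED_SUID and SHELL_CAPABLE are
illustrative assumptions; a real baseline comes from a known-good image. The
demo tree is constructed in a temp directory so no root is needed.
"""
import os
import stat
import tempfile

# Basenames that are normally SUID on a Linux host (assumption; derive from your baseline).
EXPECTED_SUID = {"sudo", "passwd", "su", "mount", "umount", "ping"}
# Programs with a documented way to run a shell or commands; SUID on these is a misconfiguration (assumption).
SHELL_CAPABLE = {"nmap", "vim", "find", "bash", "python", "perl"}


def find_suid(root):
    """Walk `root` and return sorted paths of regular files with the SUID bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths):
    """Split SUID paths into expected, dangerous (shell-capable) and unknown."""
    report = {"expected": [], "dangerous": [], "unknown": []}
    for p in paths:
        base = os.path.basename(p)
        if base in SHELL_CAPABLE:
            report["dangerous"].append(p)
        elif base in EXPECTED_SUID:
            report["expected"].append(p)
        else:
            report["unknown"].append(p)
    return report


def audit(root="/"):
    """Full audit of a tree: locate SUID files, then classify them."""
    return classify(find_suid(root))


def build_demo_tree():
    """Constructed sample tree: SUID on passwd (normal) and on nmap (the room's misconfiguration), plain ls."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in [("passwd", 0o4755), ("nmap", 0o4755), ("ls", 0o755)]:
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    report = audit(build_demo_tree())
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Anything in the "dangerous" or "unknown" buckets is what a reviewer should look at first; in the room's case the nmap entry is exactly the finding, and the fix is simply `chmod u-s` on the binary (or, if scanning as root is genuinely needed, granting the capability to a dedicated account rather than making the binary SUID).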
Key 3: Captured!