Mr Robot CTF

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Mr. Robot CTF - TryHackMe Room

What is key 1?

First of all, start with a port scan: sudo nmap -sV 10.10.157.176

• Open ports

  PORT    STATE  SERVICE  VERSION
  22/tcp  closed ssh
  80/tcp  open   http     Apache httpd
  443/tcp open   ssl/http Apache httpd
  

Use gobuster for folder/file enumeration: gobuster dir -u https://10.10.157.176 -k -w /usr/share/wordlists/dirb/big.txt

In the following path https://10.10.157.176/robots.txt we found this text:

User-agent: *
fsocity.dic
key-1-of-3.txt

Download https://10.10.157.176/fsocity.dic file. And the first key is in https://10.10.157.176/key-1-of-3.txt.

What is key 2?

Surfing to the website we find a login page: https://10.10.157.176/wp-login.php. At the beginning of fsocity.dic there are some potentially usernames (mrrobot, Robot, Elliot). I tried Elliot in the fogot password page https://10.10.157.176/wp-login.php?action=lostpassword and I received confirm of the correct username.

Use wpscan to perform a dictionary attack on login page.

wpscan --disable-tls-checks --url https://10.10.157.176/wp-login.php -U Elliot -P /home/yami/Desktop/thm/fsocity.dic

It will take a long time to find the correct password, because it is at the end of the wordlist of more than 800000 words. Password is ER28–0652.

Now we have credentials to enter in the wordpress management page.

We are admin so we can upload a reverse shell inside Appearance –> Editor –> 404.php.

On local machine use nc -nvlp 9000 and execute via browser https://ip-address/wp-content/themes/twentyfifteen/404.php.

When we will be inside, we’ll land such as daemon user.

There is a chance to make the present shell more stable by using Python’s Pty module:

Go to /home/robot/.

We have to crack md5 hash to find robot’s password. Use John The Ripper.

Now we have user password to catch the second key.

What is key 3?

Now we have to perform privilege escalation. We have to find some vulnerabilities in the kernel or in some files.

For privilege escalation we can use either LinPEAS or LinEnum tools which will identify potential vectors for PE in the target server. In order to scan the system, we’ll need to transfer one of the scripts to the victim machine. For this purpose we can use SimpleHTTPServer Python module.

But we also can run the following command which searches for all files having SUID bit set: find / -perm -u=s -type f 2>/dev/null

TryHackMe hint suggested nmap. It is version 3.81 and it has an interactive mode in which nmap runs with “sudo” privileges. (https://vk9-sec.com/nmap-privilege-escalation/).

We can find third key under /root.

References:

• https://infosecwriteups.com/tryhackme-mr-robot-machine-c33476f12c48
• https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
• https://crackstation.net/
• https://vk9-sec.com/nmap-privilege-escalation/