Mr. Robot
Introduction
Welcome back! This is my write-up for the Mr. Robot CTF from TryHackMe (https://tryhackme.com/room/mrrobot). The objective of this room was to find the three hidden keys on the machine.
Disclaimer: you will see two different target IPs.
Scanning
To get things started I ran Nmap against all ports on the target machine. The scan revealed that ports 80 (HTTP) and 443 (HTTPS) were open.
Enumeration
Since both open ports are web services, I began my enumeration with gobuster on both of them. The output for port 80 was extensive, while port 443 returned nothing. I have highlighted the most interesting directories found on port 80.
Navigating to /robots I obtained the first of the three keys and a word list. Navigate to http://<TGT IP>/key-1-of-3.txt to reveal the key, then download the word list from /fsocity.dic.
Enumerating the /feed/rdf directory revealed the version of WordPress in use. This might be useful later when looking for an exploit.
Navigating to /wp-login I encountered a login page for a WordPress site. At this point I still had not ascertained any credentials that would grant access.
Brute Force
Using the word list downloaded earlier and Hydra, I was able to find a valid username and password.
Gaining Shell
Now that we have a username and password we are able to log in, and we are greeted with an admin dashboard. When I see an admin dashboard like this I look for somewhere I can upload a file. I checked every tab and found something that suited my needs in the Appearance → Editor → 404 Template section.
This looks like a nice place to put a PHP reverse shell. Edit the PHP reverse shell from https://pentestmonkey.net with your own IP and port, delete the current contents of the 404 template, paste in the PHP shell, and save the changes. Set up a netcat listener, then navigate to a random directory on the target to trigger the 404 template. I got a shell.
Exploring the target's file system I saw that there is a user named robot. In robot's home directory there are two files, key-2-of-3.txt and password.raw-md5. As the current user, daemon, I did not have permission to read key 2. I was, however, able to read password.raw-md5, which reveals the password hash for user robot.
After cracking the hash I logged in to the robot account, where I was able to get the second key.
PrivEsc
Now that we are logged in as user robot, I started a Python HTTP server on my attacker machine and uploaded LinEnum to the target.
After reviewing the extensive LinEnum output I found the SUID section to be particularly interesting, specifically the /usr/local/bin/nmap entry.
Running nmap with the --interactive option gave me an nmap prompt, from which I spawned a shell with !sh. Since nmap runs as root (SUID), the shell it spawns also has root permissions.
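The root cause of this escalation is a hand-installed setuid binary that no package manager put there. As an added example (not part of the original write-up or of LinEnum), here is a small defender-side audit that compares the setuid files on a host with an expected baseline and calls out anything under unmanaged prefixes such as /usr/local; the baseline list and the sample find output are constructed assumptions.

```python
import os
import stat

# Illustrative baseline of setuid binaries expected on a Debian/Ubuntu-style
# host (assumption: tune it to your own build image).
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}
# Package managers do not install under these prefixes, so a setuid bit
# here was almost certainly set by hand (as with /usr/local/bin/nmap).
UNMANAGED_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")


def audit_suid(paths):
    """Flag setuid paths (e.g. `find / -perm -4000` output) not in the baseline."""
    findings = []
    for path in paths:
        path = path.strip()
        if not path or path in EXPECTED_SUID:
            continue
        reason = "not in baseline"
        if path.startswith(UNMANAGED_PREFIXES):
            reason += ", outside package-managed directories"
        findings.append(f"{path}: {reason}")
    return findings


def suid_files_on_host(root="/"):
    """Walk the filesystem and collect regular files with the setuid bit set."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found


# Constructed sample shaped like the LinEnum SUID section on the CTF box.
SAMPLE_FIND_OUTPUT = """/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/nmap
"""
```

On a live host, `audit_suid(suid_files_on_host())` produces the same findings from the real filesystem instead of the sample.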
The last key can be found in the home directory of root.