TryHackMe — Mr Robot CTF | Write-Up

Andreas Panagi
4 min read, May 8, 2022

Hello InfoSec people, here is the write-up for the room Mr Robot on the TryHackMe platform.

The room itself doesn’t give us any information about the machine. The only thing that we know before powering up the machine is that there are 3 keys hidden inside it. Let's get started.

[Task] Get the 3 keys hidden inside the machine

FINDING THE 1ST KEY

Firstly, I connected to the VPN and powered on the Mr. Robot machine.

I knew nothing about the machine, so I ran nmap to find open ports, running services and the OS:

nmap -A -sC -sV <TARGET IP>

I got these results:
22/tcp closed ssh reset ttl 63
80/tcp open http syn-ack ttl 63 Apache httpd

The machine has the HTTP port open, meaning there is a website running.

I used dirb to find any interesting directories or files that might be useful.

dirb http://<TARGET IP> /usr/share/wordlists/dirb/common.txt

While I left dirb running, I tried to access a random directory on the website:

e.g. http://<TARGET IP>/robot

This led me to the site below, which is a WordPress site.

I used the login link on the WordPress site, which led me to the WordPress login page: wp-login.php

Then I started enumerating the site using WPScan.

wpscan --url <TARGET IP>

During the scan, I found the robots.txt file:

Inside the robots.txt file there is a dictionary and the 1st key.

FINDING THE 2ND KEY

I booted up Burp Suite to run a dictionary attack against the login page in order to find valid usernames.

I entered random credentials in order to capture the login request.

I sent the request to Intruder and added a payload marker on the username.

I loaded the dictionary we found earlier into the payload options and started the attack.

In the results, the response for the username “Elliot” has a different length than the others, which means it is a valid username we can use to log in to the page.

To find the user's password, I used Hydra with the dictionary I had found before.

hydra -l Elliot -P fsocity.dic <TARGET IP> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30

What that Hydra command does: it uses the username “Elliot” and tries each line of the dictionary as the password. If the response from the page contains “The password you entered for the username”, that password is discarded as a failed attempt.

After some time, Hydra gives you the right password for the username “Elliot”.

I had admin privileges on the WordPress management site. Then I went to Theme > Edit and chose a page to insert my reverse shell into, in order to connect to the server.
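Both the Intruder username sweep and the Hydra password sweep above leave the same trace on the server: a burst of POST requests to /wp-login.php from one source address in the Apache access log. The following is an added example written for this write-up (it is not part of the original post and not a tool from the room): a small parser that counts login POSTs per source inside a sliding time window and flags sources over a threshold. The log lines are constructed for the demo and use documentation IP addresses; the threshold and window are assumptions to tune per site.

```python
"""Detect WordPress login brute-forcing in Apache combined-format access logs.

Added example for the write-up above; the sample log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format; we only need source IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag sources that send more than `threshold` POSTs to wp-login.php within
    any `window_seconds` window. Lines are assumed to be in chronological order.

    Returns {ip: {"attempts": peak_count_in_window, "possible_success": bool}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            entry = flagged.setdefault(ip, {"attempts": 0, "possible_success": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            # WordPress answers a failed login with 200 (the form again, carrying the
            # error text Hydra matches on) and a successful one with a 302 redirect to
            # the dashboard, so a 302 inside the burst is the guess that worked.
            if status == 302:
                entry["possible_success"] = True
    return flagged


def constructed_log():
    """Constructed sample: one ordinary visitor, one source hammering wp-login.php."""
    lines = [
        '203.0.113.5 - - [08/May/2022:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [08/May/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(40):  # 40 failed guesses in 40 seconds
        lines.append(
            f'198.51.100.7 - - [08/May/2022:10:01:{i:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'
        )
    # the guess that finally succeeds: a redirect instead of the login form
    lines.append(
        '198.51.100.7 - - [08/May/2022:10:01:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    )
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(constructed_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs in window, success seen: {info['possible_success']}")
```

The same rule works on a live log with `find_bruteforce(open("/var/log/apache2/access.log"))`. Note that only the status code is visible in the log, not the error string Hydra keys on, which is why the 200-then-302 pattern is what distinguishes a failed guess from the one that succeeded.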

I used the 404.php page and replaced its PHP code with this reverse shell:
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Then I opened a listening port on my machine:

nc -lvnp 4444

and modified the reverse shell (listener IP and port) to send the shell to my machine.

After accessing the 404.php page I got a shell connection; running whoami returned “daemon”. Then I changed directory:

cd /home/robot/

In the robot directory there were 2 files, “Key-2-of-3” and “password.raw-md5”. With my current user level, I was able to read only the “password.raw-md5” file.

It contained an MD5 hash of the user robot's password. Using John the Ripper I cracked the hash.

john --wordlist=fsocity.dic --format=RAW-MD5 md5.hash

Escalating privileges:

su robot (then typed the cracked password)

and I had access to the 2nd key.
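Why the password.raw-md5 file falls to a wordlist so quickly is worth seeing in code. The block below is an added example, not the write-up's own code and not the real hash or password from the machine: it reproduces the dictionary check John performs for raw-md5 (one fast, unsalted hash per guess) against a constructed hash and a tiny stand-in for fsocity.dic, and sets it beside the storage format a defender would use instead, a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumed value).

```python
"""Raw MD5 dictionary check versus salted, iterated password storage.

Added example; DEMO_PASSWORD, DEMO_WORDLIST and the derived hash are constructed.
"""
import hashlib
import hmac
import os


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def crack_raw_md5(target_hash, wordlist):
    """The check john --format=RAW-MD5 does: hash each candidate once and compare.
    No salt and a fast hash means a single MD5 per guess, so a whole wordlist is
    exhausted in seconds, and one precomputed table covers every user."""
    target_hash = target_hash.strip().lower()
    for word in wordlist:
        if md5_hex(word) == target_hash:
            return word
    return None


def store_password(password, salt=None, iterations=100_000):
    """Hardened alternative: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt makes precomputed tables useless; the iteration count makes every
    guess ~100k times more expensive than a single MD5."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed demo data: a made-up password and a five-line stand-in for fsocity.dic.
DEMO_PASSWORD = "mrrobot2022"
DEMO_WORDLIST = ["password", "elliot", "fsociety", "mrrobot2022", "darlene"]
DEMO_HASH = md5_hex(DEMO_PASSWORD)

if __name__ == "__main__":
    print("raw md5 recovered:", crack_raw_md5(DEMO_HASH, DEMO_WORDLIST))
    stored = store_password(DEMO_PASSWORD)
    print("salted record:", stored)
    print("verify correct:", verify_password(DEMO_PASSWORD, stored))
    print("verify wrong:  ", verify_password("wrong", stored))
```

The point of the comparison is that the same five-word list would still find a weak password under PBKDF2; what changes is that each guess costs a hundred thousand hash operations instead of one, and a second user with the same password gets a completely different record.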

FINDING THE 3RD KEY

For the 3rd key I had to escalate privileges to the root user.

I ran this command to find any misconfigured binaries that could give us root access:

find / -perm +6000 2>/dev/null | grep '/bin/'

Using this command I found an nmap binary with the set-uid bit set, which can give us root access on the system.

Using this website we can find exploitable binaries.

The commands below gave me root access, and I was able to find the 3rd key in the /root directory.

nmap --interactive
nmap> !sh
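The set-uid enumeration above is the attacker's view of a check a defender should be running routinely. The block below is an added example, not the write-up's own code: it performs the same walk for set-uid/set-gid regular files and compares the result with a baseline so that an unexpected entry (such as an old nmap build left with the set-uid bit; only old nmap versions still have `--interactive`) stands out. The BASELINE set is an assumed, illustrative list for a Debian-style host; a real baseline should come from a known-good image or the package manager. One caveat on the original command: current GNU find rejects the `-perm +6000` syntax, and `-perm /6000` is the equivalent.

```python
"""Audit set-uid/set-gid files against an expected baseline.

Added example; BASELINE is an assumption and build_demo_tree() creates constructed
fixture files so the audit can be tried without root.
"""
import os
import stat
import tempfile


def find_setuid(root):
    """Walk `root` and return the sorted paths of regular files carrying the
    set-uid or set-gid bit. Unreadable directories and vanished files are skipped,
    which is what find's 2>/dev/null did in the write-up."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


# Assumed baseline for illustration only: binaries that legitimately carry the
# bit on a typical Debian/Ubuntu host.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}


def unexpected_setuid(paths, baseline=BASELINE):
    """Return the entries of `paths` that are not in the baseline."""
    return sorted(set(paths) - set(baseline))


def build_demo_tree():
    """Constructed fixture: a temp directory holding one plain file and one file
    with the set-uid bit (chmod can set it on files you own, no root needed).
    Returns (directory, path_of_setuid_file)."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    plain = os.path.join(base, "plain-tool")
    marked = os.path.join(base, "nmap")
    for p in (plain, marked):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(marked, 0o4755)
    return base, marked


if __name__ == "__main__":
    # Real run: audit the whole filesystem against the baseline.
    for p in unexpected_setuid(find_setuid("/")):
        print("unexpected set-uid/set-gid file:", p)
```

Running it as a cron job and diffing the output against the previous run turns a one-off hunt into a standing control: a binary that gains the bit between two runs is exactly the kind of change that let daemon become root here.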

With the final key I was able to complete the Mr. Robot room.

Thank you for reading.


Andreas Panagi

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B