TryHackMe: Mr Robot CTF Writeup
Mr Robot is a CTF-style challenge box on TryHackMe. It is an open-ended challenge without instructions, so we have to figure it out on our own.
To access the box, click on the following link and join the room.
Check connection
Ping the machine IP to check whether the connection is established. In my case the ping is successful, so the connection is established.
Scanning
Let’s start with an nmap scan. Use the following command to scan the target IP address:
nmap -A -T4 10.10.233.189
nmap: invokes Nmap, a versatile network scanning tool used for network discovery and security auditing.
-A: enables OS detection, version detection, script scanning, and traceroute. It is a combination that attempts to identify the operating system and service versions running on the target, runs scripts against target services to find potential vulnerabilities, and maps out the path packets take to the target.
-T4: accelerates the scan by reducing the time Nmap waits for responses, which is useful for scanning targets faster but carries a slightly increased risk of missing some information or overwhelming the network.
10.10.233.189: the target IP address for the scan.
The scan results show that port 22, port 80 and port 443 are open. An HTTP service is running on port 80, so let’s visit our target IP on port 80 in a web browser.
It’s just a good looking webpage, nothing special here. So let’s move forward by starting directory busting on the target IP.
Directory Busting
We can start directory busting with ffuf using the following command:
ffuf -w /home/ubuntu/Downloads/secLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.233.189/FUZZ
The above command will help us discover hidden or unlinked directories and files on the web server.
ffuf: invokes the ffuf tool.
-w /home/ubuntu/Downloads/secLists/Discovery/Web-Content/directory-list-2.3-small.txt: specifies the wordlist to use for fuzzing. The path points to the directory-list-2.3-small.txt file, which contains a list of common directory names that ffuf will attempt to find on the target web server.
-u http://10.10.233.189/FUZZ: specifies the URL to be fuzzed. The FUZZ keyword is a placeholder that ffuf replaces with each entry from the wordlist during the fuzzing process.
ffuf discovered many directories which might be useful, so let’s start checking them.
Capturing Key-1
We found a very common /robots directory on our target. The robots file is a standard used by websites to communicate with web crawlers and other web robots. It tells these bots which areas of the site should not be processed or scanned. So, let’s go to the /robots path and check what we have there.
Boom!! We found our first key path and a dictionary file. Let’s go to the dictionary path and download that dictionary.
Now that we have our dictionary, we can simply go to the path of the key file and get our first key.
License directory
We also found a directory named license, so let’s move to that path and check what we have there.
We just have a simple question on that path, but when I scrolled down to the end of the page I found something interesting.
We found a hash at the end of the /license directory. Let’s go to Hash Analyzer and identify the hash type.
Hash Analyzer reported that the string is Base64, which is an encoding rather than a hash. A Base64 string represents binary data in ASCII format by converting it into a sequence of printable characters.
Let’s decode this string with a simple bash command.
echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
On decoding the string we got a username and password.
Login Attempt
The scan results also revealed a /wp-login page. Let’s go to the path and check what we have there.
We got a WordPress admin page. Let’s log in with the username and password we got from decoding the string: elliot:ER28-0652
We successfully logged in to the WordPress admin panel.
On the left-hand side we can see a menu panel. Click on Appearance and then go to Editor.
Reverse Shell attack
In the editor section, we can see that different PHP scripts are present. So, let’s open one of these scripts and change it to get a reverse shell.
On clicking author-bio.php we can see that the PHP script is opened in the editor and we can change it.
Let’s remove this script from the editor and paste a reverse shell script here to get a reverse shell. You can get the PHP script from the following link.
If you are using the same script which I used, then don’t forget to change the ip address and port in the script.
I have changed the IP address and port according to my attack machine as shown in the image below:
Now, let’s start a listener in the terminal using the command nc -lvnp 1234
Now that we are all set to get a reverse shell, let’s execute our modified code by changing the URL to:
http://10.10.14.85//wp-content/themes/twentyfifteen/author-bio.php
As soon as the URL is opened in the browser we get a reverse shell on our terminal.
Let’s check which user we are logged in as, using the command whoami.
So, we are logged in as daemon. To check what other users are present we can list the contents of the /home directory using the command ls /home.
We can see there is another user named robot. Let’s move to its home directory and list the files there. We can change directory with cd /home/robot and then list files with ls.
We can see that there are two files. We have our desired key-2-of-3.txt.
Let’s use the command ls -la to check the permissions of these files.
On checking permissions we can see that only robot can read key-2-of-3.txt. But we can read the password.raw-md5 file. So, let’s read its content using the cat command.
Cooool!! We got the password hash of robot. Let’s try to crack it online using the following tool.
Copy the hash of robot, paste it at the given URL and click on Crack Hashes.
We have successfully cracked the hash of robot. So, we can switch user to robot, but before that we need to make our shell interactive, which we can do with the following python command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Switching user
Now, we can switch to user robot using the command su robot and entering the password we got from cracking the hash.
Now, let’s capture our key-2-of-3.txt using the command cat key-2-of-3.txt
Privilege escalation
Now, to escalate our privileges we can search the entire filesystem for files with either the setuid or setgid permission bit set, and filter those results to only show files located in directories that contain /bin/ in their path.
We can do this using the following command (on current GNU find, the -perm +6000 form has been replaced by -perm /6000, which matches files with any of those bits set):
find / -perm +6000 2>/dev/null | grep '/bin/'
When the setuid permission is set on an executable file, users executing the file get the permissions of the file owner, and similarly, setgid affects group permissions.
We got our list of files with the setuid permission bit set, and on checking the list we notice that nmap also has the setuid bit set.
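From the defender's side, the same setuid/setgid search is an audit you should run against a baseline so a stray bit on a binary like /usr/local/bin/nmap stands out. The following is an added example, not part of the original writeup; the EXPECTED_SETUID baseline is an assumed, illustrative list, not a complete one for any distribution.

```python
import os
import stat
from typing import Iterable, Iterator

# Assumed baseline of binaries that legitimately carry setuid on a typical
# Linux host (illustrative, not complete; derive it from the package manager).
EXPECTED_SETUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
}


def has_set_id_bit(mode: int) -> bool:
    """True if the setuid or setgid bit is set (the octal 6000 mask)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def walk_set_id_files(root: str) -> Iterator[tuple[str, int]]:
    """Yield (path, mode) for regular files under root with setuid/setgid.

    Mirrors 'find / -perm /6000' but uses lstat so symlinks are skipped.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and has_set_id_bit(st.st_mode):
                yield path, st.st_mode


def unexpected_set_id(entries: Iterable[tuple[str, int]],
                      baseline: set[str] = EXPECTED_SETUID) -> list[str]:
    """Return setuid/setgid paths not on the baseline, sorted.

    A hit such as /usr/local/bin/nmap is exactly the finding the writeup
    turns into root, so each one should be justified or the bit removed.
    """
    return sorted(
        path for path, mode in entries
        if has_set_id_bit(mode) and path not in baseline
    )


if __name__ == "__main__":
    for path in unexpected_set_id(walk_set_id_files("/")):
        print("unexpected setuid/setgid:", path)
```

Run it from a scheduled job and alert on any new path in the output; the baseline must be refreshed when packages that legitimately need setuid are installed.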
Let’s go to GTFOBins, search for nmap and click on sudo in the options.
GTFOBins lists the commands that we can use to escalate our privileges.
The command we found opens nmap in interactive mode and then allows us to execute shell commands. We will modify the command by adding the path of nmap:
/usr/local/bin/nmap --interactive
The above command opens nmap in interactive mode, and then we can get a shell with the euid of root using the command !sh. We can verify this using the command id.
Now that we have escalated our privileges, let’s list the contents of the /root directory, where we have our final key-3-of-3.txt.
Let’s capture the key using the cat command with the absolute path of the text file.
cat /root/key-3-of-3.txt
Copy and paste your flags on TryHackMe.
CONGRATULATIONS!!! The room is completed!
This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊