Hello, Friend (Mr. Robot CTF)
Last week, I decided to do a web security-related CTF to somehow polish my (rusty) penetration testing skills. After days of trying to find a good VM for practice, my senior recommended this Mr. Robot Virtual Machine c/o Vulnhub. I thought it was perfect because:
1. I love Mr. Robot (the series) and I recommend it to every person I cross paths with, and
2. The story revolves around Elliot — a computer security professional by day, Internet activist (see: hacktivist) by night.
Let’s do it!
Walkthrough:
First, we’re given a copy of the virtual machine in .ova format with the following description:
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
However, before booting it up, make sure you configure your VM to automatically get an IP address via DHCP.
Once you figure out the VM’s IP address, you’re given this view:

Let’s try an nmap scan:
$ nmap -sV x.x.x.x
(where x.x.x.x is the IP address of your Mr. Robot VM.)
It displays the following:

Now that we know a web service is up on that IP, we can open it in a web browser:

Executing the commands shown above (except join) plays WebM videos related to fsociety. You can also view them at whoismrrobot.com.
Executing join doesn't give you anything either. Now what?
Let's use Nikto. Nikto is a great vulnerability-analysis tool that scans a web server for known vulnerabilities and misconfigurations.
Executing:
$ nikto -host x.x.x.x
will give us the following output:

Interesting… Nikto suggests that we look at /robots.txt first.
A robots.txt is a website's way of telling web robots (crawlers) which parts of the site they should leave out of their crawls. The file is public and crawlers are only asked, not forced, to honour it, so listing a path there advertises it to anyone who looks rather than hiding it; that is why robots.txt should never be used to hide information.
The robots.txt contains the following:
User-agent: *
fsocity.dic
key-1-of-3.txt
Oh hey, a key! And a dictionary…?
Now we know that the web service is a WordPress site, and we've already been given a dictionary... so let's crack stuff up then!
Let's clean up the dictionary first by sorting it and removing duplicate entries:
$ sort -u fsocity.dic > fsociety.lst
We're gonna use wpscan to try the cleaned wordlist against the username Elliot:
$ wpscan --url x.x.x.x --wordlist fsociety.lst --username Elliot
I used Elliot as the username because he is the main character and because he [SPOILER]
After running wpscan, we’ll see the following output:

And here we can see that Elliot's account has Administrator privileges:

Since we have admin access to the WordPress site, we can replace pages with anything we like.
I grabbed the PHP reverse shell from pentestmonkey.com and replaced the 404.php page with it.
Of course, we need to edit the code we downloaded from pentestmonkey so that it phones home to our listener's IP address and port:

Let’s execute this command to catch the reverse shell:
$ nc -nlvp 1234
nc = netcat
-n = numeric only; do not do DNS lookups
-l = listen for an incoming connection
-v = verbose
-p = local port to listen on (must match the port set in the reverse shell)
When you access /404.php, you’ll get a shell!

Once we’re inside, let’s check out the /home directory:

Display the contents of /home/robot:

We found key 2!
We also found the password hash of robot:

After cracking the password using hashcat, we can now su:

ASDFASKDNFASLFASDFKAJSDF. No matter, we'll do some Python magic then. I just hope it works.

Let’s check the contents of the /root directory:

Didn’t work, as expected.
Let's look for programs with the setuid/setgid bit set:
$ find / -perm /6000 -exec ls -ldb {} \; > /tmp/suids.txt
Upon further inspection of the resulting text file, I saw this:

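As an added defender-side check, not part of the original walkthrough: the audit below lists setuid/setgid files under a root directory and reports any that are missing from an allowlist, so an unexpected setuid nmap like this one shows up as an alert. The function names, the allowlist format (one absolute path per line) and the demo tree are my own constructions.

```shell
#!/bin/sh
# audit_suid.sh: report setuid/setgid files that are not on an allowlist.
# Added example for this write-up; not part of the original post or the VM.
# ROOT lets you point the audit at a mounted disk image or chroot as well.

# Print every regular file under ROOT with the setuid or setgid bit set.
# -xdev keeps the walk on one filesystem (skips /proc, network mounts, ...).
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print setuid/setgid files under ROOT that do not appear in ALLOWLIST.
# Paths are compared as exact whole lines (-x) and fixed strings (-F).
unexpected_suid() {
    [ -r "$2" ] || { echo "allowlist $2 not readable" >&2; return 2; }
    list_suid_sgid "$1" | grep -v -x -F -f "$2" || true
}

# Number of unexpected files; anything other than 0 is the alert condition.
unexpected_suid_count() {
    unexpected_suid "$1" "$2" | grep -c . || true
}

# Build a constructed demo tree mirroring the write-up: a setuid nmap next to
# an allowlisted setuid su and an ordinary ls. Prints the tree's root.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    : > "$d/bin/su";       chmod 4755 "$d/bin/su"
    : > "$d/usr/bin/nmap"; chmod 4755 "$d/usr/bin/nmap"   # the misconfiguration
    : > "$d/usr/bin/ls";   chmod 0755 "$d/usr/bin/ls"
    printf '%s\n' "$d/bin/su" > "$d/allow.txt"             # only su is expected
    printf '%s' "$d"
}
```

On a real host you would run unexpected_suid / /etc/suid-allowlist.txt from a scheduled job and alert on non-empty output.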
Let’s do some (deprecated) nmap magic then:

Change into the /root directory:

And we’re done!
“The world is a dangerous place, Elliot, not because of those who do evil, but because of those who look on and do nothing.” — Mr. Robot
Bonus:
We got Elliot's password for the WordPress site, but there's another user in there — Krista Gordon:

However, we don’t need to crack her password because:
- She’s not an admin user
- We got this picture:
