Hello friend. The Mr Robot CTF was a spectacular medium difficulty room on TryHackMe, although it was very much intended for beginners. The room offered an intriguing Mr Robot themed machine and required only a very basic knowledge of hacking. It made good use of common web vulnerabilities and really made for a badass experience. But I wasn't alone in doing this room; a friend of mine, Kr1ppl3r, also played a role. No more talking, let's start pwning!
Upon entering the room we are greeted with task one. It is just the standard "boot up or shut up" guide to getting connected using OpenVPN, so of course I will not go over it. You can simply connect and mark all of task one as complete; task two, however, is where stuff gets real.
Keys? Well, let's deploy the machine and get right into the swing of things with an nmap scan.
It looks like our scope has been narrowed down to a web server, as port 22 is closed. Taking a look at the web server, we are presented with what seemed to be a PHP shell; this is when Kr1ppl3r let out a chuckle. However, it is not an actual shell. It is a fake terminal that only accepts six custom commands. The shell is here simply for aesthetics and that authentic Mr Robot feel.
Further enumeration with gobuster reveals additional info.
From these results we can gather more information on the site. From the /wp-login and /wp-content directories, we know this is a WordPress site and can enumerate further. We can find the version in the source of the /wp-login page. It is 4.3.1.
Before we continue any further, since this is a Mr Robot CTF, we took a look at the robots.txt file for any disallowed entries.
Easy! We already have our first key! You can go ahead and submit it; however, there is also another interesting disallowed entry, so let's take a look at it.
It's a wordlist. Kr1ppl3r and I began to debate what the wordlist was for, but based on some entries, such as 'AdminDashboard', we initially thought it was meant for dirbusting. So dirbusting we went!
Ok, so you see what's wrong here, right? If you don't, take a look at the "Time To Finish" section above the back button. Sorry Mr Robot, I don't have 145 days to wait. After a ton of fumbling around, I found the root of this problem by accident, when grepping for the word 'SQL'.
Hundreds of duplicates were present in the wordlist. We could fix this by simply running the following command.
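To make the effect of the duplicates concrete, here is an added example (my own code, not part of the original write-up) that deduplicates a wordlist while keeping the original order and reports how much of the file was redundant. The `SAMPLE_WORDLIST` below is a constructed stand-in for the real dictionary file; `load_wordlist()` reads a real file from an assumed path.

```python
"""Deduplicate a wordlist and report how much of it was redundant.

Added example, not from the original write-up. The constructed sample
below stands in for the dictionary file found in robots.txt; a real
wordlist is read from disk with load_wordlist().
"""
from __future__ import annotations

from collections import Counter
from pathlib import Path

# Constructed sample: a tiny wordlist with the kind of repetition the
# post describes (the real file is far larger).
SAMPLE_WORDLIST = """\
true
false
wikia
from
the
AdminDashboard
true
SQL
false
SQL
true
"""


def dedupe_wordlist(text: str) -> tuple[list[str], Counter]:
    """Return (unique entries in first-seen order, per-entry counts).

    Order is preserved so that any priority the wordlist author gave to
    early entries survives; `sort -u` would reorder the file instead.
    """
    counts: Counter = Counter()
    unique: list[str] = []
    for raw in text.splitlines():
        word = raw.strip()
        if not word:  # skip blank lines
            continue
        if counts[word] == 0:
            unique.append(word)
        counts[word] += 1
    return unique, counts


def redundancy_report(text: str) -> dict:
    """Summarise how much of the wordlist is duplicated."""
    unique, counts = dedupe_wordlist(text)
    total = sum(counts.values())
    return {
        "total": total,
        "unique": len(unique),
        "duplicates": total - len(unique),
        "most_repeated": counts.most_common(3),
    }


def load_wordlist(path: str) -> str:
    """Read a wordlist from disk (assumed path; unused by the sample)."""
    return Path(path).read_text(encoding="utf-8", errors="replace")


def write_wordlist(words: list[str], path: str) -> None:
    """Write the deduplicated entries back out, one per line."""
    Path(path).write_text("\n".join(words) + "\n", encoding="utf-8")


if __name__ == "__main__":
    unique, _ = dedupe_wordlist(SAMPLE_WORDLIST)
    print(redundancy_report(SAMPLE_WORDLIST))
    print("\n".join(unique))
```

The ratio of `duplicates` to `total` is what turns a 145-day dirbust into a reasonable one: every duplicate line is a request the scanner repeats for no gain.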
As you can see, the problem is remediated. However, we realized that this wordlist was not meant for dirbusting. We shifted our attention to the WordPress login page we found earlier with gobuster. There is an information disclosure present in the WordPress login page: if a person logs in with an incorrect password but the user exists, WordPress returns an error stating that this user's password is incorrect. This confirms the existence of said user. Let's try it out on Elliot, the main character of the show, Mr Robot.
This allows us to confirm that 'elliot' is a valid username. We can now use our new, sorted wordlist to brute-force the password for the user Elliot. I did this using Burp Suite, but Kr1ppl3r did this using Hydra. As Kr1ppl3r said, using the community edition of Burp will take longer than Hydra. So if speed is your thing, go duck on that. If you are unfamiliar with using Hydra for HTTP(S), visit this awesome resource by RedTeamTutorials: https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/
Here I am using Burp Intruder and filtering out code 200 responses, assuming that if I log in correctly, I will get a 300 response and be redirected to the WordPress dashboard. Again, if you are unfamiliar with Burp Suite or Hydra, I recommend you get on that, as they are very important tools. However, Burp is impractical to use in this case, as it will be very slow. I'll switch to Hydra instead. You can configure your Hydra command as needed with the RedTeamTutorials resource I provided above.
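Seen from the server side, an Intruder or Hydra run against wp-login.php is a burst of POSTs from one client, most answered with a 200 (the login form again) and, if a guess lands, a 302 to the dashboard. The following added example (my own code, not part of the original write-up) scans access logs in the common Apache/nginx format for exactly that pattern; the log lines in `SAMPLE_LOG` are constructed, not captured from the CTF box, and the threshold and window are assumed defaults to tune per site.

```python
"""Flag password guessing against wp-login.php in access logs.

Added example, not from the original write-up. It looks for many POSTs
to /wp-login.php from one client inside a short window and reports
whether any of them ended in a redirect (a successful login). Sample
log lines are constructed for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client guessing quickly and succeeding,
# one slow client, one ordinary user, and a line that fails to parse.
SAMPLE_LOG = """\
10.0.0.9 - - [12/Oct/2020:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.9 - - [12/Oct/2020:14:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.5 - - [12/Oct/2020:14:03:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [12/Oct/2020:14:03:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876
10.0.0.9 - - [12/Oct/2020:14:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
192.168.1.20 - - [12/Oct/2020:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
192.168.1.20 - - [12/Oct/2020:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [12/Oct/2020:14:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
10.0.0.9 - - [12/Oct/2020:14:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
this line is not a valid log record and is skipped
"""


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: {attempts, redirects}} for clients that sent at least
    `threshold` POSTs to /wp-login.php within any span of `window`."""
    events: dict[str, list] = defaultdict(list)  # ip -> [(ts, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        # Sliding window: any `threshold` consecutive POSTs inside `window`
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            findings[ip] = {
                "attempts": len(evs),
                "redirects": sum(1 for _, s in evs if 300 <= s < 400),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} guesses, {info['redirects']} redirect(s)")
```

A flagged client whose `redirects` count is non-zero is the case to escalate first: the guessing stopped because a password worked. Loosening the window (for example ten minutes) catches slower, rate-limit-aware guessing at the cost of more noise from forgetful users.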
Awesome! We can now log in as elliot with the password "ER28-0652". Let's do just that.
When googling for WordPress 4.3.1 exploits, a lot of stuff comes up. Additionally, it seems that we are allowed to modify the PHP of web pages using Appearance > Editor; let's try it out!
We can! By abusing this, we can upload a PHP reverse shell into the 404.php page and gain access to the web server! Let's do that using pentestmonkey's PHP reverse shell.
Before I upload the malicious file, I first need to configure it to connect back to me. To do this, I change the local IP address to that of the VPN tunnel and the port to the standard 4444.
Now I start a listener on the same port.
I can now paste the malicious payload into a PHP-reliant web page of my choice. Here I am just using the 404 page, since it will be the easiest to access.
Now I can just update the file and access the web page to execute the payload.
I now have a shell on my netcat listener. The user has been owned!
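From the defender's side, two things stop the path just taken: WordPress can disable the theme editor entirely with the `DISALLOW_FILE_EDIT` constant in wp-config.php, and a file-integrity check over the theme directory catches an edited 404.php even when the editor is left on. The following added example (my own code, not part of the original write-up or of WordPress) does both checks; the theme layout is constructed in a temporary directory for the demo, and the theme name `twentyfifteen` is an assumption.

```python
"""Detect modified PHP files under a WordPress theme directory and check
whether the built-in file editor is disabled.

Added example, not from the original write-up. It records a baseline of
SHA-256 hashes for every .php file under the themes directory and later
reports files that were added, removed or modified; a payload pasted into
404.php through Appearance > Editor shows up as "modified". The demo
builds a constructed theme layout in a temporary folder.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Matches an active define('DISALLOW_FILE_EDIT', true); in wp-config.php.
DISALLOW_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""",
    re.IGNORECASE,
)


def hash_tree(root: Path) -> dict[str, str]:
    """Map each .php file (relative POSIX path) under root to its SHA-256."""
    hashes: dict[str, str] = {}
    for path in sorted(root.rglob("*.php")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Compare two hash maps and list added, removed and modified files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def file_edit_disabled(wp_config_text: str) -> bool:
    """True if wp-config.php actively defines DISALLOW_FILE_EDIT as true.

    Commented-out lines do not count; only an uncommented define does.
    """
    for line in wp_config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        if DISALLOW_RE.search(stripped):
            return True
    return False


def demo() -> dict:
    """Build a constructed theme, take a baseline, tamper with 404.php, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        themes_root = Path(tmp) / "wp-content" / "themes"
        theme = themes_root / "twentyfifteen"  # assumed theme name
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        (theme / "index.php").write_text("<?php get_header(); get_footer(); ?>\n")

        baseline = hash_tree(themes_root)

        # Stand-in for content appended through the theme editor; no real
        # payload is needed to show that the hash changes.
        with (theme / "404.php").open("a") as fh:
            fh.write("<?php /* constructed marker for injected code */ ?>\n")

        return diff_baseline(baseline, hash_tree(themes_root))


if __name__ == "__main__":
    print(demo())
    print(file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

In practice the baseline is taken right after a clean install or update and stored off the web server, so that an attacker with the same write access the editor grants cannot simply refresh it.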
It seems there is another user on this system, I'll let myself into their home directory and see if there is anything interesting.
Another key! Awesome. At this point Kr1ppl3r is taking a break, but he had mentioned before that he found nmap had an SUID bit set. We can confirm this with the following command.
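A set-UID bit on a binary like nmap, which has no business carrying one, is exactly what a defender's periodic audit should surface before anyone else finds it. The following added example (my own code, not part of the original write-up) walks a filesystem for set-UID regular files and compares them against an allowlist; `EXPECTED_SUID` is an assumed list to adjust per distribution, and `SAMPLE_ENTRIES` are constructed (path, mode) records so the check runs without touching a real system.

```python
"""Audit set-UID executables against an allowlist of expected binaries.

Added example, not from the original write-up. scan_tree() walks a real
filesystem with os.lstat(); audit_suid() works on (path, mode) records,
so it runs equally on the constructed sample below.
"""
from __future__ import annotations

import os
import stat
from typing import Iterable, Iterator

# Assumed allowlist: binaries that legitimately carry the set-UID bit on
# a typical Linux install. Tune this to the distribution being audited.
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/newgrp",
}

# Constructed sample records: st_mode values as os.lstat() would report.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),     # expected
    ("/usr/local/bin/nmap", stat.S_IFREG | stat.S_ISUID | 0o755), # unexpected
    ("/usr/bin/ls", stat.S_IFREG | 0o755),                        # no SUID
    ("/tmp/shared", stat.S_IFDIR | stat.S_ISUID | 0o755),         # a directory
    ("/usr/bin/wall", stat.S_IFREG | stat.S_ISGID | 0o755),       # SGID only
]


def is_suid(mode: int) -> bool:
    """True for a regular file whose mode carries the set-UID bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan_tree(root: str) -> Iterator[tuple[str, int]]:
    """Yield (path, st_mode) for every file under root, skipping unreadable ones."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_mode
            except OSError:
                continue  # permission denied, vanished file, etc.


def audit_suid(entries: Iterable[tuple[str, int]],
               expected: set[str] = EXPECTED_SUID) -> dict[str, list[str]]:
    """Split set-UID regular files into expected and unexpected lists."""
    suid_paths = [path for path, mode in entries if is_suid(mode)]
    return {
        "expected": sorted(p for p in suid_paths if p in expected),
        "unexpected": sorted(p for p in suid_paths if p not in expected),
    }


if __name__ == "__main__":
    print(audit_suid(SAMPLE_ENTRIES))
    # Real run (needs read access to the tree; run as an unprivileged user
    # it still reports everything it can stat):
    # print(audit_suid(scan_tree("/usr")))
```

The `is_suid` check deliberately requires a regular file: the bit means something different on directories, and symlinks are skipped because `os.lstat` reports the link, not its target.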
Before I dig further into that, though, I take a look at the other file inside robot's home.
It seems to be robot's credentials. The password can be easily cracked using https://md5hashing.net/hash.
Robot's password is just the alphabet. I can now switch users and use nmap to gain a privileged shell. But before I can do that, I need to spawn a TTY shell. This can be done with Python.
Now log in as robot, use nmap to gain a root shell and profit with the final key.
Nice try Mr Robot, but we own you.