Vulnhub-Mr.Robo

I know its been a while since I last posted but I’ve been super busy with work, uni and life in general. Now that everything has settled down (for the moment) its time to get back posting on a regular basis. This post, as the title suggest, is a walk through for the Mr.Robot CTF created by the user Jason.  I didn’t find this challenge to difficult, but did need some help at certain points. Enough rambling lets get started.

For this CTF there are 3 flags to capture, with each one increasing in difficulty. First of lets scan the vm with nmap. (nmap <ip-address> -p- -sSVC -A)

As you can see, port 80 and 443 are open, meaning theirs a website being hosted. Navigating to it reveals that its just the promotional site used for the show Mr.Robot. After going through the site and getting nothing out of it, I decided to scan it using nikto. (nikto -host <ip address>)

Hey whats this, robots.txt, lets take a look.

JACKPOT!!

Found key 1: 073403c8a58a1f80d943455fb30724b9.

Looking into fsocity.dic, looks like a dictionary file used for brute forcing login pages. Looking closely at the nikto output, the wordpress login page is found. Knowing that this vm is based on the show, I started manually typing in character names as usernames. Lo and behold, username elliot works (that saved me some time brute forcing the username).

Now that we have a username, I used wpscan to brute force the login page with the dictionary file we got earlier. (wpscan –url <ip address> –username elliot –wordlist fsocity.dic). This attack will take some time, so you might want to do something else while you wait. After wpscan is done, it should spit out the password ER28-0652 (FYI is elliots’ badge number at all safe).

After logging in to the site and poking around, I found nothing of use, this is where I got stuck so I ended up using Snooze Security video to get to the next step (he also had some great links in the description that I used later on). Basically he used pentest monkey reverse shell to get into the system, but make sure you add the following to the top of the php file, edit it with your machines ip address and what port you want to use, zip it and upload it through the wordpress plugin section:

/*
Plugin Name: reverse shell
Plugin URI: https://google.com
Description: reverse shell
Version: 1
Author: reverse shell
Author URI: https://google.com
Text Domain: reverse
Domain Path: /shell
*/

source for the above http://pastebin.com/GMwhCDtm, credit goes to Snooze Security.

Now that the file is uploaded don’t click activate just yet, you need to set up netcat to listen for incoming traffic on the port you specified in the file with the following command nc -vlp <port number>.

Once setup, hit activate and netcat should have been triggered and you now have a reverse shell. If for what ever reason netcat looses the connection, just run the command again and and refresh the web page.

After again snooping around the system I came across the robot directory with key-2-of-3.txt and password.raw-md5. Using cat on the key gave me permission denied but not on the password file.

Copying that hash and pasting it into google, the first link gave me abcdefghijklmnopqrstuvwxyz as the password.

Sweet now that I have the password, lets switch to user robot.

Nope, not going to be that easy.

After researching how to spawn a terminal from a shell, pentest monkey came to the rescue again. Spawning a terminal with the python command python -c “import pty;pty.spawn(‘/bin/sh’);”.

Now we switch user, enter the password (also change the password to something easier to type) and boom we are now user robot. Cat the key file and we are almost done.

Key 2: 822c73956184f694993bede3eb39f959.

Now on to key 3. Using the find command gave me nothing so I now have to manually search through the directories to find key 3. Did so until I ran into the root folder which did not let me in. So now I have to escalate my privileges to root to gain access into the directory.  After trying a bunch of the commands from Reboot user, I came across one that worked, nmap –interactive, which you can read more about here. From what I understand it’s an interactive shell where you can pass nmap commands into.

After launching the interactive command, enter h and it will give you the help screen. ! gives the user the ability to pass shell commands, so why not just launch a shell with !sh. With  that we are now root. cd into the root directory and cat the final key.

key 3: 04787ddef27c3dee1ee161b21670b4e4.

That’s it for this vm. It was so much fun doing this and taught a lot new tricks that I’ll use in other CTFs.

Until next time, stay classy internet.