Mr Robot CTF
Based on the Mr. Robot show, can you root this box?

Nmap Scan
$ nmap -A -T4 -p- 10.10.112.2

We see that two ports are open: 80 and 443. Let's open up our browser and navigate to the site.

We have some sort of Linux shell with a narrative, as well as some commands we can run. Let's try them one by one.
The prepare command shows us a video narrative.
The fsociety command also displays a video narrative asking us if we are ready to join fsociety.
The inform command displays a gallery of photos which fsociety criticizes (See below). The photos are located at /inform.

The same applies for the question command. Photos are located at /question.

The wakeup command also displays a video narrative located at /wakeup.
The join command (/join) displays the text below.

Let's see where the rabbit hole takes us.
I provided a temporary email address, but nothing happened. I was just redirected back to the main page.
Let's use gobuster to see if we can enumerate hidden directories and files.
$ gobuster dir -u http://robot.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

Hmm, curiouser and curiouser. We can infer it's a WordPress site, as indicated by the /wp-login and /wp-login.php gobuster results.
Let's browse to the highlighted interesting pages we have discovered containing a 200 status code.

Both /wp-login and /wp-login.php reveal a login form.

Looking at my Wappalyzer results reveals that it's WordPress version 4.3.1.
Forcing a 404 error also reveals the following:

Does that user's blog reveal something?
Let me run wpscan to see what I come out with.
$ wpscan --url http://robot.local



From our wpscan results, I see a robots.txt file (I should have found this earlier through enumerating the site itself). Let's navigate to it.

We get our first key and a dictionary file. After downloading the file, I see that it contains a list of passwords. Perhaps? Not so sure.
We can attempt a brute-force attack against the login page with the username user and the contents of the dictionary file.
Before I do that, I will use wpscan to enumerate users.
$ wpscan --url http://robot.local -e u

Be that as it may, since the site reveals its user's blog, we will use that as our username in the brute-force attack.
I use wpscan to perform the password brute-force attack.
$ wpscan --url http://robot.local/wp-login.php -U users.txt -P fsocity.dic
However, it takes long and I decide to cancel it. On the login form, I notice a password reset link which, when clicked, takes me to a page to input my username or email so that I may receive the password reset token. When I input the username user, I get an error message informing me that that's an invalid username or email. So my password brute-force attack was doomed from the beginning :D

So perhaps that dictionary file was a list of usernames instead of passwords.
Since it's a Mr. Robot themed box, I will input the username elliot (main character in the show) and see what happens (I know, I know, it's cheating a bit).

I get an error message, but it does confirm for us that elliot may be a user on the website. Perhaps now I can attempt that password brute-force attack again with this new username.
To remove duplicates, I will first sort the fsocity.dic file.

This immediately shortened the file from over 850k entries to approximately 12k entries.
I'll use hydra this time.
$ hydra -l elliot -P fsocity.dic robot.local http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30
After a while, we discover that the password is: ER28-0652
Aaand we are in.
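From the defender's side, a hydra run like the one above leaves a very recognisable trace in the web server's access log: many POSTs to /wp-login.php from one address in a short window. The following added example (not part of this write-up) flags that pattern in combined-format log lines; the sample lines, the threshold and the window size are constructed assumptions.

```python
"""Flag brute-force bursts against wp-login.php in combined-format access logs.
Added example, not part of the original write-up; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }

def flag_login_bursts(lines, threshold=10, window_s=60):
    """Return {ip: peak_hits} for IPs exceeding `threshold` POSTs to
    /wp-login.php within any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # per-IP timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()               # drop hits that fell out of the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample: one host hammering the form (WordPress answers a failed
# login with 200), one normal user logging in once (302 redirect on success).
SAMPLE = [
    f'10.10.14.5 - - [21/Mar/2024:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 3100 "-" "Mozilla/5.0"' for i in range(15)
] + [
    '10.10.14.9 - - [21/Mar/2024:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [21/Mar/2024:10:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(flag_login_bursts(SAMPLE))
```

On the sample this reports only 10.10.14.5, with 15 POSTs inside the one-minute window; lower the threshold or widen the window to catch slower, throttled runs.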

At this point I'll just go through the application to see if I can discover more stuff.
Navigating to the users' tab, I come across another user with a funny description.

Maybe they have a key associated with them. Scrolling down, I updated their password then logged in with their credentials to see what I can uncover. However, nothing interesting comes up and I log back in as Elliot.
I see an "Editor" button which would allow me to edit some PHP files, e.g. the 404 and archive.php pages.


We will replace its content with a PHP reverse shell payload from Pentest Monkey, making sure to edit the port and IP fields with our values.

I will then set up a listener using netcat and specify the same port number I used in the reverse-shell code.

Let's now navigate to the archive.php file in order to execute it. It's located at /wp-content/themes/twentyfifteen/archive.php.
Aaannnddd success.

Navigating to /home/robot reveals the 2nd key. However, we cannot access it. We need a way to escalate our privileges. I wonder if that password.raw-md5 file can help.

I will use john to crack the md5 hash.

John cracks the md5 hash successfully.

Let's now login as robot and try to access that key.
We need to upgrade our shell to become interactive because the su command cannot be run from a non-interactive shell.
$ python -c 'import pty;pty.spawn("/bin/bash")'
Let's now go retrieve the 2nd flag.

Let's now go retrieve the root flag. We may need to escalate our privileges to that of root user.

We will escalate our privileges to that of root by exploiting the SUID binaries. First, let's run the command below:
find / -type f -perm /6000 2>/dev/null | grep '/bin/'
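The same search is what a defender should run periodically as an audit, since a setuid binary that does not belong to the base system is exactly what GTFOBins-style escalation relies on. This added example (not from the write-up) walks the filesystem in Python, reports setuid/setgid regular files, and marks any that are not a well-known system binary in a standard path as needing review; the baseline set and the path list are illustrative assumptions, not a complete list for any distribution.

```python
"""Audit setuid/setgid files and flag those outside a known baseline.
Added example for defenders; not part of the original write-up."""
import os
import stat

# Illustrative baseline (an assumption, not a distribution's real list) of
# binaries commonly shipped setuid; anything else is worth a closer look.
BASELINE = {"su", "sudo", "passwd", "mount", "umount", "ping", "newgrp", "chsh", "chfn"}
SYSTEM_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")

def privilege_bits(mode):
    """Return the subset of {'suid', 'sgid'} set in a file mode."""
    bits = set()
    if mode & stat.S_ISUID:
        bits.add("suid")
    if mode & stat.S_ISGID:
        bits.add("sgid")
    return bits

def classify(path, mode):
    """Map one file to 'baseline', 'review', or None when it has no privilege bits
    (or is not a regular file, e.g. a setgid directory)."""
    if not stat.S_ISREG(mode) or not privilege_bits(mode):
        return None
    if os.path.basename(path) in BASELINE and path.startswith(SYSTEM_DIRS):
        return "baseline"
    return "review"

def audit(root):
    """Walk `root` and return {path: verdict} for every setuid/setgid regular file."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks
            except OSError:
                continue                  # unreadable or vanished entry
            verdict = classify(p, st.st_mode)
            if verdict:
                findings[p] = verdict
    return findings

if __name__ == "__main__":
    for path, verdict in sorted(audit("/").items()):
        print(f"{verdict:8} {path}")
```

Entries marked review are the ones to compare against the package manager's records and against GTFOBins before deciding whether the bit should stay.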

We will refer to GTFOBins on how we can bypass local security restrictions in misconfigured systems.
Let's now elevate our privileges.

And we are done :D
Lessons Learnt
Always try to remove duplicates from username/password lists. This can dramatically reduce the size of the list and speed up the brute-force attack.
Enumeration is key (The login form had username enumeration. I didn't remember about the /robots.txt earlier).
Learn Linux privesc