TryHackMe — Mr. Robot WalkThrough

[Image: header illustration (source: Kaspersky)]

This is a practical walkthrough of the “Mr. Robot CTF” room from TryHackMe. The machine is credited to Leon Johnson. The room covers initial enumeration, exploitation and privilege escalation.

Enumeration

We kick off this room by enumerating the IP address provided to us with Nmap.

[Image: Nmap result]

We have two open ports, both belonging to web services. We could enumerate further with a version and script scan, but unfortunately that gives no useful results here.

If we visit the HTTP service running on the target machine, we get the result below. We can interact with it by typing the options, but I didn't get any information out of any of them.

[Image: HTTP]

Let’s run GoBuster to find any directories on that HTTP service.

I am running it with the common wordlist and 50 threads at a time.

[Image: GoBuster]

We get a lot of directory names; some redirect and some are forbidden to access.

[Image: GoBuster result]

Looking at the result, we can say that the target HTTP server is probably running WordPress.

I am more intrigued by the login and robots.txt entries. Let’s visit robots.txt.

[Image: robots.txt]

Alright, I think we got the first of the 3 keys and a .dic (wordlist) file. Let’s view the key using the curl command.

[Image: Key 1 of 3]

Let’s download the fsocity.dic file and save it on our local machine.

[Image: fsocity.dic]
[Image: fsocity file size]

The file size is 7 MB, so it must be a huge list. With the wc command we can get the number of words.

[Image: wc result]

It’s a huge list, and if you go through it you’ll see that there are duplicate words. We need to sort it so that only unique words remain.

[Image: sort unique words]
[Image: wc unique result]

As you can see from the previous result, 98% of the original file was repeated words. Now we have a unique word list, which we can use in the next enumeration step.

Now let’s visit /wp-login and find out whether it’s a WordPress site or something else.

[Image: login page]

As you can see, it is indeed a WordPress site. Let’s run the WPScan tool to find out more about the installation.

[Image: WPScan]

From the result, below is the version information.

[Image: WPScan result, version]

An outdated theme is running on the WordPress site.

[Image: WPScan result, theme]

No users were found on WordPress.

[Image: WPScan result, no users]

So basically we got no information other than an outdated WordPress theme. To break into WordPress we need valid credentials.

Let’s find a valid username by performing a wordlist attack on the login page. We can do this with the Hydra tool, but first we need to capture the login request with Burp Suite.

[Image: Burp request]

Now we use the captured request to enumerate the username with the recently downloaded and deduplicated wordlist.

[Image: Hydra username enumeration]
[Image: Hydra result]

We got the username; now we need to find the password, again using Hydra.

[Image: Hydra password enumeration]

For this attack, we use the previously enumerated username and provide the same wordlist to find the valid password.

[Image: Hydra result]
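The Hydra runs above leave a distinctive trace on the server side: many POST requests to wp-login.php from one client in a short window. The following is an added example, not part of the walkthrough, that flags such sources in an Apache/nginx combined-format access log; the log lines are constructed.

```shell
# Added example, not part of the walkthrough: find clients hammering wp-login.php,
# the pattern a Hydra run like the one above leaves in the web server access log.
# Input: Apache/nginx combined-format lines on stdin (constructed sample below).

# Usage: flag_wp_login_bursts [THRESHOLD]
# Prints "ip count" for each client IP whose POST /wp-login.php count reaches
# THRESHOLD (default 10), sorted by IP.
flag_wp_login_bursts() {
    thr="${1:-10}"
    awk -v thr="$thr" '
        # combined format: $1 = client IP, $6 = quoted method, $7 = request path
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' | sort
}

# Constructed sample log: 12 login POSTs from one client within a minute, plus
# a single legitimate login and an unrelated GET from another client.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '10.0.0.5 - - [01/Jan/2021:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '192.168.1.20 - - [01/Jan/2021:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.168.1.20 - - [01/Jan/2021:12:01:05 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.68.0"\n'
}

# Live use: flag_wp_login_bursts 10 < /var/log/apache2/access.log
sample_log | flag_wp_login_bursts 10
```

On the sample it prints `10.0.0.5 12`; the legitimate client stays below the threshold.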

Now we have the password. Let’s log in with those credentials and open the theme editor of the outdated theme. From there we can upload a PHP shell to the target and get a reverse shell.

From the following location, edit the file to use your IP address (Kali Linux) and port.

[Image: edit PHP file]

Once you have changed the IP and port, copy all the content of the .php file and paste it into the WordPress theme editor’s “404 Template”.

[Image: shell upload]
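The theme editor is the step an administrator can take away. Added example, not part of the walkthrough: one check verifies that wp-config.php sets DISALLOW_FILE_EDIT (which removes the theme and plugin editor from wp-admin), and a second lists theme templates that call socket or process-spawning functions, which a pasted PHP reverse shell needs and a normal 404 template does not. Paths and sample files are constructed.

```shell
# Added example, not part of the walkthrough: two checks an administrator can run
# against the theme-editor path used above. DISALLOW_FILE_EDIT removes the editor
# from wp-admin; the scanner lists theme PHP files that call socket or process
# functions. Paths are arguments; the demo tree is constructed.

# Usage: file_edit_disabled WP_CONFIG_PATH
# Returns 0 when wp-config.php defines DISALLOW_FILE_EDIT as true, else 1.
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Usage: scan_theme_templates THEMES_DIR
# Prints "file:line:text" for every PHP file under THEMES_DIR that calls one of
# the listed functions. Review each hit; legitimate themes rarely need them.
scan_theme_templates() {
    find "$1" -type f -name '*.php' -print0 2>/dev/null \
        | xargs -0 grep -En \
            '(^|[^[:alnum:]_])(fsockopen|proc_open|popen|shell_exec|passthru|exec|system)[[:space:]]*\(' \
            /dev/null || true
}

# Builds a constructed WordPress tree in a temp dir and runs both checks on it.
demo_checks() {
    root=$(mktemp -d)
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$root/wp-config.php"
    mkdir -p "$root/wp-content/themes/sample"
    printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/sample/index.php"
    # constructed fixture: a 404 template carrying a socket call, as a pasted shell would
    printf '<?php /* constructed marker */ fsockopen($host, $port); ?>\n' > "$root/wp-content/themes/sample/404.php"
    if file_edit_disabled "$root/wp-config.php"; then
        echo "theme editor disabled: yes"
    else
        echo "theme editor disabled: NO, set DISALLOW_FILE_EDIT in wp-config.php"
    fi
    echo "suspicious template lines: $(scan_theme_templates "$root/wp-content/themes" | wc -l)"
    rm -rf "$root"
}

demo_checks
```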

Once you have saved the update, set up a netcat listener on your machine.

[Image: netcat listener]

Then trigger the shell by visiting the link below.

[Image: shell link]
[Image: shell]

We got the reverse shell. Now we need to upgrade it to an interactive shell.

[Image: interactive shell]

Now we run some commands to find our key, but unfortunately it’s not accessible to us. However, we get a password hash of the “robot” user.

[Image: password hash]

Let’s save it to a file and crack it with the Hashcat tool.

[Image: Hashcat]
[Image: Hashcat result]

We got the password of the robot user; let’s log in as that user and extract key 2.

[Image: login]
[Image: Key 2 of 3]

Now we need to collect the last key. For that we probably need to escalate the privileges of the current user to root. We can start by finding files with the SUID bit set.

[Image: SUID files]

Out of all the executables, there’s one that shouldn't be there: nmap. If we check its version, it’s outdated.
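The same SUID listing is the defender's early-warning signal. Added example, not part of the walkthrough: a host's SUID-root binaries are compared with a recorded baseline and anything extra is reported; the baseline and the stray /usr/local/bin/nmap below are constructed.

```shell
# Added example, not part of the walkthrough: the defender's side of the SUID
# check above. A host's SUID-root binaries are compared with a recorded baseline
# and anything extra (here a constructed /usr/local/bin/nmap) is reported.

# Prints SUID-root regular files on the live system, one path per line.
list_suid_root() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null | LC_ALL=C sort -u
}

# Usage: unexpected_suid BASELINE_FILE CURRENT_FILE
# Prints every path in CURRENT_FILE that is not in BASELINE_FILE.
unexpected_suid() {
    b=$(mktemp)
    c=$(mktemp)
    LC_ALL=C sort -u "$1" > "$b"
    LC_ALL=C sort -u "$2" > "$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed baseline: a minimal set of SUID binaries normal on a Linux host.
sample_baseline() {
    printf '%s\n' /bin/mount /bin/ping /bin/su /bin/umount /usr/bin/passwd /usr/bin/sudo
}

# Constructed current state: the baseline plus a stray SUID nmap.
sample_current() {
    sample_baseline
    printf '%s\n' /usr/local/bin/nmap
}

# Runs the comparison on the constructed lists; prints /usr/local/bin/nmap.
demo_suid_diff() {
    base=$(mktemp)
    cur=$(mktemp)
    sample_baseline > "$base"
    sample_current > "$cur"
    unexpected_suid "$base" "$cur"
    rm -f "$base" "$cur"
}

# Live use, after recording a baseline once with: list_suid_root > /var/lib/suid.baseline
#   list_suid_root > /tmp/suid.now && unexpected_suid /var/lib/suid.baseline /tmp/suid.now
demo_suid_diff
```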

[Image: Nmap version]

From GTFOBins, I got the trick to escalate privileges using nmap.

[Image: nmap entry on GTFOBins]
[Image: Key 3 of 3]

Now we have collected all three keys from the target machine.
