TryHackMe — Mr. Robot WalkThrough

Source — Kaspersky

This is a practical walkthrough of “Mr. Robot CTF” from TryHackMe. Credit goes to Leon Johnson for creating this machine. The room covers initial enumeration, exploitation and privilege escalation.

Passwords, hashes and flags will be redacted to encourage you to solve those parts of the challenge on your own.

First Things First

Deploy the target machine (it might take up to 3–5 minutes to boot and become accessible).
There are two ways to access the deployed target machine.
1) Use the attack box: provided by TryHackMe, it comes with all the tools required for attacking.
2) Use the OpenVPN configuration file to connect your own machine (Kali Linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge.

All of my further commands will be executed as a normal user, not as root. So if you are also not running commands as root, make sure to prefix the ones that need elevated permissions with sudo.

There are 3 keys to collect to complete this room.

Enumeration

We kick off this room by enumerating the IP address provided to us with Nmap.

Nmap Result

We have two open ports, both belonging to web services. We can enumerate further with a version and script scan, but unfortunately that yields no fruitful results.

If we visit the HTTP service running on the target machine, we get the result below. We can interact with it by typing the options, but I didn't get any information out of any of them.

HTTP

Let’s run GoBuster to find directories on that HTTP service.

GoBuster is a tool used to brute-force URIs, DNS subdomains, virtual hosts and S3 buckets.

I am running it with the common wordlist and 50 threads.

GoBuster

We get a lot of directory names; some redirect and some are forbidden.

GoBuster Result

By looking at the result, we can say that the target HTTP server is probably running WordPress.

I am more intrigued by the login and robots.txt entries. Let’s visit robots.txt.

Robots.txt

Alright, I think we got our first key of 3 and a .dic (wordlist) file. Let’s view the key using the curl command.

Key 1 of 3

Let’s download the fsocity.dic file and save it on our local machine.

fsocity.dic
fsocity File Size

The file size is 7 MB, so it must be a huge list. With the wc command we can get the number of words.

wc result

It’s a huge list, and if you go through it you’ll see that it contains many duplicate words. We need to reduce it to unique words only.

Sort Unique Words
wc unique result

As you can see from the previous result, 98% of the original file was repeated words. Now we have a unique wordlist, which we can use in the next enumeration step.
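The deduplication step above, as an added example that is not part of the original post: it removes repeats in one pass while keeping the first occurrence of each word in place (sort -u would reorder the list), and reports how much of the file was duplicates. The sample file is constructed; fsocity.dic itself is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): deduplicate a one-word-per-line
# wordlist such as fsocity.dic and report total, unique and percent duplicated.

# dedupe_wordlist IN OUT -> writes unique lines to OUT, prints "total unique pct_dup"
dedupe_wordlist() {
    in="$1"; out="$2"
    # awk '!seen[$0]++' keeps only the first copy of each line, in original order.
    awk '!seen[$0]++' "$in" > "$out"
    total=$(wc -l < "$in" | tr -d ' ')
    unique=$(wc -l < "$out" | tr -d ' ')
    pct=$(( (total - unique) * 100 / total ))
    echo "$total $unique $pct"
}

# Constructed sample standing in for fsocity.dic: 10 lines, only 3 distinct words.
sample=$(mktemp)
printf 'true\nfalse\ntrue\nwordpress\ntrue\nfalse\ntrue\nwordpress\ntrue\ntrue\n' > "$sample"
dedupe_wordlist "$sample" "$sample.uniq"
# prints: 10 3 70
```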

Now let’s visit /wp-login and find out whether it’s a WordPress site or something else.

Login

As you can see, it is indeed a WordPress site. Let’s run the WPScan tool to find out more about the WordPress installation.

WPScan

From the result, below is the version information.

WPScan Result — Version

An outdated theme is running on WordPress.

WPScan Result — Theme

No users were found on WordPress.

WPScan Result — No Users

So basically we haven’t got much information other than an outdated WordPress theme. To break into WordPress we need valid credentials.

Let’s find a valid username by performing a wordlist attack on the login page. We can do this with the Hydra tool, but first we need to capture the login request with Burp Suite.

Burp Request

Now we use the captured request to enumerate the username with the recently downloaded and deduplicated wordlist.

Hydra Username Enumeration

Note: you have to give the right wordlist to enumerate the username and put in a random password. The WordPress login page answers an unknown username differently from a wrong password for a known one, which is what lets Hydra tell the two apart.

Hydra Result

We got the username; now we need to crack the password using Hydra.

Hydra Password Enumeration

For this attack, we use the previously enumerated username and provide the same wordlist to find the valid password.

Hydra Result
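The two Hydra runs above look very different from normal traffic on the server side. As an added example (not part of the original post), this counts POST requests to wp-login.php per client IP in an Apache combined-format access log and reports any IP over a threshold; the log lines, IPs and threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): spot a wp-login.php password
# spray in an access log by counting POSTs per source IP.

# flag_login_bruteforce LOGFILE THRESHOLD -> prints "ip count" for offenders
flag_login_bruteforce() {
    awk -v limit="$2" '
        # $1 = client IP, $6 = method with its leading quote, $7 = request path
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= limit) print ip, hits[ip]
        }' "$1" | sort
}

# Constructed log: one host hammering the login form, two ordinary visitors.
log=$(mktemp)
cat > "$log" <<'EOF'
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/4.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/4.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/4.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.30 - - [01/Jan/2024:10:00:10 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.88"
EOF
flag_login_bruteforce "$log" 3
# prints: 10.10.14.5 4
```

A real detection would also bucket by time window and watch for the same IP cycling many usernames, but the per-IP count alone already separates Hydra from a user mistyping a password.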

Now we have the password. Let’s log in with those credentials and open the editor of the outdated theme. From there we can upload our PHP shell to the target and get a reverse shell.

From the following location, edit the file to use your own IP address (Kali Linux) and port.

Edit PHP File

Once you have changed the IP and port, copy all the content of the .php file and paste it into the WordPress theme editor under “404 Template”.

Shell Upload
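The theme editor that made the upload above possible can be switched off in wp-config.php with the DISALLOW_FILE_EDIT constant (DISALLOW_FILE_MODS additionally blocks plugin and theme installs and updates). As an added example that is not part of the original post, this checks a wp-config.php for an active, uncommented define of either constant; the two config fragments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a WordPress install
# has the file editor disabled so the theme editor cannot be used to plant code.

# wp_constant_true WPCONFIG NAME -> exit 0 if "define('NAME', true)" is set
# on an uncommented line, 1 otherwise.
wp_constant_true() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# wp_editor_status WPCONFIG -> prints "disabled" or "ENABLED"
wp_editor_status() {
    if wp_constant_true "$1" DISALLOW_FILE_EDIT || wp_constant_true "$1" DISALLOW_FILE_MODS; then
        echo disabled
    else
        echo ENABLED
    fi
}

# Constructed fragments standing in for two wp-config.php files.
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
define( 'DB_NAME', 'wordpress' );
// define( 'DISALLOW_FILE_EDIT', true );   // commented out, so it does nothing
EOF
cat > "$hardened" <<'EOF'
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
EOF
wp_editor_status "$weak"       # prints: ENABLED
wp_editor_status "$hardened"   # prints: disabled
```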

Once you have saved the template, set up a netcat listener on your machine.

netcat listener

Then trigger the shell by visiting the link below.

Shell Link
Shell

We got the reverse shell. Now we need to upgrade it to an interactive shell.

Interactive Shell

Now we run some commands to find our key, but unfortunately it’s not accessible to us. However, we got a password hash of the “Robot” user.

Password Hash

Let’s save it in a file and crack it with the Hashcat tool.

HashCat
HashCat Result

We got the password of the robot user; let’s log in and extract key 2.

Login
Key 2 of 3

Now we need to collect the last key. For that we probably need to escalate the privileges of the current user to root. We can start by finding files with the SUID permission bit set.

SUID Files

Out of all the executables, there’s one that shouldn't be there: nmap. If we check the version, it’s outdated.

Nmap Version

From GTFOBins, I got the trick to escalate the privileges using nmap.

Nmap — GTFOBins
Key 3 of 3
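The SUID hunt above is exactly what a host audit should run before an attacker does. As an added example (not part of the original post), this lists setuid binaries under a root directory and reports any whose name is not on an allowlist, so a stray setuid nmap stands out; the sample tree and the allowlist are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag setuid binaries that are not
# on an expected-binaries allowlist. Run against / on a real host as root.

# audit_suid ROOT ALLOWLIST_FILE -> prints unexpected setuid files, one per line
audit_suid() {
    # -perm -4000 matches files with the setuid bit regardless of other mode bits.
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        grep -qx "$(basename "$f")" "$2" || echo "$f"
    done | sort
}

# Constructed sample tree standing in for the target's filesystem.
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/usr/local/bin"
: > "$root/bin/su"; : > "$root/bin/passwd"; : > "$root/bin/ls"
: > "$root/usr/local/bin/nmap"
chmod u+s "$root/bin/su" "$root/bin/passwd" "$root/usr/local/bin/nmap"

# Allowlist of binaries that are legitimately setuid on this (constructed) baseline.
allow=$(mktemp)
printf 'su\npasswd\nsudo\nmount\numount\n' > "$allow"

audit_suid "$root" "$allow"
# prints: <tmpdir>/usr/local/bin/nmap
```

Diffing this output against a known-good baseline on each run turns a one-off check into a detection for newly added setuid files.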

Now we have collected all three keys from the target machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.