Mr Robot CTF Room: A TryHackMe 101 Walkthrough

Sarmad Khursheed
10 min readMar 10, 2024


Mr Robot CTF

Introduction:

Hey cyber adventurers! Get ready for an exciting journey in the Mr Robot CTF room on the TryHackMe platform. The difficulty level is set at Medium this time, offering a challenge that’s just right for those looking to improve their skills.

Tools Used:

The Mr Robot CTF room utilizes three essential tools for penetration testing:

  1. Nmap: A powerful network scanning tool that helps identify open ports, services, and vulnerabilities on a target machine.
  2. FFUF: A powerful open-source web fuzzing tool designed for the rapid discovery of hidden files and directories on web servers through customizable wordlists and filtering options.
  3. Netcat: A versatile utility for TCP/UDP data transfer, vital for tasks like port scanning, banner grabbing, and network troubleshooting in penetration testing and management.

Our Goal:

Your goal is to find three hidden keys tucked away somewhere in the system. Use your skills to solve digital puzzles and showcase your ability to conquer this cybersecurity challenge. So, buckle up, and let’s dive into the world of ethical hacking!

Step 1: Connecting With TryHackMe VPN


Before starting, ensure your TryHackMe VPN is connected and working. If you need assistance with the VPN connection, refer to this article.

Step 2: Launch the Machine


Start the machine provided in the room and let it run for 3–4 minutes before proceeding. A box will then appear indicating that the machine is running, together with the IP address of the newly deployed machine.


Step 3: Ping the Machine


Ensure the machine is responsive by pinging it using the terminal of your Kali Linux machine.

Use the command: ping <Machine_IP>.

example:-

ping 10.10.217.185

If successful, proceed to the next step.

Step 4: Port Scanning with Nmap


Perform a thorough port scan using Nmap with the command: nmap -sV -p- -v <Machine_IP>.

example:-

nmap -sV -p- -v 10.10.217.185

Be patient, as a full port scan can take some time. The flags serve the following purposes:

  • -v: Increase verbosity.
  • -sV: Service version detection.
  • -p-: Scan all ports.

Step 5: Analyzing Open Ports


We can now see the open ports and the services behind them. Port 22 is open with SSH, but without credentials it offers little to work with, so our focus shifts to port 80, where an HTTP service is running and looks like the most promising entry point.

Step 6: Accessing The Website

Access the web interface of port 80 in your browser using the URL format http://<Machine_IP>:80.

example:-

http://10.10.217.185:80

Step 7: Observing Website Functionality


Upon loading the website in our browser, as in the preceding step, we encounter a visually appealing interface with animations and elaborate effects. The website presents a series of commands, including “prepare,” “fsociety,” and “inform,” among others.


Entering these commands via the keyboard navigates us to distinct pages within the website. Notably, each page possesses a unique endpoint; for instance, entering the “inform” command redirects us to the http://10.10.217.185/inform page. This pattern persists for all other available options.


However, despite a thorough exploration of all pages, we have yet to discover any substantial or useful information.

Step 8: Directory Busting with ffuf


In this step, we conduct directory busting on the website using the ffuf tool with the dirbuster medium wordlist, via the following command:

ffuf -u http://10.10.217.185/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

Be patient, as this may take some time. The flags serve the following purposes:

  • -u http://10.10.217.185/FUZZ: Target URL for directory busting, using "FUZZ" as a placeholder for items from the wordlist.
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Wordlist file path for directory busting.
  • -c: Colorized output, which makes the results easier to read.

The outcomes of this directory busting will be analyzed in the subsequent steps.

Step 9: Analyzing ffuf Output


Upon executing the ffuf directory busting command, carefully examine the output to identify any discovered directories or files. Notably, directories with a status of 200 are highlighted in green for easy recognition. Proceed by checking these directories, using them as endpoints in the URL.


For instance, the first directory we inspect is “readme” at http://10.10.217.185/readme. This leads us to a page with the message “I like where your head is at. However, I’m not going to help you.” As we continue our search, we explore other directories listed by ffuf.

Step 10: Locating the First Key Flag


Continuing our exploration, a new directory named “robots” was discovered through ffuf. Upon accessing this directory, we encounter a page displaying the following message:

User-agent: *

fsocity.dic

key-1-of-3.txt


Notably, the presence of “key-1-of-3.txt” is observed. Navigating to this link, http://10.10.217.185/robots/key-1-of-3.txt, yields the first key flag.


Step 11: Examining fsocity.dic


Upon investigating the “robots” directory, we identified the “fsocity.dic” file. Accessing this file downloads “fsocity.dic” to our local machine.


Inspecting the contents of “fsocity.dic” reveals a large wordlist with numerous entries. This file may prove valuable for further analysis.

Step 12: Directory Busting with fsocity.dic


To leverage the recently discovered “fsocity.dic” file for directory busting, we employ the ffuf tool with the following command:

ffuf -u http://10.10.217.185/FUZZ -w /home/kali/Downloads/fsocity.dic -c

This command directs ffuf to use the “fsocity.dic” file as the wordlist for directory busting on the specified target URL. The -c flag is included to enable color highlighting for enhanced visibility of results. Subsequent steps will provide insights into the outcomes of this directory-busting operation.

Step 13: Reviewing Results from fsocity.dic Directory Busting


Following the directory busting operation using the “fsocity.dic” file, a new directory, namely “license,” has been uncovered.


Upon accessing this directory, an extensive page is revealed. Towards the end of the page, a base64 encoded text is discovered: “ZWxsaW90OkVSMjgtMDY1Mgo=”.


Decoding this text using a tool like CyberChef reveals a username and password: “elliot:ER28-0652”. This credential set lets us log in to the website and potentially gain further access.

Step 14: Logging into the Website


Upon discovering the “wp-login” directory during directory busting, indicating a WordPress website, we accessed the login page at http://10.10.217.185/wp-admin.


Using the previously obtained credentials (“elliot:ER28-0652”), we successfully logged into the website. The logged-in session reveals that the user is Elliot Alderson, with access to various functionalities, including the ability to upload new plugins or themes.

This access opens up possibilities for further exploitation in subsequent steps.

Step 15: Obtaining a Reverse Shell from the Website

Given the ability to upload themes or plugins to the website, a reverse shell can be obtained using the Pentestmonkey reverse shell PHP script. Download the script from this link.


Before uploading the PHP script, edit the section marked //Change This in the script: set the IP address to your own (such as your TryHackMe VPN IP) and set the port to 1234.


In a new terminal, start a listener by executing the following netcat command:

nc -nvlp 1234

With the listener ready, upload the modified PHP script to the website via the “Add New” option under the Plugins section.


Upon uploading the PHP file, you might observe an error without any apparent execution.


However, you can access the uploaded file by navigating to the library page under the Media tab.


Locate the file and open it in a new tab. This action triggers the reverse shell, and you should see a connection on your Netcat listener.


This established reverse shell provides a gateway for further exploration and exploitation in the subsequent steps.

Step 16: Making the Shell Interactive and Navigating the Machine


To make the shell interactive for improved navigation, execute the following commands sequentially:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo

These commands spawn a proper pseudo-terminal and turn the raw connection into an interactive shell, which makes navigating the system much easier. In the next step, we explore the machine further and locate the second key flag.

Step 17: Retrieving the Second Key Flag


In this step, we navigate to the /home/robot directory, identifying crucial files such as key-2-of-3.txt and password.raw-md5. Attempting to open key-2-of-3.txt results in a "permission denied" error, prompting a focus shift to the password.raw-md5 file.


Upon inspecting the contents of password.raw-md5, we uncover a hash string: "robot:c3fcd3d76192e4007dfb496cca67e13b." The hash is successfully cracked using an online tool, revealing the password as "abcdefghijklmnopqrstuvwxyz."
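The hash above is the unsalted MD5 of a dictionary string, which is why a lookup recovers it instantly. As an added example (not part of the original walkthrough), this Python script confirms that offline against the page’s hash using a constructed candidate list, and shows the salted, iterated PBKDF2 storage that would have made the same file far less useful:

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hash and cleartext as stated in the walkthrough's password.raw-md5 file.
ROBOT_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"
# Constructed stand-in for a wordlist such as fsocity.dic.
CANDIDATES = ["password", "robot", "fsociety", "abcdefghijklmnopqrstuvwxyz"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def find_md5_preimage(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose unsalted MD5 equals target_hex, if any.
    With no salt, one precomputed table answers this for every user at once,
    which is why the online lookup in the walkthrough works instantly."""
    for word in candidates:
        if hmac.compare_digest(md5_hex(word), target_hex):
            return word
    return None


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  rounds: int = 600_000) -> str:
    """Store a salted, iterated hash instead, as 'salthex$rounds$dkhex'.
    A fresh random salt per user defeats precomputed tables, and the
    iteration count makes each guess cost real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    salt_hex, rounds, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("MD5 preimage:", find_md5_preimage(ROBOT_MD5, CANDIDATES))
    rec = pbkdf2_record("abcdefghijklmnopqrstuvwxyz")
    print("PBKDF2 record:", rec)
    print("verify:", pbkdf2_verify("abcdefghijklmnopqrstuvwxyz", rec))
```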


With the cracked password, we execute a user switch to “robot” using the su robot command, gaining the necessary permissions to access the key-2-of-3.txt file. Returning to the /home/robot directory, the cat command is used to open and retrieve the content of “key-2-of-3.txt,” yielding the second key flag associated with the user "robot."

Step 18: Privilege Escalation and Retrieving the Final Key Flag


To attain root privileges and retrieve the final key flag, we employ privilege escalation techniques. First, we identify potential SUID binaries using the following command:

find / -type f -perm -04000 -ls 2>/dev/null

The output shows that the nmap binary is SUID, and GTFOBins documents a technique for exactly this case. Leveraging it, we gain a root shell with the following commands:

nmap --interactive
nmap> !sh
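The find command above lists every setuid file; the defender’s counterpart is the same enumeration compared against a baseline, so an unexpected setuid binary such as nmap stands out in an audit. The following Python audit is an added example, not part of the original walkthrough; the baseline set and the throwaway directory it builds are constructed assumptions:

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Constructed baseline (an assumption, adjust per distro): setuid binaries a
# stock Linux install is expected to carry. Anything else, like nmap in this
# room, is a finding.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "ping", "chsh", "newgrp"}


def find_suid_files(root: str) -> List[str]:
    """Return regular files under root with the setuid bit set: the same
    population that `find / -type f -perm -04000` lists, skipping entries
    that cannot be stat'ed (the role of 2>/dev/null in the walkthrough)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths: Iterable[str], expected=EXPECTED_SUID) -> List[str]:
    """Setuid files whose basename is not on the baseline; each one deserves a
    `chmod u-s` unless there is a documented reason for the bit."""
    return [p for p in paths if os.path.basename(p) not in expected]


def demo_on_constructed_tree() -> List[str]:
    """Build a throwaway directory with constructed files (setuid nmap and
    passwd, plus a plain file) and return the basenames the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("plain", 0o755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(p) for p in unexpected_suid(find_suid_files(root))]


if __name__ == "__main__":
    print("flagged in demo tree:", demo_on_constructed_tree())
    for p in unexpected_suid(find_suid_files("/usr")):
        print("unexpected setuid binary:", p)
```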

After executing these commands, we navigate to the root directory, where we discover the file key-3-of-3.txt. Using the cat command to open and retrieve the content of this file, we obtain the third and final key flag, completing the penetration testing process.

Conclusion:

This room provided a hands-on journey in penetration testing, covering Nmap reconnaissance, WordPress exploitation, and privilege escalation. Key takeaways include overcoming permission barriers, deciphering hashed passwords, and exploiting Nmap’s SUID binary for root access. The exercise highlighted ethical hacking practices, responsible disclosure, and the importance of adapting to evolving cybersecurity landscapes. Overall, it offered valuable insights into reconnaissance, exploitation, and post-exploitation activities.

If you found this article insightful and informative, please consider following for more in-depth explorations and analyses in the realm of cybersecurity. Your support is greatly appreciated!


Written by Sarmad Khursheed

Cybersecurity Analyst | Web & Network Security | Developer | Penetration Tester | Vulnerability Hunter
