CTF – Mr Robot

Based on the show Mr. Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively more difficult to find. There isn’t any advanced exploitation or reverse engineering. The level is considered intermediate.

My Setup

VM Image at https://www.vulnhub.com/entry/mr-robot-1,151/

My Hints

  • What does BurpSuite show?
  • There are 2 ways to get credentials for the WP login, found them yet?
  • What exploit can you run on WP to get a shell if you have the admin credentials?
  • Once you have a half ass shell, what can you type to create a limited shell so su can be run?
  • What “Advanced Linux File Permissions” are used? any programs here of interest? Anything you can run, then break out of?

My Solution

A quick nmap ping scan to find the target

Then a more detailed scan to see what’s open

Starting with HTTP, we set up Burp Suite, add the target to scope and spider it. A fancy page loads, with some videos and pictures depending on the option selected. The last option, join, prompts you for your email address and appears to submit something – may come back to this.

Flag 1 of 3

Found in Burp Suite: the (Mr) robots.txt file leads us to the first key. We also see some common WordPress folders and a file at http://192.168.56.104/fsocity.dic which we download; it appears to be a user / password list.

We find the first key – almost too easy.

Flag 2 of 3

We use nikto to enumerate the website a bit more.

*** Lesson learned – the Kali built-in tool dirb could also have helped here; it brute forces directory names on the web server: dirb http://192.168.56.104

While looking, a few motivational comments are found…

This was sneaky. Initially I read the first line and moved on.

But when rechecking later on (after 19+ hours of brute forcing and getting the same credentials) you see the scroll bar; there is room to move down. It also shows “do you want a password or something?” and eventually “ZWxsaW90OkVSMjgtMDY1Mgo=”. Thank you Over the Wire Wargames, we know this might be base64 encoded. Lesson learnt – always more enumeration.

Trying to view /admin/index.html appears to keep looping/refreshing. Looking at the source code, shows nothing of importance.

Trying http://192.168.56.104/wp-links-opml.php we find the WordPress version, 4.3.1

As WordPress is running (/wp-login) I fire up wpscan. This confirms the version and finds a truckload of vulnerabilities. I try to enumerate usernames with this, but keep getting “this is not a wordpress site” so move on.

While I research some of the vulnerabilities found, I kick off a Hydra scan. I’m assuming the fsocity.dic word list found earlier will contain either usernames or passwords. Let’s try to find the username first.

Navigating to the http://192.168.56.104/wp-login.php page we enter in “admin” for the username, and “password” for the password. But not hitting Log in just yet.

Switching back to Burp Suite on the Intercept tab, we turn Intercept on – ready to capture the login traffic. This will allow us to step-by-step capture and forward data from Burp Suite to the Mr Robot webpage. When ready we hit “Log In” on the webpage, then press forward a few times in Burp Suite, until we see the details below. The details we are interested in:

  1. HTTP type (post)
  2. URL login page
  3. The username field – where “admin” was entered
  4. The password field – where “password” was entered
  5. The post string

Pressing forward again brings us to the next page, where we get the error message for our unsuccessful login. Note the error message “Invalid username”. We will need this so Hydra knows what a failed login attempt looks like.

Now onto Hydra we RTFM and build our command. Also had to check Hydra Website for http-post-form syntax.

hydra -L /root/Downloads/fsocity.dic -p password 192.168.56.104 -s 80 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.104%2Fwp-admin%2F&testcookie=1:F=Invalid username"

  • -L /root/Downloads/fsocity.dic – sets the word list to use for usernames
  • -p password – sets a single password (use -P for a list)
  • 192.168.56.104 -s 80 – the site’s IP and port number
  • http-post-form – the service type we are attacking
  • /wp-login.php – the page where we want to try the logins
  • :log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.104%2Fwp-admin%2F&testcookie=1: – the HTTP post string. Note we use ^USER^ and ^PASS^ where we want Hydra to substitute in usernames and passwords. The whole form argument is quoted so the shell doesn’t treat the & characters as job control.
  • F=Invalid username – finally tells Hydra what a failed (F) page looks like. You can also specify success (S) instead.
  • (optionally) you can add -V at the end to see every combination attempted.

Less than a minute in we find a match. This confirms a valid username is “Elliot” – but of course it is.

When we now try to log in with Elliot we get a different error message.

Tweaking our command a bit, we now try all the passwords in the word list with username Elliot and update the expected failed message.

hydra -l Elliot -P /root/Downloads/fsocity.dic 192.168.56.104 -s 80 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.104%2Fwp-admin%2F&testcookie=1:F=password you entered"

This took much longer to break. Initially, while waiting for Hydra, I tried a few educated password guesses from the wordlist – Edward (dad), Alderson (last name), Magda (mum), Darlene (sister), MrRobot – using cat fsocity.dic | grep -i "edward". After 19 hours, it was the 10th last password in the list.

*** Alternatively we could have paid more attention and found the credentials at http://192.168.56.104/license.txt

*** Another lesson learned would be to check whether the wordlist contains duplicate entries and write the unique ones to a new file: sort fsocity.dic | uniq > fsocity.dic2. Now if you count the entries, sort fsocity.dic2 | uniq | wc -l, it’s only 11451.
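The Hydra runs above leave a very recognisable trace on the server side: hundreds of POST requests to /wp-login.php from one source in a short time, each answered with the login form again (HTTP 200 with the error text), whereas a real login is answered with a 302 redirect to wp-admin. As an added example (not code from the original post), here is a small detector for that pattern over Apache combined-format access-log lines. The log format is assumed to be the default combined format; the sample lines, IPs and User-Agent strings are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line (assumed format; the sample lines below
# are constructed for this demo, not copied from the VM).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_log(lines):
    """Yield (ip, timestamp, method, path, status) for every parseable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bruteforce(lines, login_path="/wp-login.php",
                            threshold=20, window=timedelta(minutes=1)):
    """Return {ip: peak_attempts} for every source that POSTed to login_path at
    least `threshold` times inside some sliding window of length `window`.

    Failed WordPress logins come back as HTTP 200 (the form is re-rendered with
    the error text), so the status code alone does not separate a failed login
    from a normal page load; the rate of POSTs does.
    """
    per_ip = defaultdict(list)
    for ip, ts, method, path, _status in parse_access_log(lines):
        if method == "POST" and path.split("?", 1)[0] == login_path:
            per_ip[ip].append(ts)

    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def sample_log():
    """Constructed sample: one source replaying the wp-login.php POST 30 times
    in 30 seconds, plus an ordinary visitor (one GET and one real login)."""
    base = datetime(2016, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'192.168.56.101 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0 (Hydra)"')
    ts = base.strftime(fmt)
    lines.append(f'192.168.56.50 - - [{ts}] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"')
    lines.append(f'192.168.56.50 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(sample_log()).items():
        print(f"{ip}: {n} login POSTs within one minute")
```

Run it against a real access log with `detect_login_bruteforce(open("access.log"))`; the threshold and window are the knobs to tune for a given site, and the same shape of rule is what a fail2ban filter or a SIEM correlation search would implement.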

Next we log in to the WordPress site and have a look around.

In the user settings under krista gordon, the biographical info hints at another key.

Under media http://192.168.56.104/wp-admin/upload.php?item=24 there is an image with some code in the back which matches Krista Gordon’s username and a potential password.

Tried resetting the password and logging on as Krista. Tried Krista’s/Elliot’s email in the “/join” webpage. Checked Wireshark for any weird traffic. Looked on the wiki page under Krista’s profile. Checked page source on the profile.php page.

Eventually started searching for a way to leverage the wp admin credentials to somehow get a shell. Fired up metasploit and did a search for any wordpress exploits with “shell” in the module name. search wordpress name:shell. Found 3 to start with.

Starting with the first one use exploit/unix/webapp/wp_admin_shell_upload, options are set eg: setg RPORT 80 (note setg is set global, so you don’t have to keep manually using set for each exploit attempt).

The exploit appears to complete successfully but I receive an error when trying to run it. A bit of googling and it appears we need to use set target 0. I also found this exploit does not require a manually set payload, e.g. a reverse shell.

We try again, only to be told the site is apparently not running WordPress.

Fiddling around for a while trying different options, I decide to move onto the other 2 exploits but have no luck there either – “failed to upload exploits”. I eventually come back to wp_admin_shell_upload and give it another crack.

The script is failing because it does not think WordPress is running, but as I am staring at the console of the wp admin page we know otherwise. Maybe there is a way to improve the script or just disable this check and see if we can proceed?

To understand how this is actually working we do some googling and find the code for the exploit.

This is calling a built in library wordpress_and_online to do the actual check. Looks like it checks for a few pages.

Let’s try commenting this part out. Navigate to where Metasploit keeps its exploits, /usr/share/metasploit-framework/modules/exploits/unix/webapp. A quick check confirms this is the right file.

Open it in vim and, as it’s written in Ruby, comment this line out with a #. Save and exit.

Reload modules with reload and set LHOST to your Kali IP, otherwise it defaults to localhost. Now we try again, and… get a meterpreter shell!

Get our bearings

Now we have a look around. First we see what users are on this box by checking /etc/passwd.

Not important but in the /opt/bitnami/apps/wordpress/htdocs folder we find a web file we missed.

If the first key is named “key-1-of-3.txt” maybe we can find the other 2. I tried searching for “key” first but found too many matches. Searching for “of-3” shows 2 keys. One we’ve already found. Note the 2>&1 merges the “permission denied” errors into the pipe, so grep drops them instead of them cluttering the terminal.

find / 2>&1 | grep -i "of-3"

We navigate to /home/robot and see what files are in there. First off we don’t have access to read the key file but there is another file there we can read.

It contains an MD5 hash, robot:c3fcd3d76192e4007dfb496cca67e13b. Entering this in a website cracks it instantly, but for educational purposes I also run it through hashcat. I try running this against the fsocity.dic and rockyou.txt files in hashcat and get a hit with rockyou. Note -a 0 is attack mode straight, -m 0 is for hash type MD5, --username ignores the username in the hash and --force is because Kali is running in a VM and was throwing some CPU errors.

hashcat -a 0 -m 0 robot:c3fcd3d76192e4007dfb496cca67e13b /usr/share/wordlists/rockyou.txt --username --force
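Why the hash fell so quickly, and what would have made it resistant: the file stores an unsalted MD5, so one MD5 call per wordlist entry is all a straight (-a 0, -m 0) attack costs. The block below, an added example rather than code from the original post, mirrors that check in a few lines and then shows the same password stored with a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256), which is what a defender should expect in any credential file. The hash line is the one from /home/robot on the page; the wordlist is a constructed stand-in whose third entry is the RFC 1321 MD5 test string, not a line taken from rockyou.txt.

```python
import hashlib
import hmac
import os

# The credential line from /home/robot in the write-up, in the "user:hash"
# layout that hashcat's --username option expects.
HASH_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed stand-in for a wordlist; the third entry is the RFC 1321 MD5
# test string, not something copied from rockyou.txt.
WORDLIST = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "letmein"]


def split_username(line):
    """What --username does: separate the 'user:' prefix from the digest."""
    user, _, digest = line.partition(":")
    return user, digest.strip().lower()


def md5_wordlist_check(digest, candidates):
    """hashcat -a 0 -m 0 in miniature: unsalted MD5 of each candidate compared
    with the stored digest; returns the matching word or None. One cheap hash
    per guess, and no salt, so the same work recovers every user with the same
    password at once."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """How the same password should have been stored: random per-user salt and
    a deliberately slow iterated hash. Stored as algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Constant-time verification against a pbkdf2_hash() string."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    user, digest = split_username(HASH_LINE)
    print(user, "->", md5_wordlist_check(digest, WORDLIST))
    stored = pbkdf2_hash("correct horse battery staple")
    print(pbkdf2_verify("correct horse battery staple", stored),
          pbkdf2_verify("wrong guess", stored))
```

With PBKDF2 at 600,000 iterations each guess costs that many HMAC computations instead of one MD5, and the per-user salt means a cracked hash says nothing about any other account; rockyou.txt still finds a weak password eventually, but at a rate that turns seconds into a very long wait and is no help against the rest of the user table.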

Now we have some credentials, let’s find a way to log in. However when we try to spawn a shell via meterpreter, it’s limited and won’t let us use the su command. Checking some common escalation techniques, we eventually find a way in with some shell wizardry, a Python one-liner.

python -c 'import pty; pty.spawn("/bin/sh")'

See links below for alternative methods:

One more flag to go!

Flag 3 of 3

I try to do a search for accessible flags, no new ones. Assume last flag is at /root. Don’t have access to root folder. Don’t have sudo privileges (sudo -l), can’t read /etc/sudoers. I try a few local exploits based off (cat /proc/version and uname -a) but have no luck – using searchsploit and www.exploit-db.com

I also try exploring Apache and MySQL further for details and possible exploits, but no luck. Also try investigating open local ports.

I find a great enumeration & privilege escalation checker script. To get it on the box, I use meterpreter to upload it to a temp directory (mktemp -d) I created under robot, change the permissions of the folder (chmod 777 dir), make the python script executable (chmod +x file) and then run it (python file).

I sift through the results over a few days and eventually call it quits. Unfortunately I miss that one of the programs running as root is nmap, and apparently this old version has an interactive mode in which shell commands can be run.

I was new to abusing SUID so did some more research:

Confirmed by the help.

Once in interactive mode, h for help shows we can run a shell command with ! <command>

Sure enough, spawning a new shell runs as root.

Which then lets us into /root to find the final flag.
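The root of this last step is a file-permission issue rather than a software bug: a setuid-root binary that can hand its caller a shell. From the defender’s side the check is to inventory SUID files and compare them with what the distribution is expected to ship. As an added example (not the author’s script or any tool named on the page), the block below does that inventory in Python with the same test as `find / -perm -4000 -type f`, flags anything outside a baseline, and annotates nmap with the interactive-mode behaviour described above. The baseline set is a constructed illustration; real baselines come from the package manager of the host being audited.

```python
import os
import stat
import tempfile

# Constructed illustration of an expected-SUID baseline; on a real host derive
# this from the installed packages rather than hard-coding it.
BASELINE_SUID = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo", "/bin/ping"}

# Binaries whose normal function includes running other commands, so a
# setuid-root copy is a shell waiting to happen (nmap's case is on this page).
SHELL_CAPABLE = {"nmap": "interactive mode runs shell commands with !"}

PSEUDO_FS = ("/proc", "/sys", "/dev")


def find_suid(root="/"):
    """Return the sorted paths of regular files under `root` with the setuid
    bit set, i.e. what `find ROOT -perm -4000 -type f` reports."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Don't descend into pseudo-filesystems when auditing from /.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(paths, baseline=BASELINE_SUID):
    """Return (path, note) pairs for SUID files not in the baseline; the note
    is non-empty when the binary is known to be able to spawn a shell."""
    report = []
    for path in paths:
        if path in baseline:
            continue
        report.append((path, SHELL_CAPABLE.get(os.path.basename(path), "")))
    return report


def demo_in_tempdir():
    """Constructed demo: create a throwaway file with the setuid bit set and
    confirm find_suid() reports it, without walking the real filesystem."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "fake-suid")
    with open(path, "w"):
        pass
    os.chmod(path, 0o4755)          # rwsr-xr-x, owner is the current user
    found = find_suid(tmp)
    os.remove(path)
    os.rmdir(tmp)
    return found == [path]


if __name__ == "__main__":
    for path, note in unexpected_suid(find_suid("/")):
        print(f"{path}  {note}".rstrip())
```

Running it as a cron job and diffing the output against the previous run turns this into a change detector: a new SUID file, or a known one moved outside its package, is worth an alert on its own.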

This was a challenging CTF and lots and lots of fun. Probably the most I’ve learnt in a CTF yet.

Other Alternative Solutions

I always love to check out how others approached it: what they did differently, what I missed, better ways to solve the same problem, etc.

  • https://kaizensecurity.wordpress.com/2016/08/31/mr-robot-1-you-are-not-alone/
  • https://two06.blogspot.com.au/2016/07/mr-robot-ctf-walkthrough.html – (php reverse shell)
  • https://blog.christophetd.fr/write-up-mr-robot/ (removing duplicates from the wordlist and also missed the password for WP admin : )
  • http://camelinc.info/blog/2017/02/Vulnhub—Mr-Robot-1-boot2root-CTF-walkthrough/
  • https://www.youtube.com/watch?v=ra9N2jmj590&feature=youtu.be (using dir, hash identifier, manual wp plugin upload)
  • https://nikolaskama.me/mr-robot-1-writeup/