Introduction
First, go to the challenge's room on TryHackMe (create an account if you haven't already), follow the steps and press "Start Machine" to get started.
The enumeration phase in pentesting (not only in CTF environments) is a crucial step where the tester gathers as much information as possible about the target system or network. This includes identifying the target's IP addresses, open ports, running services, and operating system versions. The goal of enumeration is to create a detailed map of the target system, which helps the tester identify potential vulnerabilities and weaknesses. The tool we are going to use is called "nmap".
Nmap is a powerful and widely used network exploration and security auditing tool. It's a command-line utility that allows users to scan networks, identify hosts, and discover open ports and running services. A perfect fit for the enumeration process, isn't it? The nmap scan result in the screenshot on the right contains a lot of information, but the takeaway is simple: there are three open ports, 22/tcp, 80/tcp and 443/tcp. SSH is running on port 22, and there's an Apache web server on port 80 (HTTP) and 443 (HTTPS).
01. Enumeration (Web)
Thanks to the nmap scan, we now know for sure that there's a web server running. Before anything else, if you haven't already downloaded a wordlist to perform this task, here is an excellent resource for you. There are a lot of directories related to WordPress, so you could use tools like wpscan to search for common WordPress vulnerabilities, but in this case it's better for us to scan manually. There is some unusual content in /robots.txt:
User-agent: *
fsocity.dic
key-1-of-3.txt
We found the first key! http://$IP/key-1-of-3.txt
Besides the key, the file http://$IP/fsocity.dic can be used later to perform a brute-force attack. Taking a look at its contents, we notice that there are a lot of words, and most of them are not unique. In order to execute a successful brute-force attack, let's make another file containing only the unique words.
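The deduplication step described above, as an added example that is not part of the original write-up. It builds the unique-words copy while keeping the original order (so the most common candidates stay near the top) and reports how much the list shrank. The input file here is a small constructed sample; point SAMPLE_LIST at the real fsocity.dic to use it for real.

```shell
#!/bin/sh
# Added example (not from the original write-up): deduplicate a wordlist and
# report how much it shrank. SAMPLE_LIST is a constructed stand-in for the
# downloaded fsocity.dic; the duplicates below mimic its shape.
SAMPLE_LIST="${TMPDIR:-/tmp}/sample-words.dic"
printf '%s\n' elliot robot mrrobot elliot fsociety robot elliot > "$SAMPLE_LIST"

# dedup_wordlist <in> <out>: keep the first occurrence of every line, in the
# original order. `sort -u` would also work but reorders the candidates.
dedup_wordlist() {
    awk '!seen[$0]++' "$1" > "$2"
}

# count_lines <file>: line count without the leading spaces some wc builds print
count_lines() {
    wc -l < "$1" | tr -d ' '
}

UNIQUE_LIST="${SAMPLE_LIST%.dic}-unique.dic"
dedup_wordlist "$SAMPLE_LIST" "$UNIQUE_LIST"
echo "before: $(count_lines "$SAMPLE_LIST") words, after: $(count_lines "$UNIQUE_LIST") unique words"
```

On the real file the same two functions apply unchanged; the size reduction is what makes the later wordlist-based attempts finish in a sensible time, and it is also why a defender should assume a leaked wordlist will be cleaned up like this before use.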
02. Initial access
One of the most important things in the pentesting/ethical hacking field is knowing your target. As this CTF is Mr. Robot-themed, we can assume that a valid username could be something like mrrobot, robot, fsociety, elliot and so on, which are keywords related to the show. After some tries at http://$IP/wp-login.php, a different error message showed up. Looks like elliot is a valid username!
Now we can use the previously found dictionary to perform a brute-force attack against this login page. Tools like hydra would come in handy, but as we are dealing with WordPress, I prefer to use wpscan instead.
The effectiveness of the attack depends on several factors, such as the strength and complexity of the password, the speed of the attacker's computer, and the security measures implemented by the targeted system to prevent such attacks. In this case, we are able to easily guess elliot's password, as he isn't using a very secure password and there are no security measures at all implemented on the website.
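The absence of "security measures" mentioned above is also what makes this attack loud: every guess is a POST to wp-login.php. As an added example from the defender's side (not code from the original write-up), the script below flags IPs that fail the WordPress login too many times in an Apache combined-format access log. It relies on one WordPress behaviour, which is an assumption stated in the code: a failed login re-renders the form with HTTP 200, while a successful one redirects with 302. The log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): detect a WordPress login
# brute force in an Apache combined-format access log.
# Assumption: a failed wp-login.php POST answers 200 (form re-rendered) and a
# successful one answers 302 (redirect to the dashboard).
ACCESS_LOG="${TMPDIR:-/tmp}/sample-access.log"
cat > "$ACCESS_LOG" <<'EOF'
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2023:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# flag_bruteforce <log> <threshold>: print "ip count" for every client IP with
# at least <threshold> failed wp-login.php POSTs. Combined-format fields:
# $1 client IP, $6 "\"POST", $7 request path, $9 status code.
flag_bruteforce() {
    awk -v threshold="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' "$1"
}

# Sample run: only 10.0.0.5 crosses a threshold of 5 failures.
flag_bruteforce "$ACCESS_LOG" 5
```

A real deployment would run this over a sliding time window (the timestamps are in field 4) and feed the result to fail2ban or a WAF rule; the counting logic stays the same. Note that a 302 from a single IP after a burst of 200s is the pattern of a guess that finally succeeded, which is worth alerting on separately.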
03. System foothold & shell stabilization
Referencing this super cool article about WordPress shell upload, we are able to obtain a foothold. To do so, we need to replace some legitimate code with our malicious code. First things first, download this PHP code in order to be able to successfully trick the web application.
At the WordPress dashboard, logged in as elliot, go to Appearance > Themes > Editor.
I chose the file 404.php, removed all the legitimate code, and pasted the PHP reverse shell. Do not forget to change the $ip value to your VPN IP address; you can see on the left image that I changed the value to mine.
Netcat shells aren't stable by default, so we need to perform a few manual steps to stabilize it. First, set the terminal type:
export TERM=xterm
Now, put the shell on the background using Ctrl + z and type:
stty raw -echo; fg
Press enter two or three times and… welcome, stable shell!
04. Horizontal privilege escalation
We got a shell as the "daemon" user, and our objective is to completely own this machine, so let's work on getting a more privileged account. In the /home directory we can see another user called 'robot'. Entering that folder, the first file that stands out is a text file containing his password hash in MD5. Since MD5 is an old hashing algorithm that is easy to crack nowadays, we can crack it locally using tools like hashcat or John the Ripper, or use websites like crackstation.net (shown in the screenshot below).
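The weakness exploited here is twofold: the hash is MD5, and the file holding it is readable by an account that has nothing to do with the user. As an added example for the defender (not code from the original write-up), the function below audits a directory tree for files readable by "other" that contain a 32-hex-character token, the shape of an unsalted MD5 digest. The directory layout and the hash value it checks are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original write-up): find world-readable files that
# contain an MD5-shaped token. The sandbox directory and its contents are
# constructed; the 32-hex string is a placeholder, not a real credential hash.
SANDBOX="$(mktemp -d)"
mkdir -p "$SANDBOX/robot"
printf 'robot:0123456789abcdef0123456789abcdef\n' > "$SANDBOX/robot/password.raw-md5"
chmod 644 "$SANDBOX/robot/password.raw-md5"          # readable by everyone: flagged
printf 'robot:0123456789abcdef0123456789abcdef\n' > "$SANDBOX/robot/.private"
chmod 600 "$SANDBOX/robot/.private"                  # owner-only: not flagged
printf 'just some notes\n' > "$SANDBOX/robot/notes.txt"
chmod 644 "$SANDBOX/robot/notes.txt"                 # readable but no hash: not flagged

# find_exposed_hashes <dir>: print every regular file under <dir> whose "other"
# read bit is set (-perm -004) and which contains a standalone 32-hex token.
find_exposed_hashes() {
    find "$1" -type f -perm -004 2>/dev/null | while IFS= read -r f; do
        if grep -Eiq '(^|[^0-9a-f])[0-9a-f]{32}([^0-9a-f]|$)' "$f"; then
            echo "$f"
        fi
    done
}

# Sample run: only the world-readable file with the hash is reported.
find_exposed_hashes "$SANDBOX"
```

Run it as `find_exposed_hashes /home` on a real host; a hit is a reason to re-hash the credential with a slow, salted scheme (bcrypt, scrypt or Argon2) and to fix the file permissions, since the permission bit is what let an unrelated service account read it in the first place.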
05. Vertical privilege escalation
Vertical privilege escalation attacks can be conducted through various means, such as exploiting software vulnerabilities, weak passwords, or misconfigured access controls. After a long time looking for system misconfigurations, an interesting binary finally stands out: nmap has the SUID bit set, which is unusual. Doing a quick Google search, I found this article about nmap with SUID. Apparently we can run nmap interactively and get a shell as root. Fancy!
$ nmap --interactive
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
The third key is stored in /root.
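The misconfiguration that ends the box is a SUID bit on a binary that has no business carrying one. As an added example (not code from the original write-up), the script below does the audit a defender would run: it lists SUID files under a directory and reports any whose name is not on an allowlist of binaries that are normally SUID on Debian-style systems (the allowlist is an assumption to adjust per distribution). The sandbox directory it scans is constructed, and a file named nmap with the SUID bit set stands in for the real finding.

```shell
#!/bin/sh
# Added example (not from the original write-up): report SUID binaries that are
# not on an allowlist. The sandbox below is constructed so the script runs
# without root; on a real host call audit_suid / instead.
SANDBOX="$(mktemp -d)"
: > "$SANDBOX/nmap"   && chmod 4755 "$SANDBOX/nmap"    # SUID, not expected: flagged
: > "$SANDBOX/passwd" && chmod 4755 "$SANDBOX/passwd"  # SUID, expected: silent
: > "$SANDBOX/ls"     && chmod 755  "$SANDBOX/ls"      # no SUID bit: ignored

# Binaries that are normally SUID on Debian/Ubuntu (assumed baseline; tune it
# for your distribution and compare against a package manifest where possible).
SUID_ALLOWLIST="passwd sudo su mount umount ping chsh chfn gpasswd newgrp"

# audit_suid <dir>: print "UNEXPECTED SUID: <path>" for every SUID regular
# file under <dir> whose basename is not in SUID_ALLOWLIST.
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        name=$(basename "$path")
        case " $SUID_ALLOWLIST " in
            *" $name "*) ;;                           # on the allowlist
            *) echo "UNEXPECTED SUID: $path" ;;
        esac
    done
}

# Sample run: only the nmap stand-in is reported.
audit_suid "$SANDBOX"
```

Scheduling this (or an equivalent file-integrity rule) catches the class of problem rather than this one binary: any SUID root executable that can spawn a shell or write arbitrary files hands root to whoever can execute it, so the fix is `chmod u-s` on the file and a review of how the bit got there.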
06. Conclusion
The CTF presents a realistic scenario inspired by the famous TV show Mr. Robot, allowing participants to learn and practice hacking techniques in a safe and controlled environment. The challenge covers a range of topics, including reconnaissance, vulnerability scanning, password cracking, and privilege escalation. Completing the challenge not only enhances the participant’s technical skills but also provides a sense of achievement and satisfaction. Overall, the Mr. Robot CTF is an excellent resource for cybersecurity enthusiasts to learn and practice ethical hacking in a fun and engaging way.
We hope that you have found our content useful and engaging, and we invite you to explore more of our website to discover other interesting topics that we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing you with the best possible user experience, and we welcome your feedback and suggestions via the contact form. Thank you for choosing our website, and we hope to see you again soon!