TryHackMe: Mr Robot CTF Writeup

Hacktivities
9 min read, May 23, 2020

Bonsoir everyone! This writeup documents my approach to solving the “Mr Robot CTF” room, which is available for free to members of the TryHackMe platform. I recommend checking out TryHackMe to anyone who is interested in learning new cyber security skills or is just looking to have some fun 😄! I have a link to their website in the references below.

Disclaimer

I recommend trying to complete the room before reading this writeup, since you learn more that way and will get more satisfaction from completing it yourself! If you are reading this and have gotten stuck on a certain part of the CTF then I would advise the following:

  • Try not to overcomplicate things: each key can be found using common exploits or penetration testing techniques.
  • Perform as much enumeration as possible using multiple tools.
  • Be patient and stay persistent. The goal is to learn and have fun, so remember to take regular breaks!

Background

The theme of this CTF (Capture The Flag) is based on the “Mr Robot” TV series, and the room has 3 hidden keys that must be found to complete it. Each key is harder to find than the one before.

For this writeup, I will be using Kali Linux and the tools that come pre-installed with it. I will begin the writeup after connecting to the target machine, so let’s dive in!

Enumeration

Once connected, I start by scanning the target machine’s IP address using a popular tool called NMAP to discover what ports are open and the services that are running on these ports.

The NMAP command can be broken down as follows:

  • -Pn: Disables host discovery.
  • -sV: Performs version detection for the services.
  • -sC: Performs a script scan using default scripts available in NMAP.
  • -v: Provides verbose details about the NMAP scan.
  • -O: Performs OS detection.
  • -oN: Outputs scan results to a file.

This scan identifies ports 22, 80 and 443 on the target machine. Port 22 is closed, but ports 80 and 443 are open and the target machine appears to be running an Apache web server.

Typing the target machine’s IP address into the address bar of any browser presents a cool-looking website with some limited functionality. After exploring the website for a bit, I decided to use GoBuster, a tool for finding hidden directories. It takes a word list of common directory names and requests each one from the web server.

GoBuster identifies a number of pages. The pages with a status code of 200 are of particular interest, since that code means the request was successful.

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/admin (Status: 301)
/atom (Status: 200)
/audio (Status: 301)
/blog (Status: 301)
/css (Status: 301)
/dashboard (Status: 302)
/favicon.ico (Status: 200)
/feed (Status: 200)
/images (Status: 301)
/image (Status: 301)
/Image (Status: 301)
/index.html (Status: 200)
/index.php (Status: 301)
/intro (Status: 200)
/js (Status: 301)
/license (Status: 200)
/login (Status: 302)
/page1 (Status: 200)
/phpmyadmin (Status: 403)
/readme (Status: 200)
/rdf (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
/rss (Status: 200)
/rss2 (Status: 200)
/sitemap (Status: 200)
/sitemap.xml (Status: 200)
/video (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-config (Status: 200)
/wp-cron (Status: 200)
/wp-load (Status: 200)
/wp-links-opml (Status: 200)
/wp-login (Status: 200)
/wp-signup (Status: 302)

Looking at the pages with status code 200 first, the first key was found via the “robots.txt” file. This file tells search engines which pages on your website they may crawl and index and which they should not. Typing “http://10.10.50.209/robots.txt” into the browser shows the contents of the “robots.txt” file.

Typing “http://10.10.50.209/key-1-of-3.txt” gives the first key. One down, two to go!

The “robots.txt” file also contained an entry called “fsocity.dic”. Typing “http://10.10.50.209/fsocity.dic” into the address bar causes a file to be downloaded. Examining the file with “strings” shows that it is a large list of words.

I decided to grep the list to see if there were any clues about the second key.

Looking through the file, I noticed that many words appeared more than once. This will turn out to be important later 😉.

Vulnerable Login

Looking through the remainder of the pages discovered by GoBuster, I found a login page called “wp-login”.

I tried a few different credentials to see if I could get lucky and discovered that when a login fails, the page presents an error saying the username is invalid.

Incorrect Username

Thinking about the theme for this CTF, I tried some of the names of the characters from the Mr Robot show. I discovered that if you entered the username “Elliot”, a different error message would be presented.

These error messages are very useful, because the message displayed indicates whether it was the username or the password that was wrong. I recalled the word list “fsocity.dic” that I found earlier through the robots.txt file and figured that it was meant to be used to brute force this login.

I mentioned earlier that while looking through the word list, I discovered duplicates of the same words. After realizing that the word list was meant to be used to brute force this login, I decided to sort the list and remove any duplicates.

This shortens the list, so the brute force will take less time. The difference in the number of lines is considerable, as shown by the “wc” command: the list was shortened from 858,160 words to 10,072 words.

Brute Force Login

With a shorter word list and the knowledge that different error messages are presented, I can shorten the time needed to brute force the WordPress login. To accomplish this task, I will be using a tool called Hydra. I first need to check which parameters the login page sends when credentials are submitted, since these parameters need to be supplied on every login attempt. For this I use BurpSuite, an interception proxy that lets me capture requests leaving the browser before they are forwarded to the server.

The parameters highlighted in red were found in the POST request made when attempting to log in. Using this information, I can brute force the password for the login page with Hydra, using the username “elliot”.

A breakdown of the Hydra command is as follows:

  • -f: Stop brute forcing the login page once the password is found.
  • -V: Display the attempts being made by Hydra and other details.
  • -t: Number of connects/tasks being run in parallel (recommended 4).
  • https-post-form: The Hydra module for an HTTPS form submitted with POST.
  • /wp-login.php: Path of the login page.
  • ^USER^: Placeholder in the form body that Hydra replaces with the username (or each entry of the username list).
  • ^PASS^: Placeholder that Hydra replaces with each entry of the supplied password list.
  • -l: Specifies a single username, e.g. “Elliot” (use -L for a username list).
  • -P: Specifies the password list to use, e.g. wordpress_password_list.dic

Running this command gives the password for the “Elliot” user. Hooray!
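From the defender’s side, the same brute force leaves an obvious trail in the Apache access log. The following is an added example (not code from the original writeup or from TryHackMe) that scans constructed log lines for bursts of failed wp-login.php POSTs per client IP and checks whether a success followed; it assumes the Apache combined log format and WordPress’s behaviour of answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample, not captured from the target machine.
# A failed WordPress login re-renders the form with HTTP 200; a successful one
# answers 302 (redirect to wp-admin), so POST+200 bursts then a 302 are the signal.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [23/May/2020:19:01:%02d +0000] "POST /wp-login.php HTTP/1.1" '
     '200 4523 "-" "Mozilla/4.0 (Hydra)"' % s for s in range(0, 30, 3)]
    + ['10.0.0.9 - - [23/May/2020:19:01:30 +0000] "GET /blog/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
       '10.0.0.9 - - [23/May/2020:19:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '10.0.0.5 - - [23/May/2020:19:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def wp_login_posts(log_text, status):
    """Timestamps of POSTs to wp-login.php that returned the given status, per client IP."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].startswith("/wp-login.php") and rec[4] == status:
            per_ip[rec[0]].append(rec[1])
    return per_ip

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failed logins inside any window} for IPs at or above threshold."""
    alerts = {}
    for ip, times in wp_login_posts(log_text, 200).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts

def succeeded_after_failures(log_text, ip):
    """True if ip was redirected (302) by wp-login.php after its last failed attempt."""
    fails = wp_login_posts(log_text, 200).get(ip)
    wins = wp_login_posts(log_text, 302).get(ip)
    return bool(fails and wins and max(wins) > max(fails))
```

On the sample, detect_bruteforce flags 10.0.0.5 with 10 failures inside one minute and succeeded_after_failures confirms a later 302, which is exactly the pattern left by Hydra with -f.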

WordPress Reverse Shell

Logging in as the user “Elliot”, I noted that this user is the administrator and that the WordPress version being used is 4.3.1 in this instance.

A quick Google search showed that this version of WordPress has multiple vulnerabilities that can be exploited to gain a reverse shell. One such method is to upload a malicious plugin through the administrator interface. To accomplish this, I start by creating a PHP file and adding some malicious code.

The malicious code uses the PHP exec() function to run commands that create a shell on the target machine which we can interact with. The IP address in the code must be that of the host machine you intend the reverse shell to call back to. The port used for this reverse shell was “4567”. The PHP file was compressed in ZIP format before being uploaded as a plugin.

Once the plugin has been uploaded and installed successfully, it must be activated which will cause the reverse shell to be created.

To connect to the reverse shell, netcat can be used to listen for a connection on port 4567.

I now have a reverse shell on the target machine 😃.

I moved into the “/home” directory to see which users had been created on the target machine. I found one user called “robot”. Inside this user’s directory are the second key and a file containing an MD5 hash.

To read the second key, we need to switch to the user “robot”. The password for this user is stored in the second file as an MD5 hash. Using any online hash cracking tool, it is possible to recover the password for the user.

Using this password, I can switch users with the “su” command, but unfortunately “su” can’t be used without a proper terminal.

I can get around this by using Python to spawn a pseudo-terminal, which gives me a working terminal.

I can now switch to the “robot” user and read the second key!

Linux Privilege Escalation

I figured that the final flag was in the root user’s home directory and started looking for ways to escalate my privileges on the target machine. A common way to escalate privileges is to abuse binaries with the SUID bit set. Such a binary runs with the permissions of its owner rather than those of the user who launched it, so a SUID binary owned by root runs as root. I use the “find” command to search for files with this bit set.

I noticed that the “nmap” binary had the SUID bit set. Older versions of Nmap (2.02 to 5.21) had an interactive mode that allowed users to execute shell commands. Since nmap is among the binaries that execute with root privileges, it is possible to use the interactive console to run a shell with the same privileges. The installed Nmap version is checked to see if it is one of these.

This version does have the interactive mode, so it can be used to execute commands as root and read the third and final key.
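The same SUID check is something a defender should run routinely, so here is an added audit script (not from the original writeup) that walks a directory tree, lists every SUID file and flags any whose name is on a watch list of binaries known to hand out a shell, which on this page is nmap. The watch list, the build_demo_tree fixture and the temp-directory layout are my own constructions.

```python
import os
import stat
import tempfile

# Binaries named on this page as giving a shell when run SUID root. Extend this
# set from your own hardening baseline; it is deliberately minimal here.
WATCHLIST = {"nmap"}

def find_suid(root):
    """Return sorted paths of regular files under root that carry the SUID bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entry; keep auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit_suid(root):
    """Split SUID files into (flagged, other); flagged = basename is on the watch list."""
    flagged, other = [], []
    for path in find_suid(root):
        (flagged if os.path.basename(path) in WATCHLIST else other).append(path)
    return flagged, other

def describe(path):
    """One report line: permission bits, owner uid and path, e.g. '4755 uid=0 /usr/bin/nmap'."""
    st = os.lstat(path)
    return "%o uid=%d %s" % (stat.S_IMODE(st.st_mode), st.st_uid, path)

def build_demo_tree():
    """Constructed fixture: a temp dir with SUID 'nmap' and 'ping' and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")           # placeholder content, not a real binary
        os.chmod(path, mode)                  # set after writing so the SUID bit survives
    return root

if __name__ == "__main__":
    demo = build_demo_tree()                  # replace with "/" for a real audit
    flagged, other = audit_suid(demo)
    for p in flagged:
        print("REVIEW", describe(p))
    for p in other:
        print("info  ", describe(p))
```

Comparing the “other” list against a known-good baseline from a freshly installed host catches SUID bits that were added later, which is how the nmap binary on this machine would have stood out.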

Closing Remarks

This was a really fun CTF for beginners and intermediate players. The TryHackMe platform has lots of different rooms and is a great way to learn new skills or brush up on old ones. If you’re interested in hearing about more writeups I’m planning for the future, or just about cyber security in general, feel free to follow me on Twitter: @TheTMC113

Till next time 😃 🍻!
