TryHackMe: Mr. Robot CTF

Samantha
8 min read · Oct 11, 2020

Room: Mr. Robot CTF

Difficulty: Beginner/Intermediate

“Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

What is key 1?

I started by enumerating the machine using an nmap scan.

Looks like we have three ports here: a closed SSH port on 22 and web services running on 80 and 443.

Use your web browser to navigate to the web page.

OK, so this is pretty cool. I right-clicked and chose “Inspect Element”, which brought up an interesting message:

I went back to the “command line” in my browser and tried a few of the available commands. Here is “question”:

“prepare” shows you a short video:

Before I check the others I am going to get gobuster running in the background.

The other page options have similar videos, but “join” asks you for an email address. I don’t know about entering my email though. Maybe the person who designed the challenge is just harvesting emails to sell them, lol.

The hint for question one is “robots”. To me, this is probably referring to the robots.txt page that websites can use to inform search engine crawlers of certain preferences.

I found this at /robots.txt:

If you add that to your navigation bar you arrive here:

Initially I thought this was hex code for something and wasted a bunch of time attempting to decode it, but it turned out that this was the actual flag!

What is key 2?

Back on the /robots.txt page, you’ll notice there is a .dic file called fsocity.dic, so let’s head there:

When you open up the file, it looks like a custom wordlist. Definitely saving that for later!

I explored around for a while longer, but I will spare you every single detail. There was a lot to look at and ponder. I mostly just used my gobuster results as a guide as they poured in.

At /license.txt I found this by inspecting the page, a password!

It was easily recognizable as Base64, so I just used an online tool to decode it and got: elliot:ER28-0652
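The credential above was sitting in a plain text file the web server happily serves, which is exactly the kind of thing to audit on your own site before someone else finds it. The script below is an added example (not the author's code) that scans a file for Base64 runs, decodes them locally so nothing is pasted into a third-party decoder, and reports only the ones that decode to a `user:password` pair. The input text, the token and the credential it decodes to are all constructed for this example; the regex thresholds are assumptions you may want to tune.

```python
import base64
import binascii
import re
import string

# Constructed sample of a text file served by a web site: a licence-style note
# with a Base64 blob dropped into it. Example input only, not the file from the box.
SAMPLE_FILE = """\
This theme is released under the GPL (constructed sample).
Do not leave credentials in files the web server can serve.
ZGVtb3VzZXI6c3VwZXJzZWNyZXQxMjM=
A harmless token that also happens to be Base64: aGVsbG8gd29ybGQ=
"""

# Candidate Base64 runs: 12+ alphabet characters with optional padding,
# not glued to other Base64 characters on either side.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# What a decoded "user:password" pair looks like (same shape as the post's finding).
CREDENTIAL = re.compile(r"^[A-Za-z0-9._-]{1,64}:[^\s:]{4,}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_if_base64(token):
    """Strictly decode a token; return the text, or None if it is not clean Base64 text."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Random words that happen to be valid Base64 decode to binary junk; drop those.
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def scan_for_leaked_credentials(text):
    """Return [(line_no, token, decoded)] for Base64 tokens that decode to user:password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in BASE64_TOKEN.finditer(line):
            decoded = decode_if_base64(match.group(0))
            if decoded is not None and CREDENTIAL.match(decoded):
                findings.append((line_no, match.group(0), decoded))
    return findings


if __name__ == "__main__":
    for line_no, token, decoded in scan_for_leaked_credentials(SAMPLE_FILE):
        user = decoded.split(":", 1)[0]
        print(f"line {line_no}: {token} decodes to credentials for user '{user}'")
```

Run it over your web root (`find /var/www -type f -name '*.txt'` piped into it, for instance) as part of a pre-publish check; the "hello world" token on the last line shows that decodable Base64 is not flagged unless it actually looks like a credential.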

I tried it at the /login page I found earlier, and was able to get into the blog’s dashboard!

There were no posts active, but I did find 5 in the trash. I restored them all.

But that was useless. I assumed something would be here in “white-colored” font like the hint implied.

Overall, I didn’t get much from the blog except for the “users” page, where I found Elliot and his therapist’s email addresses:

When you click her name and check out the “about me” section you see this:

So we have another username, mich05654. Perhaps I can brute-force that with the wordlist?

There is a tool preinstalled on Kali called wpscan that you can use to brute-force WordPress logins.

Looking at the wordlist we got, there are over 850,000 words in it... This may take some time. While that was running, I did some more exploring.

I found this at /readme:

I left for a while and came back later to check on wpscan. It had found a password!
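A password spray of that size leaves a very loud trail in the web server's access log, and that is how a defender would catch it. The script below is an added example (not the author's code) that parses combined-format access log lines and flags any client that racks up a threshold of failed `wp-login.php` POSTs inside a sliding time window. It relies on a real WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one answers with a 302 redirect. The log lines, IP addresses, threshold and window are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed combined-format access log lines (not from the post). 10.0.0.5
# hammers the login form; 10.0.0.9 is a real user who mistypes once, then succeeds.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2020:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1421 "-" "curl/7.68.0"
10.0.0.5 - - [11/Oct/2020:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.5 - - [11/Oct/2020:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.9 - - [11/Oct/2020:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Oct/2020:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.5 - - [11/Oct/2020:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.5 - - [11/Oct/2020:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.9 - - [11/Oct/2020:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Oct/2020:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "curl/7.68.0"
10.0.0.5 - - [11/Oct/2020:14:02:40 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(event):
    # WordPress re-renders the login form with HTTP 200 on a bad password and
    # redirects (302) on success, so a POST to wp-login.php answered 200 is a failure.
    return event["method"] == "POST" and event["path"].endswith("/wp-login.php") and event["status"] == 200


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (flagged_ips, failed_counts). An IP is flagged once it reaches
    `threshold` failed logins inside any `window`-long sliding interval."""
    recent = defaultdict(deque)       # ip -> timestamps of failures still inside the window
    failed_counts = defaultdict(int)  # ip -> total failures seen
    flagged = []
    for line in lines:
        event = parse_line(line)
        if event is None or not is_failed_login(event):
            continue
        ip, ts = event["ip"], event["ts"]
        failed_counts[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged, dict(failed_counts)


if __name__ == "__main__":
    flagged, counts = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip in flagged:
        print(f"{ip}: {counts[ip]} failed wp-login.php POSTs, block or rate-limit this client")
```

The same logic is what tools like fail2ban apply in real time; the window/threshold pair is what separates a user fumbling their password from an 850,000-word dictionary run.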

I logged in with her credentials, but that appeared to be a useless dead end.

When I used wpscan, it did produce quite a few things in the “interesting findings” section of the scan.

After doing some research based on the stuff I found here, I discovered that you can use the theme editor to get a reverse shell using the 404 template:

I used THIS.

Copy/Paste that into the 404 Template to replace what was originally in there.

Look through it and you will find this area where you need to make some changes:

Set that to your IP and the port you want to listen on in netcat.

Make sure you hit “Update File” to save the template, then head over to your terminal to set up a listener.

Now just browse to a blog page that you know will throw up a 404 error, like this:

Check back with netcat:
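The whole chain above only works because a dashboard account is allowed to edit theme files in the browser. The script below is an added example (not the author's code, and not part of WordPress) with two defender-side checks for that: it reads a wp-config.php and reports whether the real WordPress constants `DISALLOW_FILE_EDIT` (hides the theme and plugin editors) and `DISALLOW_FILE_MODS` (also blocks installs and updates through the dashboard) are set, and it scans a theme template such as 404.php for PHP calls a page template never needs. The config fragments and template files are constructed samples; the list of suspicious function names is my own choice.

```python
import re

# --- 1. wp-config.php hardening check -------------------------------------
# Two constructed wp-config.php fragments (not from the box).
WEAK_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""

HARDENED_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
// Removes Appearance > Theme Editor and Plugins > Plugin Editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);
// Also blocks plugin/theme installs, updates and uploads through the dashboard.
define('DISALLOW_FILE_MODS', true);
"""


def _defined_true(config_text, constant):
    """True when `define('CONSTANT', true)` appears in the config text."""
    pattern = re.compile(
        r"define\s*\(\s*['\"]" + re.escape(constant) + r"['\"]\s*,\s*true\s*\)",
        re.IGNORECASE,
    )
    return bool(pattern.search(config_text))


def check_wp_config(config_text):
    """Return a dict of hardening constants and whether each is set to true."""
    return {
        "DISALLOW_FILE_EDIT": _defined_true(config_text, "DISALLOW_FILE_EDIT"),
        "DISALLOW_FILE_MODS": _defined_true(config_text, "DISALLOW_FILE_MODS"),
    }


# --- 2. theme template integrity check ------------------------------------
# PHP calls that a page template has no business making. A 404.php containing
# one of these has almost certainly been tampered with. (List chosen for this example.)
SUSPICIOUS_CALLS = ("fsockopen", "pfsockopen", "shell_exec", "exec", "system",
                    "passthru", "proc_open", "popen", "pcntl_exec", "eval")

# Constructed templates: a stock-looking 404.php and a tampered one. The
# tampered sample is deliberately not working PHP; only the call name matters here.
CLEAN_404 = """\
<?php get_header(); ?>
<h1><?php _e('Page not found'); ?></h1>
<?php get_footer(); ?>
"""

TAMPERED_404 = """\
<?php get_header(); ?>
<?php $result = shell_exec( /* command omitted in this constructed sample */ ); ?>
<?php get_footer(); ?>
"""


def scan_template(php_source):
    """Return the sorted list of suspicious function names called in a template."""
    hits = set()
    for name in SUSPICIOUS_CALLS:
        # Match `name(` as a standalone identifier, so "exec" does not fire on "shell_exec".
        if re.search(r"(?<![A-Za-z0-9_$])" + re.escape(name) + r"\s*\(", php_source):
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_wp_config(cfg))
    for label, tpl in (("clean 404.php", CLEAN_404), ("tampered 404.php", TAMPERED_404)):
        print(label, scan_template(tpl) or "no suspicious calls")
```

Comparing every file under wp-content/themes against a known-good copy (or a package checksum) is the stronger check; the function scan is the quick triage you run when you suspect the editor has been used.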

As I learned a few days ago when I did my first HTB machine (I will be posting the writeup when it retires), we should upgrade our shell to something a little nicer:

python -c 'import pty; pty.spawn("/bin/bash")'

Much better:

Time to explore. In the /home directory we find this:

You can’t open up the Key 2 file, but you are given an md5 password hash for the user robot:

CrackStation was able to crack it easily:

Change users to “robot” and you will be able to open the file:

So we got our second key, but I'm still trying to figure out what the hint about white-colored font is about. If anyone knows, please leave me a comment. I might try to ask on the Discord server later.

What is key 3?

So I’m assuming this one requires us to escalate our privileges to root. The only hint was “nmap”. I looked back over my scan and didn’t see anything special pop out at me.

I went back to Google and found a few articles that pointed me in the right direction:

The first thing I did was look for the SUID flags I could run as root.

A couple of weeks back I did one of the Advent of Cyber THM challenges that utilized SUID in somewhat the same manner. You can read my writeup HERE, if you would like. To keep it short though, the SUID bit means the file runs with the privileges of its owner rather than of the user who launched it, so a SUID binary owned by root runs as root.

Check out /usr/local/bin/nmap!

After you find these, you can use GTFOBins to help you utilize them (in our case, search for nmap).

Let’s check what version of nmap is installed here:

We can see that it is a REALLY outdated version. So apparently, older versions of nmap had an --interactive mode which drops you into a prompt where a user could execute commands. It looks like that is what we are able to do here:

From here, we can use !sh to spawn a shell. Because the SUID bit is set, it will be a root shell:
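The root cause on this box is a SUID bit on a program that can spawn a shell, and the fix is simply to take that bit away (and update nmap). The script below is an added example (not the author's code) that does the audit a sysadmin would run: walk a tree, list every SUID regular file with its owner, sort each one into "dangerous" (can hand over a shell), "expected" (normal SUID system binaries) or "review", and strip the bit from the dangerous ones. Both name lists are assumptions for this example, not an authoritative baseline, and the demo builds a throwaway directory with placeholder files rather than scanning `/`.

```python
import os
import stat
import tempfile

# Binaries that are normally SUID on a Linux host. Constructed baseline for this
# example; build yours from a freshly installed system of the same distribution.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "pkexec"}
# Programs that can hand the caller a shell and so must never carry the SUID bit.
# nmap is the one from the post; the others are long-standing GTFOBins entries.
SHELL_CAPABLE = {"nmap", "bash", "sh", "vim", "vi", "find", "python", "python3",
                 "perl", "less", "more", "awk", "env"}


def find_suid(root):
    """Walk `root` and return sorted [(path, owner_uid)] for regular files with SUID set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never follow it
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))  # uid 0 means it runs as root
    return sorted(found)


def classify(suid_files):
    """Bucket SUID files: known-dangerous, expected, or unknown (needs review)."""
    report = {"dangerous": [], "expected": [], "review": []}
    for path, _uid in suid_files:
        name = os.path.basename(path)
        if name in SHELL_CAPABLE:
            report["dangerous"].append(path)
        elif name in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["review"].append(path)
    return report


def strip_suid(path):
    """Remove the SUID bit (the fix for the nmap finding); return True when it is gone."""
    mode = os.stat(path).st_mode
    os.chmod(path, stat.S_IMODE(mode) & ~stat.S_ISUID)
    return not (os.stat(path).st_mode & stat.S_ISUID)


def build_demo_tree():
    """Create a throwaway directory mimicking the finding: a SUID nmap next to a SUID passwd."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755),
                       ("backup.sh", 0o4755), ("notes.txt", 0o644)):
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder contents; only the mode bits matter here
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()  # on a real host you would pass "/" (as root) instead
    report = classify(find_suid(root))
    for bucket, paths in report.items():
        for p in paths:
            print(f"[{bucket}] {p}")
    for p in report["dangerous"]:
        print(f"removing SUID bit from {p}: {strip_suid(p)}")
```

On a real system run it as root so every directory is readable, and treat anything in the "review" bucket (the backup.sh here) as a question for whoever installed it; a custom script with SUID set is as worth a look as an old nmap.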

Happy Hacking! ❤


Samantha

CTF writeups to facilitate cyber education and help me earn CPEs