TryHackMe — Mr. Robot CTF Writeup




By Yugansh Kumar, November 10, 2020

This post is a walkthrough of the famous Mr.Robot CTF virtual machine. I used the platform TryHackMe though you can also find this VM on Vulnhub. The goal is to find three hidden flags.

TryHackMe website

Let’s get started by deploying the machine. Once it is up, run a basic Nmap scan to see which ports and services are open on the target IP address.

Nmap Scan

nmap scan

Ports 80 and 443 being open indicates a web server is running, so we open http://10.10.24.7 and https://10.10.24.7 in a browser.

Mr robot themed website

The website is Mr. Robot themed. Running the commands shown in the picture just redirects to other pages containing images and videos from the Mr. Robot TV show.

So now that we know it is a website, we should enumerate its directories with a gobuster scan and follow the basic enumeration steps, such as checking whether a robots.txt page is available.

Gobuster Scan

Now we’ll be employing a tool called gobuster. It takes an existing wordlist of common directory names, requests every name in that wordlist from the web server, and reports the HTTP status code each one returns. (If you are using Kali or ParrotOS, you can find these wordlists at /usr/share/wordlists/dirbuster.)

Gobuster Scan

Now let’s check the directories that returned a status code of 200.

/readme
/license

So, in the license directory we found a base64 encoded string. Let’s decode it and see what we get.


These could be the login credentials for the wp-admin page, but before testing them we should look at the robots.txt file, as it might contain valuable information.

/robots.txt

As we can see, the robots.txt file contains plenty of valuable information: a dictionary named fsocity.dic and the first flag, key-1-of-3.txt. So let’s visit both paths and download the dictionary; if the username and password we found turn out to be incorrect, we could run a dictionary attack against the login page with hydra.

flag1(key-1-of-3)
fsocity.dic

Now let’s go to the login page and enter the credentials we found earlier in the license directory.

/wp-admin

After logging in we learn that it is a WordPress site running version 4.3.1. In these scenarios we generally try to upload a reverse shell: we will paste Pentest Monkey’s PHP reverse shell into Appearance → Editor, selecting 404.php on the right.


You just have to change the IP address in the script to your own IP address and pick any port you like.

You can find your IP address with the ifconfig command; it is the address listed under the tun0 interface.

ifconfig command

After changing the IP address and port number, paste the script into the edit box for 404.php.

404.php

Now save the template and start netcat listening on the chosen port (9999 in my case) by running this command in the terminal:

nc -nlvp 9999

Now either visit the 404 page in the browser or request it with curl from the terminal to trigger the reverse shell.


Now check the netcat listener: the reverse shell should have connected back.

Voila!! we opened a reverse shell
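From the defender’s side, both the gobuster scan above and the theme-editor reverse shell leave obvious traces in the web server’s access log. The following Python is an added example, not code from the original write-up or from TryHackMe: it parses a few constructed Apache-style log lines (the client addresses, timestamps, user agents and theme path are all made up) and flags (a) a client that triggers many 404s in a short window, the signature of directory brute-forcing, and (b) any POST to /wp-admin/theme-editor.php, which is the request that writes the PHP into 404.php.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache "combined" format). None of these
# come from the original write-up; 10.0.0.5 / 10.0.0.9 are made-up client IPs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2020:12:00:01 +0000] "GET /admin HTTP/1.1" 404 209 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:01 +0000] "GET /backup HTTP/1.1" 404 209 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:02 +0000] "GET /readme HTTP/1.1" 200 64 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:02 +0000] "GET /license HTTP/1.1" 200 309 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:03 +0000] "GET /test HTTP/1.1" 404 209 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:03 +0000] "GET /old HTTP/1.1" 404 209 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Nov/2020:12:00:04 +0000] "GET /tmp HTTP/1.1" 404 209 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Nov/2020:12:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2020:12:07:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2020:12:08:00 +0000] "GET /wp-content/themes/example-theme/404.php HTTP/1.1" 200 0 "-" "curl/7.72.0"
"""

# One regex for the combined log format: client, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_bruteforce(entries, threshold=5, window_seconds=60):
    """Return the set of client IPs that produced >= threshold 404s inside
    any sliding window of window_seconds. Wordlist scanners generate these
    bursts because most guessed directory names do not exist."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def find_theme_edits(entries):
    """Return (ip, path) for every POST to the WordPress theme editor.
    A legitimate admin rarely edits theme files through the web UI, so
    each hit deserves review against the theme files on disk."""
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "POST"
            and e["path"].startswith("/wp-admin/theme-editor.php")]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("directory brute-force from:", sorted(find_bruteforce(entries)))
    print("theme editor writes:", find_theme_edits(entries))
```

The same client appears in both detections, which is the correlation a responder wants: scanning, then a login, then a theme file written, then a non-browser user agent fetching that file. Beyond detection, the theme-editor route can be closed entirely by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, which removes Appearance → Editor, and by running a current WordPress release rather than 4.3.1.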
We cannot read key-2-of-3.txt

As you can see, we need to be the user robot to read key-2-of-3.txt, but we can still read the password.raw.md5 file, so let’s do that.


The file name tells us this is an MD5 hash, so let’s try to crack it using the website CrackStation.

Voila!! we cracked the hashed password
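CrackStation can answer instantly because the file stores a bare, unsalted MD5: the same password always yields the same digest, so one precomputed table serves every lookup. The Python below is an added example, not from the original write-up; it uses a constructed wordlist and a constructed password (winter2020, not the VM’s) to show the unsalted digest being recovered from a precomputed table, and then shows why a per-user salt with a slow KDF (PBKDF2-HMAC-SHA256 here) makes the same precomputed table useless.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary file; not fsocity.dic.
WORDLIST = ["password", "letmein", "qwerty", "winter2020", "dragon"]

# Constructed "password.raw.md5" contents: an unsalted MD5 of winter2020.
STORED_MD5 = hashlib.md5(b"winter2020").hexdigest()


def build_md5_table(words):
    """Precompute digest -> plaintext once; this is what a lookup service
    does at scale, and it works only because there is no salt."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_md5(table, digest):
    """Recover a plaintext from an unsalted MD5 by table lookup, or None."""
    return table.get(digest.strip().lower())


def hash_password(password, salt=None, iterations=200_000):
    """Store passwords this way instead: random per-user salt plus a slow
    KDF. Returns (salt, derived_key); both are stored next to the user."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_password(password, salt, dk, iterations=200_000):
    """Constant-time comparison so verification does not leak via timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def demo_unsalted():
    """Unsalted MD5: the precomputed table recovers the password directly."""
    return lookup_md5(build_md5_table(WORDLIST), STORED_MD5)


def demo_salted():
    """Salted KDF: a table precomputed under one salt (all-zero bytes here)
    contains nothing that matches the same password stored under a
    different per-user salt, so precomputation no longer pays off."""
    salt_a = b"\x00" * 16
    table = {hashlib.pbkdf2_hmac("sha256", w.encode(), salt_a, 1000).hex(): w
             for w in WORDLIST}
    _, dk = hash_password("winter2020", salt=b"\x01" * 16, iterations=1000)
    return table.get(dk.hex())


if __name__ == "__main__":
    print("unsalted MD5 lookup:", demo_unsalted())   # winter2020
    print("salted PBKDF2 lookup:", demo_salted())    # None
    salt, dk = hash_password("winter2020")
    print("verify correct:", verify_password("winter2020", salt, dk))
    print("verify wrong:", verify_password("winter2021", salt, dk))
```

A salt does not stop a targeted dictionary run against one user; it forces the attacker to redo the work per user, and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one. A password file readable by an unprivileged web-server account, as here, is the other half of the problem.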

After getting the password for the user robot now let’s try to switch the user.

Switching user to robot

To switch users we need a proper terminal (TTY), and /bin/sh -i does not give us one, so we spawn one using the method shown in the screenshot.

opening the key-2-of-3.txt

Privilege Escalation

Now, to capture the third flag we need to escalate from the user to root. For that we need to find which programs have the SUID bit set (permission 4000).

We see nmap here

The logic is that Nmap has the SUID bit set. Administrators often set the SUID bit on nmap so it can scan the network effectively, because many of Nmap’s scanning techniques do not work unless it is run with root privileges.

However, older versions of Nmap have an interactive mode that allows you to escape to a shell. Because the SUID bit is set, Nmap runs with root privileges, and through its interactive mode we can get a root shell.

Key 3 captured
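The setuid search that turned up nmap is also the audit a defender should run on a schedule. The Python below is an added example, not from the original write-up or from TryHackMe: it walks a directory tree, lists every regular file with the setuid bit set, and reports anything not in a constructed baseline of expected setuid binaries. The demo tree it builds (passwd and nmap setuid, cat not) is created in a temporary directory so the code runs without touching the real filesystem; the baseline paths are illustrative, not a complete list for any distribution.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid programs that are expected on this host.
# Paths are relative to the audited root; anything else found is reported.
BASELINE = {"usr/bin/passwd", "usr/bin/sudo", "bin/su"}


def find_setuid(root):
    """Return sorted relative paths of regular files under root whose mode
    has the setuid bit. lstat is used so symlinks are not followed, and
    unreadable entries are skipped rather than aborting the audit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def unexpected_setuid(root, baseline=BASELINE):
    """Setuid files that are not in the approved baseline."""
    return [p for p in find_setuid(root) if p not in baseline]


def build_demo_tree():
    """Constructed filesystem for the demo: passwd and nmap carry the
    setuid bit, cat does not. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = [("usr/bin/passwd", True), ("usr/bin/nmap", True), ("bin/cat", False)]
    for rel, setuid in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("#!/bin/sh\n")
        mode = 0o755 | (stat.S_ISUID if setuid else 0)
        os.chmod(full, mode)
    return root


def demo_audit():
    """Run the audit against the constructed tree; only nmap is unexpected."""
    return unexpected_setuid(build_demo_tree())


if __name__ == "__main__":
    root = build_demo_tree()
    print("all setuid files:", find_setuid(root))
    print("unexpected setuid files:", unexpected_setuid(root))
```

Pointing unexpected_setuid("/") at a real host gives the same view as find / -perm -4000 -type f filtered against a baseline, and diffing the output over time catches bits that appear after the initial build. The fix for the case in this room is to drop the bit (chmod u-s on the binary); where unprivileged users genuinely need raw-socket scans, granting the specific capability (cap_net_raw) is far narrower than running the whole program as root.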

Personal conclusion on TryHackMe

Personally, I’ve had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from the others, which gives a huge learning opportunity as well. I would try to upload writeups of rooms that I found interesting, but for now, I hope you also learned something from this writeup.
