TryHackMe | CTF | Mr. Robot

Kapish Kuchroo
4 min read, Jul 10, 2021

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine. TryHackMe presents this wonderful box to capture the root flag of the machine. Check out the box https://tryhackme.com/room/mrrobot.

1. Enumerate

Let's find out which ports are open on this machine.

Ports 80 and 443 are open on the machine. If you enter the IP address in the URL bar, you will see a website. The website itself is not that useful, but while crawling it I found an interesting file, robots.txt. I used gobuster to crawl the website and look for any hidden directories.

http://10.10.115.207/robots.txt , http://10.10.115.207/wp-login.php

<IP address of the machine>/robots.txt

I found these two entries in robots.txt.

I downloaded fsocity.dic, a wordlist that would probably be useful for brute forcing later.

First flag found at <IP address of the machine>/key-1-of-3.txt

Moving on to the next part of the enumeration, I found the WordPress login page.

http://10.10.115.207/wp-login.php

2. Brute Forcing

Brute forcing is done with the help of Burp Suite.

Steps: First I turned on FoxyProxy in Firefox and intercepted the login request with Burp Suite.
I sent the whole request to Intruder and loaded fsocity.dic as the payload. I marked the username and password fields as the insertion points and, after quite some time, found the username and password.
Username: Elliot
Password: ER28-0652
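
The Intruder run above hammers wp-login.php with the fsocity.dic wordlist, and that pattern is easy to spot from the defender's side in the web server's access log. As an added example that is not part of the original walkthrough, the Python below parses combined-format log lines (constructed here, not captured from the box), counts POSTs to wp-login.php per source address in a sliding window, and flags a 302 that follows a burst of 200 responses, since WordPress re-renders the form with 200 on a failed login and redirects with 302 on success. The addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_wp_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs with >= threshold failed POSTs to wp-login.php inside window_s seconds.
    WordPress re-renders the form with 200 on failure and redirects with 302 on success."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    alerts = {}
    for ip, events in posts.items():
        recent, flagged, success_after = [], False, False   # recent = failures in window
        for ts, status in sorted(events):
            if status == 200:
                recent = [t for t in recent if (ts - t).total_seconds() <= window_s] + [ts]
                flagged = flagged or len(recent) >= threshold
            elif status == 302 and flagged:   # a redirect after the burst: a guess worked
                success_after = True
        if flagged:
            alerts[ip] = {"failures": sum(1 for _, s in events if s == 200),
                          "success_after_failures": success_after}
    return alerts

# Constructed sample log (assumed addresses): one normal login from 10.10.14.9, then six
# failed guesses from 10.10.14.5 within seven seconds, followed by a successful one.
_GUESSES = "".join(
    f'10.10.14.5 - - [10/Jul/2021:12:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3012\n'
    for s in range(6))
SAMPLE_LOG = (
    '10.10.14.9 - - [10/Jul/2021:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0\n'
    + _GUESSES
    + '10.10.14.5 - - [10/Jul/2021:12:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0\n')
```

Running detect_wp_bruteforce(SAMPLE_LOG.splitlines()) reports only 10.10.14.5, with six failures and a successful login after them; the single normal login is not flagged.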

I logged into WordPress with the credentials found above and started looking around the site. From the hint in the room description, I understood that I needed to upload a PHP reverse shell.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

First, I started a netcat listener on my machine: nc -lvnp 53
I pasted the reverse shell into the archive template. You can use either the 404 template or the archive template; anything that gives us space to upload PHP code will work. Make sure to change the IP address in the PHP reverse shell to your machine's address. You can change the port to 53, since it is the DNS port and the one most likely to be allowed out when the reverse shell is spawned.

Press the edit button and you will get a confirmation that the contents were updated.

The next hurdle is to run the PHP reverse shell. The screenshot below shows the URL you need to type in the address bar to trigger it.
<IP address of the machine>/wp-content/themes/twentyfifteen/archive.php

Crucial step to spawn the shell.

3. Capture the user flag

I moved to the /home directory and found the robot user. I was not permitted to cat key-2-of-3.txt.

So I cracked the MD5 hash available there with CrackStation and switched user to robot.

After that I was able to find the second key.

4. Privilege Escalation

Privilege escalation is done through the SUID bit. I listed the SUID/SGID binaries with:
find / -perm /6000 2>/dev/null | grep 'bin'
(older versions of find spell the permission test as -perm +6000, which current GNU find no longer accepts)

I saw the hint was related to nmap, so I went to GTFOBins to see how privilege escalation is done with it. I followed two steps (interactive mode only exists in older nmap releases, which is why this works on this box):
1. nmap --interactive
2. !sh

Woop woop!!
I changed directory to /root and finally found my third and final flag.

Leave claps 👏🏽 and follow me on Medium for more CTF walkthroughs.
Cheers!! 🥂
