TryHackMe: Mr. Robot CTF Writeup
IP = 10.10.84.57*
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
A Mr. Robot themed machine (I haven't seen the series itself but I will watch it if I have some time to spare.) which involves getting a foothold in a Wordpress site using the sensitive file we will get on the web server. Without further ado, let's get started in hacking!
Scoping and Preparation
Connect to Tryhackme OpenVPN Server using:
sudo openvpn [.ovpn_file]
I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding entry to
1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
You can also download the release binary by using
go install :
go install github.com/hambyhacks/CTFRecon-Go@latest
CTFRecon-Go if installed using
sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
Preliminary Enumeration via nmap
Table 1.1: nmap Results Summary
Nmap result does not give so much information, so we need to proceed to enumerate the web server at port 80 and 443.
In the webpage, we can see that there are set of commands that we can use to see how the web server works.
Looking through the source code, we can see there are some
wappalyzer, we managed to enumerate the versions of technologies used the web server. The one that stands out is knowing that the webpage is running
By gut feeling, I typed in the URL search bar
robots.txt to see if there are some sort of directories we can look at and voila, we found some interesting files.
key-1-of-3.txt are listed on
robots.txt file. Type that in the URL search bar and download them. ( key-1-of-3.txt is the web flag.)
Let's look inside the contents of the file named
fsocity.dic. Just by looking at the file extension, I got some feeling that this file is a dictionary file that we can use for bruteforcing the login in webpage specifically in
/wp-login.php. But for the sake of completeness, we will check the contents of the file.
As shown in the image above, using the
file command does not give us anything useful. ( if there is something useful, don't hesitate to tell me. I am still a newbie and keeps on learning!)
Looking inside the contents of the file
fsocity.dic, it seems like a passwords list. Let's check how many lines does the file have.
Oof, thats a lot of line count to use in a bruteforcing tool such as
hydra. But we can check if those lines are duplicate and remove them. We can use the
sort -u fsocity.dic > [FILENAME_FOR_SORTED_fsocity.dic]
Let's check now if there are improvements for the file.
Phew! That's a relief! From 800k+ lines to 11k+ lines. We can now try to use this sorted file in a bruteforce tool such as
hydra and etc.
Before that, we can navigate through different endpoints in the web server.
Knowing that the webpage is running
WordPress, we can check the login page by visiting the endpoint:
We have dictionary for possible usernames and passwords for the machine but 11k lines of words will still take long for us to bruteforce. Since it is a
Mr. Robot themed box, the name of characters in the series must be one of the username used in the machine. Searching through google, I looked for the characters list.
Also by reading the wiki,
Elliot Alderson is the main character in the series. Let's try if
elliot is a possible user in the webpage.
The login form gives so much verbosity that confirms our guess that
elliot is a valid user in the webpage.
There are 2 exploitation paths we can use:
- bruteforcing the login page at
I used the method 2 because the exploits I found on github are outdated and written in
python2 which gives me a lot to troubleshoot. ( I am still learning how to code and will try to implement the exploit using Golang.)
We have a username and possible dictionary of usernames and passwords and we also know that the webpage is running
WordPress. We can now try to exploit the webpage by bruteforcing the login page in
Steps to reproduce
- Intercept the login HTTP request at
- At the bottom of HTTP request, copy the line that looks like login parameters. (ex:
hydra, we can now try to brute force the login form by using the module
https-post-form. I removed the parameter
Sas success string for
hydrato find if it successfully found the password.
hydra -l [USERNAME] -P [PASSWORD_LIST] [IP] https-form-post '/wp-login.php:log=elliot&pwd=^PASS^&wp_submit=Log In&testcookie=1:S=Location' -t 64 -I
S string looks for
Location header in the HTTP response if it successfully logged in the webpage.
5. After some time,
hydra managed to get the credentials for
6. We can now login through the webpage as
7. Still we do not have foothold on the internal machine.
8. I created a
.php file contains simple and not malicious code, phpinfo().
9. We can try to find some upload functionality to test if we can have a shell in the machine.
10. We tried to upload
.php file as media for the post but failed. We can try to confuse the filters and try to upload a
11. Yay! We successfully bypassed the upload filter! But the real question is, will it run?
12. Sadly, there is an error on our file, so we need to find another way to have foothold.
13. Looking at
/wp-admin/theme-editor.php, we can edit some code!
14. Let's try to edit some templates specifically
404.php which loads when the web server receives HTTP 404 error as response.
15. But where do we find the templates we just edited? Let's ask google!
16. We now know where it resides and the theme we are editing is named
twenty-fifteen. We can guess that the theme resides in
17. Since the edited
404.php file can be executed, we can try to edit again the file so we can gain a shell on the machine.
18. Using PentestMonkey's php reverse shell, I edited the
404.php to a reverse shell file.
19. Start a netcat listener at your specified port and navigate to
nc -lvnp [PORT]
20. Reverse shell should pop after navigating to
Table 1.2: Credentials
Table 1.3: Checklist for Linux Internal Enumeration
Notes: For more information about the commands look here
Navigating through the machine, we can see there is
python3 binary and also enumerated the users in the machine which has name
Let's look at the
/home/robot directory contents.
Using CrackStation, we managed to retrieve the password for
Such a simple but long password! We can now move laterally using
We cannot use
Using the checklist above, I looked first if there are
SUID binaries that we can use for privilege escalation.
nmap binary that has
SUID permissions! Let's check out GTFOBins to see if we can use this as a vector for privilege escalation. Which turns out we can!
To elevate our privileges:
The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.
Copied the /etc/shadow file for user identification and their passwords.
Added another root user for easy access.
Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.
Feel free to reach out and if there is something wrong about the above post. Feedback are also appreciated! :D
Not required but appreciated! :D
Originally published at https://hambyhacks.hashnode.dev.