Open in app

Sign in

Write

Sign in

TryHackMe MrRobot CTF Walkthrough

Brittany Morris
6 min readMar 2, 2021

--

SPOILERS AHEAD!

Things to remember: Watch your time on HackTheBox and make sure you don’t run out of time or you will get a completely new IP address the next time you start it!

Run Reconnaissance Scans

I make a point to save all my reconnaissance scans as text files just in case I close the terminal or something happens I can always go back and review them.

dirb http://10.10.91.123 /usr/share/dirb/wordlists/common.txt -r -o dirbmrrobot.txt

nikto -h 10.10.91.123 -output niktomrrobot.txt

sudo nmap 10.10.91.123 | tee nmapgenmrrobot.txt

After completing the reconnaissance scans I reviewed them and found the following that could lead to something of use.

dirb shows the presence of:

  • /readme : dead end
  • /wp-login : wordpress log in page
  • /robots.txt

Under Robots.txt

  • fsocity.dic : a dictionary of what appear to be passwords
  • key1-of-3.txt : the flag for key 1

Key 1

Under 10.10.91.123/robots.txt we find two files. When you go to 10.10.91.123/key-1-of-3.txt you get 073403c8a58a1f80d943455fb30724b9. Key 1 done!

After finding key 1 I move my attention to the wordpress log in site. I tried a few obvious options like admin / admin and got the error invalid username. Then being a fan of the show I figured I would try elliot / fsociety which gave me the error “The password you entered for the username elliot is incorrect.” This type of error then lets me know that elliot is a valid username and now I can use the wordlist downloaded to run a hydra attack.

Before running a hyrda attack lets organize the dictionary of words to make sure we don’t have duplicates. First we will start with a line count:

wc -l fsocity.dic

This shows us the file has 858,160 lines. From there lets sort it and remove the duplicates using:

sort fsocity.dic | uniq > elliotpass.txt

Now we will check if there were duplicates:

wc -l elliotpass.txt

The elliotpass.txt file is showing 11,451 lines! So we were able to remove duplicates and that should help make the hydra attack a bit more efficient. Using the inspect element toolbar in the firefox browser I was able to send a post request with a password I know would fail and that gave me all I needed to be able to create a Hydra Attack.

Note that it isn’t neccessary to include -vV (very verbose) in the hydra attack, I just do this so that I can see that it is working. -l will be the username and -P is the wordlist you want hydra to use for the scan.

hydra -vV -l elliot -P elliotpass.txt 10.10.91.123 http-post-form “/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.91.123%2Fwp-admin%2F&testcookie=1:The password you entered”

The password returned in the hydra scan around mid 5,000 attempt mark was ER28–0652. We try that and successfully get in! From here we can add a page that contains a reverse shell and should be able to gain access. First we will go to Appearence> Editor and pick one of the templates. I picked 404.php. I replaced the code present with the reverse shell code. In kali under the directory /usr/share/webshells/php you are able to find php-reverse-shell.php and we will use this script to create our shell. So I will open this file and copy and paste it into the page on the wordpress site remembering to change the ip and port in the beginning of the code. From there you set up a listener using:

nc -nvlp 5521

Then we attempt to view a page we know doesn’t exist to trigger the 404 error page. The page I visited was 10.10.91.123/admin/blog. The page hangs like I want it to and now in my terminal I am able to navigate the system.

From here I will check if I can access the etc/passwd and etc/shadow files. I was not able to access the shadow file but did get passwd.

The next spot I will check is the home directory for the user. I am able to find key-2-of-3.txt and a password.raw-md5 file. When attempting to cat the key file I get permissions denied. When attempting to cat the password file I get robot:c3fcd3d76192e4007dfb496cca67e13b.

I will take this hash and run it through crackstation.net. Luckily this is a hash that has been solved before.

I was able to get the password of abcdefghijklmnopqrstuvwxyz. Now that we have a password we can try to log in as robot. When attempting to su into robot I get the error that it needs to be run on a terminal. Which means I need to get a shell. So now we need to get a shell by running:

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Now we run:

su robot

Key 2

When prompted for the password we enter the above cracked hash password and we gain access to robot. From here we will navigate to the home directory and cat the key-2-of-3.txt and get the key 822c73956184f694993bede3eb39f959 .

Key 3

Now on to Key 3. I spent quite a bit of time trying to navigate my shell to finally give in and look at the hint to find just the word nmap. So after a bit of research I came across the fact that you can use nmap as an interactive shell if the version isn’t secure. Luckily enough the version on this machine wasn’t secure. So I went into an interactive shell and into the root directory and found the 3rd key of 04787ddef27c3dee1ee161b21670b4e4 .

Now we have all 3 keys and can count this box as completed!

Tryhackme Walkthrough
Mr Robot
Hacking
Ethical Hacking
Cybersecurity

--

--

Brittany Morris

Written by Brittany Morris

3 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams