Wednesday, 7 March 2018

Mr Robot CTF

Today I had some time to check the Mr-Robot CTF created by Leon Johnson. It was a pretty cool CTF; you should definitely try it. :] Below you will find the details of how I solved it. Here we go...

As usual, once the machine was ready I started my scan with nmap:



More detailed scan:


OK, let's check the WWW:


A few results I tried:

The link found was not the case, I think:

Checking the next link found by dirb:

Next one:


And a few hints from MrRobot ;>


More:

...and more...

...checking more results from the scan:


[:


More people in the room...


... so I decided to go back to our www-shell:


View the source:





So yes, we have some more info about the WordPress... Back to the dirb results:


I downloaded both files to my Kali box:


Checking the content(s):



More links to gather some details?

I also found another interesting file, in /admin/robot:

Checking:


Looking what's inside the directory:

I decided that maybe wpscan would reveal some more details (I was looking for RCE or SQLi bugs in the plugins installed there). This is what I found:


In the meantime I was checking the password for /wp-login.php. You'll find the details below:


I decided to use the fsocity file (but this time I switched to Burp):


After a "while" I wasn't sure whether the username 'admin' was right. The next guess was elliot... (anderson/mrrobot/and so on...), so checking:


This took a little longer, but finally we've got it:


Checking:


Looks good, so my next step was to create a small www-shell (a similar idea was used in Napalm), check it out:


The new content (for 404.php) will now be:

Checking:

Good. :]

Let's get some more details about the machine:



Oh, Bitnami :] looks familiar [1,2,3,4] ;] So I think it's a good time for a shell:


(What's this:

Cool :] Ok... )

Maybe the WordPress config is the hint?

Well, I don't know yet. I was wondering why my reverse shell was not being saved on the remote host...

After a while I found that I could write to the /wp-content/ directory; that was the key:


Looking for other interesting files, I found the robot user in the /home directory with the following files:

More details, WordPress users:


OK, my php-shell file is already there, but why is it 0 bytes?

The answer was simple: this was a similar kind of 'protection' to what we saw in the last cases. The idea to bypass it was: base64-encode reverse-shell.php, wget it to the target machine, and decode the base64 content of the file into another, new PHP shell. See below:

Results:


Spawning a pty to get a better view:

Good, but we still cannot grab the 2nd key. Let's check this MD5 hash:

Checking if this is robot's valid password:


Great, we are now the new user, robot. It should be possible to read the key:


When you look around for privilege escalations, I think the easiest one will be to find a root exploit for the kernel... but another one will be to check nmap's permissions (here you will find a nice post about it):
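A defender-side check for the misconfiguration used here, added as an example that is not part of the original post: it audits a filesystem tree for setuid binaries, flags any on a watch list of programs that can hand out a shell when run with elevated privileges (nmap being the one this write-up relies on), and prints the chmod that would strip the bit. The watch list and the function names are my own assumptions, not from any tool.

```shell
#!/bin/sh
# Setuid audit (added example). Finds setuid files under a root directory,
# flags the ones whose basename is on a watch list, and prints a dry-run
# remediation so an admin can review before changing anything.

# ASSUMPTION: small illustrative watch list; nmap is here because the
# write-up checks its permissions. Extend it for your own hosts.
SUID_WATCHLIST="nmap find vim"

# list_suid ROOT: print every regular file under ROOT with the setuid bit set,
# staying on one filesystem and ignoring unreadable subtrees
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# flag_suid ROOT: print only the setuid files whose basename is on the watch list
flag_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for w in $SUID_WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# suggest_fix ROOT: print, without running it, the chmod that removes the
# setuid bit from each flagged file
suggest_fix() {
    flag_suid "$1" | while IFS= read -r path; do
        printf 'chmod u-s %s\n' "$path"
    done
}

# Usage when sourced or run on a host:  suggest_fix /
```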

Let's try:


Great ;]

Sometimes I like to verify root access by reading the shadow file, so...


... you can also check .bash_history to see how the machine was prepared.


The final 3rd key:


I must say that this was a very nice CTF. Not as hard as I thought at the beginning, but very good to check anyway. :]

Big thanks again to the author as well as to VulnHub for hosting all of those games!

Cheers
o/