
TryHackMe - Mr Robot CTF - Write-Up

Mr Robot likely needs no introduction, and in this room we’re going to tackle a CTF built around the theme of the hit TV series. It is rated suitable for beginners and doesn’t require much outside-the-box thinking, so basic pentesting skills should be enough to get in and grab all three keys hidden inside the challenge.

What is key 1?

After firing up the machine we’ll proceed with the usual enumeration. Personally I like to take the lazy way and just browse to the IP to see if there’s a webserver running; since we do get a hit, we’ll start looking around while leaving an nmap scan running in the background.

The content of the web page ties in well with the TV show, but it doesn’t seem relevant to this challenge, and our nmap scan doesn’t give us much to go on either, so let’s try Gobuster next to see if there’s more to the webserver than first meets the eye.

Gobuster

And indeed there is. The entries with a 301 (redirect) status code aren’t that interesting, but those returning 200 should be checked out. There are some neat Easter eggs here and there which I’ll leave for you to find, but starting with the fittingly named /robots entry we can see two strings that look like filenames. Accessing those we’ll find both the first key, in key-1-of-3.txt, and a dictionary file which is likely to come in handy later down the road.

What is key 2?

Moving on, we can see that there’s a WordPress site running on the server, and since we have a dictionary file we can put two and two together: it likely contains either the username or the password we need, or maybe both.

We’ll quickly check ‘admin’, ‘administrator’ and ‘root’ as login names, but none of them seem to exist on the blog, so we’ll move on to finding the username.

There are many ways to achieve this, but we’ll go with BurpSuite this time. First we intercept the login request with the Proxy and forward it to the Intruder. Since we only want to find the username at this point, we clear all positions and add a single one on the username field. With the payload list loaded (the fsocity.dic file) we’re ready to go, and after starting the attack we wait for a request whose response length differs from the others.

BurpSuite

BurpSuite

It won’t take long until we notice that the string ‘Elliot’ produces a response length of 4120, and after facepalming at the obviousness of it we can verify the account by trying to log in with it and any password. The “ERROR: The password you entered for the username elliot is incorrect.” message confirms that the account does indeed exist; it is exactly this difference between the unknown-user and wrong-password messages that makes the username enumerable in the first place.

WordPress

We can follow the same steps to find the password, but this time we fill in the username we know and set the single position on the password field instead. Eventually we’ll hit the correct password, which lets us log in to WordPress.
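From the defender’s side, the signal the Intruder run relies on is just as visible in the web server’s access log: a burst of POSTs to wp-login.php from one address, with response sizes that are identical except for the one username that triggers a different error message. The following detector is an added example, not part of the original write-up; the log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format lines, not taken from the original post.
# 10.0.0.5 hammers wp-login.php; one response differs in size, the same
# "different length" signal the write-up used to spot a valid username.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4086 "-" "curl/7.81"
10.0.0.5 - - [17/Mar/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4086 "-" "curl/7.81"
10.0.0.5 - - [17/Mar/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4086 "-" "curl/7.81"
10.0.0.5 - - [17/Mar/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4086 "-" "curl/7.81"
10.0.0.5 - - [17/Mar/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.81"
10.0.0.5 - - [17/Mar/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4086 "-" "curl/7.81"
10.0.0.9 - - [17/Mar/2023:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Mar/2023:10:05:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, datetime, method, path, status, size), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts, m["method"], m["path"], int(m["status"]), size


def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs that send >= threshold failed wp-login.php POSTs inside a sliding window.

    A failed WordPress login re-renders the form with HTTP 200, while a success
    redirects (302), so only 200 responses count as attempts. The per-IP set of
    response sizes is reported too: many identical sizes plus one outlier is the
    footprint of an enumeration run against non-uniform error messages.
    """
    attempts = defaultdict(deque)  # ip -> timestamps of failed POSTs still inside the window
    sizes = defaultdict(set)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status, size = rec
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = attempts[ip]
        q.append(ts)
        sizes[ip].add(size)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = {"attempts_in_window": len(q), "response_sizes": sorted(sizes[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts_in_window']} failed logins, response sizes {info['response_sizes']}")
```

Two response sizes for one attacker is the tell worth acting on: uniform error text for unknown usernames and wrong passwords (WordPress exposes the `login_errors` filter for this) removes the oracle, and lockout or rate limiting on wp-login.php deals with the brute force itself.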

Looking around the blog we find no posts, no pages, basically nothing apart from a few seemingly unrelated images. Even the hint of “White coloured font” didn’t help me much, but eventually it clicked into place: we have administrative access to the WordPress site, so we can use it to drop a reverse shell and get onto the server itself!

Firing up a netcat listener, (lazily) pasting a php-reverse-shell from GitHub into the theme’s 404.php page and then requesting that page at wp-content/themes/twentyfifteen/404.php, we get a reverse shell from the host. We can use python3 -c 'import pty;pty.spawn("/bin/bash")' to upgrade the shell to something nicer to work with, but mainly we’re interested in who the shell is running as and where we can go from here.
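The theme editor route only works because WordPress lets an administrator write PHP into theme files from the dashboard, and what it leaves behind is a template with a fresh modification time that suddenly spawns processes. The following script is an added example, not part of the original post: it flags recently modified PHP files under a theme tree that call shell or eval primitives, and checks whether wp-config.php sets the real WordPress constant `DISALLOW_FILE_EDIT`, which removes the editor entirely. The directory fixture, its file contents and the age threshold are constructed for the demonstration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# PHP primitives a web shell almost always needs; a match is a lead to inspect, not proof.
SUSPICIOUS_PHP = re.compile(
    r"\b(shell_exec|exec|system|passthru|proc_open|popen|fsockopen|pcntl_exec|eval)\s*\(",
    re.IGNORECASE,
)


def scan_theme_dir(root, max_age_seconds=86400, now=None):
    """Return (relative_path, [primitives]) for PHP files under root that are both
    recently modified and call a process-spawning or eval primitive.

    The write-up's path was to overwrite a theme's 404.php through the theme
    editor, so the detection keys on exactly that artefact: a fresh mtime on a
    template file combined with shell-spawning functions.
    """
    now = time.time() if now is None else now
    hits = []
    for path in Path(root).rglob("*.php"):
        st = path.stat()
        if now - st.st_mtime > max_age_seconds:
            continue  # untouched for longer than the window; skip
        text = path.read_text(errors="replace")
        found = sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(text)})
        if found:
            hits.append((str(path.relative_to(root)), found))
    return sorted(hits)


def file_edit_disabled(wp_config_text):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true, which hides the theme/plugin editor."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config_text) is not None


def build_demo_tree():
    """Constructed fixture: a tiny theme tree with one clean and one tampered template."""
    root = tempfile.mkdtemp()
    theme = Path(root, "wp-content", "themes", "twentyfifteen")
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); get_footer();\n")
    # Stand-in for a tampered template: constructed, only needs to trip the detector.
    (theme / "404.php").write_text("<?php /* constructed fixture */ system('id');\n")
    # Backdate the clean file so only the tampered one counts as "recent".
    old = time.time() - 30 * 86400
    os.utime(theme / "index.php", (old, old))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, prims in scan_theme_dir(demo_root):
        print(f"recently modified and suspicious: {rel} -> {', '.join(prims)}")
    print("editor disabled:", file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

Run against a real install, point `scan_theme_dir` at the WordPress root and tune `max_age_seconds` to how often legitimate theme updates happen; a hit on a template the site never edits is worth a diff against the upstream theme package, and setting `DISALLOW_FILE_EDIT` closes the route the write-up used regardless of whether the admin password holds.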

The current user, daemon, isn’t too interesting, so we move on and check the /home directory, which holds just one subdirectory: robot. It contains two files, the next key and password.raw-md5. Unsurprisingly we can’t read the key just yet, but the password file gives us the username robot followed by an MD5 hash of the password. We can either crack it against the dictionary file we have with something like John the Ripper, or take the lazy way out and look it up on CrackStation. Either way works, and now we’re able to switch to the robot user and cat the key-2-of-3.txt file. One more to go.

What is key 3?

At this point it’s easy to guess that the last key will require root access, and a good place to start is checking for binaries with the SUID bit set. We can use find / -user root -perm -4000 -exec ls -ldb {} \; to list the root-owned SUID binaries on the system, and one of them really stands out: nmap.

Looking for SUID

We’ll check GTFOBins to see if there’s something we can use, and indeed there is. Settling for the easy route, we run nmap --interactive to enter interactive mode and then use !sh to launch a shell, which thanks to the SUID bit runs as root.
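The find command above is also the audit a defender should be running; what turns a listing into an alert is comparing it against the set of SUID binaries the system is supposed to have, since nmap has no business carrying the SUID bit. The following script is an added example, not from the write-up: it reimplements the `-perm -4000 -user root` walk with `os.walk` and diffs the result against an approved baseline. The fixture tree and the baseline list are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_suid(root, owner_uid=0):
    """Walk root and return sorted paths of regular files with the SUID bit set.

    owner_uid=0 mirrors the write-up's `find / -user root -perm -4000`;
    pass None to ignore ownership (needed to exercise this without root).
    Symlinks are skipped via lstat so a link to a SUID file is not double counted.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # vanished or unreadable; not worth aborting the audit
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(p)
    return sorted(hits)


def suid_drift(current, baseline):
    """Split the current SUID set into (new, missing) relative to an approved baseline."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)


def build_demo_tree():
    """Constructed fixture: a fake usr/local/bin with two SUID files and one normal file."""
    root = tempfile.mkdtemp()
    bindir = Path(root, "usr", "local", "bin")
    bindir.mkdir(parents=True)
    for name, mode in (("passwd", 0o4755), ("nmap", 0o4755), ("ls", 0o755)):
        f = bindir / name
        f.write_text("#!/bin/sh\n")
        os.chmod(f, mode)  # chmod after writing, since writes can clear the SUID bit
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_suid(demo_root, owner_uid=None)
    # The baseline is constructed: only passwd is expected to be SUID in this fixture.
    approved = [os.path.join(demo_root, "usr", "local", "bin", "passwd")]
    new, missing = suid_drift(found, approved)
    for p in new:
        print("unexpected SUID binary:", p)
    for p in missing:
        print("approved SUID binary no longer SUID:", p)
```

On a real host, run `find_suid("/")` as root, keep the approved list under version control, and treat every entry in `new` as an incident to explain; the remediation for a binary like nmap is simply `chmod u-s` on it, and the diff approach also catches the reverse case where a legitimately SUID helper has been replaced.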

PrivEsc

Verify with whoami, and since we’re home free we can just cat /root/key-3-of-3.txt and pat ourselves on the back for a job well done.

This post is licensed under CC BY 4.0 by the author.