CTF - Mr Robot Walkthrough
This is my walkthrough of the MrRobot CTF room. It is available on both tryhackme.com and vulnhub.com.
First I started with an Nmap scan, using -sV to scan for service versions and -sC to run the default scripts. The results showed that port 22 (SSH) was closed and ports 80 and 443 were open.
nmap -sC -sV 10.10.191.235
With this information I also decided to run gobuster.
gobuster dir -u 10.10.191.235 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
From this I found two interesting results, wp-admin and robots.txt, as well as a few others; however, these two progressed me through the CTF.
In robots.txt we find fsocity.dic, which I found to be a wordlist, and my first key, key-1-of-3.txt. I use curl to view the key file and wget to download the wordlist.
curl 10.10.191.235/key-1-of-3.txt
wget 10.10.191.235/fsocity.dic
Next I go to the wp-admin page. When a username is entered, the login page responds differently for correct and incorrect usernames, regardless of whether the password is correct. So what I first do is get the username and password fields from Burp Suite.
Now that I have found this, I use hydra to first find the username, keeping the password as a constant value. With this we find the username Elliot.
hydra -L fsocity.dic -p pencer 10.10.191.235 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.191.235%2Fwp-admin%2F&testcookie=1:F=Invalid username"
Then we do the same with the user as the constant, so -l Elliot and -P fsocity.dic, as the lower-case option takes an exact value and the upper-case option takes a wordlist.
From here we have the username and password, Elliot and ER28-0652, and I use these to log in to the WordPress website. From here I use a PHP reverse shell from revshell.com, and I choose the 404.php template. Then I start a listener with nc -lvnp 9001.
From here I upgraded the simple shell to a functional shell using the Python pty module. This lets you spawn a pseudo-terminal that can fool commands like su into thinking they are in an actual terminal.
python -c 'import pty; pty.spawn("/bin/bash")'
After navigating the file system, in the home/robot directory I find two files: key-2-of-3 and an MD5 password hash. I try to read the key file, however I don't have the permissions, so I first crack the hash to find the password. I assume this hash is a password for super user. After cracking the hash I find the password to be abcdefghijklmnopqrstuvwxyz and use this.
Writing still in Progress Sorry! Check Back later!