CTF - Mr Robot Walkthrough


This is my walkthrough of the MrRobot CTF room. This is available on both tryhackme.com and vulnhub.com.

First I started with an Nmap scan, using -sV to scan for versions and -sC for default scripts. The results I found were that port 22 (SSH) was closed and ports 80 and 443 were open.

nmap -sC -sV 10.10.191.235


With this information I also decide to run gobuster.

gobuster dir -u 10.10.191.235 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


From this I find two interesting results, wp-admin and robots.txt, as well as a few others; however, these two progressed me through the CTF.


In robots.txt we find fsocity.dic, which I find to be a wordlist, and my first key, key-1-of-3.txt. I use curl to view the key file and wget to download the wordlist.

curl 10.10.191.235/key-1-of-3.txt


wget 10.10.191.235/fsocity.dic


Next I go to the wp-admin page. When a username is entered, it responds differently for correct and incorrect usernames, regardless of the correctness of the password. So what I first do is get the username and password fields from Burp Suite.


Now that I have found this, I use hydra to first find the username, having the password as a constant value. With this we find the result Elliot as the username.

hydra -L fsocity.dic -p pencer 10.10.191.235 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.191.235%2Fwp-admin%2F&testcookie=1:F=Invalid username"


Then we do the same with the user as the constant, so -l Elliot and -P fsocity.dic, as lower case is for exact values and upper case is for wordlists.


From here we have the username and password, Elliot and ER28-0652, and I use these to log in to the WordPress website. From here I use a PHP reverse shell from revshell.com; I choose the 404.php template. Then I use nc -lvnp 9001.


From here I upgraded the simple shell to a functional shell using the Python pty module. This lets you spawn a pseudo-terminal that can fool commands like su into thinking they are in an actual terminal.

python -c 'import pty; pty.spawn("/bin/bash")'


After navigating the file system, in the home/robot directory I find two files: key-2-of-3 and an MD5 password hash. I try to read the key file, however I don't have the permissions, so I first reverse the hash and find the password. I assume this hash is a password for super user. After cracking the hash I find the password to be abcdefghijklmnopqrstuvwxyz and use this.

Writing still in Progress Sorry! Check Back later!