Skip to content

Latest commit

 

History

History

mr-robot-ctf

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
images
images
 
 
README.md
README.md
 
 

README.md

Mr. Robot CTF

Scan the Machine

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Nmap Scan

Looks like we have two ports open: 80, 443

Let's check the webpage. The webpage is fascinating but nothing much to work with.

Run a GoBuster -> gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -t 50

It will take few minutes to finish and you will get a lot of directories. The important ones are:

  • /robots.txt
  • /license -> This is fascinating page, must check 😜
  • /login
  • /wp_login

ROBOTS.TXT

Robot.txt

  • key-1-of-3.txt: Open the file, there is your first key.
  • fsocity.dic: Download the file. I opened the file looks like a lots of words.

Total Words

LICENSE

Sorry! for wasting your time there.

LOGIN

It seems a redirection to wp-login.php.

Login Page

Putting pieces together:

  • Dictionary with a lot of Words.
  • Login Page.

Vola! We can bruteforce. Dictionary is a key/value pair, so it can have username and password both. Fireup your BurpSuite

We can bruteforce username and password together but the total combination will be to much. So first we will try username and then password.

  1. Intercept the reqeust.
  2. Send it to Intruder.
  3. Add only username.

BurpSuite

  1. Select fsocity.dic as a payload and start the attack.

Username

BAAM! Username found. It's Elliot (obviously).

Now that we have username, we can run the same attack for password. HEADSUP! I did that and it took like forever. Therefore, I recommend you guys to use Hydra -> hydra -l Elliot -P fsocity.dic 10.10.51.99 http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^: The password you entered"

You can get the log= part from the BurpSuite when you intercepted the request.

The reason is, it will take too much time as the password is at line 858,151. Password is ER28-0652 (this is Elliot's Employee Number)

Grep Pass

Log in with Elliot:ER28-0652.

Login

We have the access to the PANEL. Search around and look for something interesting.

After spending a bit of time around. I found an injection point as Image Upload. I tried different things but it was hard-coded. Later, I found the page edit option Appearance > Editor; which has .php file.

So can we can add reverse-shell.php in any of the pages. I will be using 404.php but you can also use any other .php.

404 Page

Paste the reverse-shell code and change the IP to your IP and the PORT.

Change Port

Before opening the page, start a netcat listener using cmd nc -lvnp 4444

Listener

Save the webpage and go to http://<IP>/404.php. You will see a connection. First things First, we will stable the shell using python -c 'import pty;pty.spwan("/bin/bash")'

Shell Stable

There is flag in /home/robot but we do not have permission to read it.

Cannot Read files

But we do have permission to read password.raw-md5 file.

Content

Looks like user robot and its password hashed as Raw-MD5. We can crack this using Crack Station or JohnTheRipper -> john hash.txt --wordlist=fsocity.dic --format=Raw-MD5.

Crack Station

I used Crack Station. Credential -> robot:abcdefghijklmnopqrstuvwxyz

We can login as robot using su command.

Robot User

Now that we have access as robot, we can read key-2-of-3.txt.

Key 2

Privilege Escalation

Didn't found anything interesting using sudo -l, so I tried looking for SUIDs using find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; | grep '/bin'

Reference -> PayloadsAllTheThings

SUID

Nmap is available, wonder if Hint was for this one. Go to GTFOBins and search for Nmap. I ran (b) script of Shell section.

SUID Nmap

You know what to do next 😜

Key 3