Today we’re going to take a crack at the Mr. Robot CTF on TryHackMe. I have to say before we begin that I love the design of this lab! The website is so cool and so well thought out, it was just great. I really encourage you to look at all of the videos, it is pretty hackery. 😀

When you’re ready, put on your FSOCIETY hoodie and let’s hack the world!




What is key 1?

Once your machine is loaded, we can start with our basic enumeration. First things first: when we open the IP address of the machine in our browser we are met with a command-line-like website. Every command that you type in will load a video, so it’s not really that important (but you can check it out if you want).


Let’s run an nmap scan to see if we can find any services.
nmap -sV -Pn <your machine IP>

Hmm, we can see that our SSH port is closed. There is an ssl/http port that is of interest though. Let’s run a gobuster scan to see which directories we can enumerate.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <your machine IP> -t 50

We can see that there is a /robots directory. When we look at our hint it says “Robots”. Let’s navigate to our /robots.

We can see that our robots.txt mentions a key-1-of-3.txt file. It also has a fsocity.dic file which contains a list of passwords. Save this file because we’ll need it later. Let’s navigate to it: <ip>/key-1-of-3.txt.

We have found our first key!




What is key 2?

When we look back at our gobuster scan, we can see that there is a /login and a /wp-login directory, which means that the site is built with WordPress. Let’s navigate to our /wp-login.

We can’t get very far without a username and password (duh!). If we run a wpscan scan on our web application to see if we can find a user, we get nothing useful (except the WordPress version, which we could possibly exploit).
wpscan --url http://<your machine IP>/wp-login --enumerate u

We have one of two options now: manually trying different usernames, or using Burp Suite’s Intruder to find a username. When I first did this CTF, I tried my luck by going with the most obvious usernames: MrRobot and Elliot. Elliot won!

Now that we have a username, we can go back to wpscan (or in my case I chose hydra) and enumerate through the fsocity.dic file that we downloaded above to find a valid password for Elliot.

export ip=<your machine IP>
hydra -l Elliot -P ./Downloads/fsocity.dic $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

This took my scanner 40 minutes, so to save you the trouble I’ll reveal the password for you >> Elliot:ER28-0652. Let’s log in using these credentials!
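As an added example (not part of the original write-up), here is what the brute force above looks like from the defender’s side: a small shell check over Apache-style access log lines that counts POSTs to wp-login.php per client and reports any client over a threshold, together with how many 302 redirects it got (the response WordPress gives to a correct login, which is also why hydra’s `S=Location` condition works). The log lines, addresses and threshold are constructed for the demo; on a real host you would pipe in the live access log.

```shell
#!/bin/sh
# Added example, not from the original write-up: detect a WordPress login
# brute force from the web server's access log.
# The lines below are constructed for this demo; on a real host you would
# pipe in /var/log/apache2/access.log (or the nginx equivalent) instead.
SAMPLE_LOG='192.0.2.10 - - [10/Mar/2024:13:00:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:13:00:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:13:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:04 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.88"
198.51.100.23 - - [10/Mar/2024:13:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3126 "-" "Mozilla/5.0 (Hydra)"
198.51.100.23 - - [10/Mar/2024:13:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"'

# Read combined-format log lines on stdin and print "ip posts redirects"
# for every client with more POSTs to wp-login.php than the limit in $1
# (default 5). A failed login returns 200 with the form again; a correct
# one returns a 302, so "many posts, then one 302" is a successful guess.
wp_login_bruteforce() {
    awk -v limit="${1:-5}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            posts[$1]++
            if ($9 == 302) redirects[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] > limit) print ip, posts[ip], redirects[ip] + 0
        }'
}

# Run the detector over the constructed sample so the block works stand-alone.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | wp_login_bruteforce "$1"
}

check_sample 5
```

On the sample this prints `198.51.100.23 8 1`: eight password guesses and one redirect, i.e. the guessing worked. The usual mitigations on the WordPress side are a login rate limit or lockout and a fail2ban jail on exactly this log pattern.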

From here on, our next moves are pretty standard. Let’s see if we can run a reverse shell using PHP by pasting our shell into the 404.php file in the theme editor. Remember to save this new file. You can download the reverse shell from pentestmonkey, and remember to update the IP address with the address of your OpenVPN interface (not your machine IP!) and insert the port of your choice (I left it at 1234).
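An added example, not code from the original post or from WordPress: the shell that lands in 404.php above only works because the theme editor is enabled. WordPress has a real constant, `DISALLOW_FILE_EDIT`, that turns the editor off; the functions below check a wp-config.php for it and insert it when it is missing. The sample config in `demo()` is constructed, and the script assumes the file opens with `<?php` on line 1, as the stock wp-config.php does.

```shell
#!/bin/sh
# Added example, not from the original write-up or from WordPress itself:
# audit (and fix) a wp-config.php so the built-in theme/plugin editor is
# switched off. DISALLOW_FILE_EDIT is a real WordPress constant; the sample
# config written by demo() is constructed for this demo.

# Exit 0 if the config already defines DISALLOW_FILE_EDIT as true, 1 otherwise.
# The leading anchor keeps a commented-out define from counting.
wp_file_edit_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Insert the define right after the opening <?php line (assumed to be line 1,
# as in the stock wp-config.php) unless it is already present.
wp_disable_file_edit() {
    cfg="$1"
    wp_file_edit_disabled "$cfg" && return 0
    awk -v line="define('DISALLOW_FILE_EDIT', true);" \
        'NR == 1 { print; print line; next } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Stand-alone demo on a constructed config in a temporary directory.
demo() {
    dir=$(mktemp -d)
    cfg="$dir/wp-config.php"
    printf '%s\n' '<?php' "define('DB_NAME', 'wordpress');" \
        "/* That's all, stop editing! Happy publishing. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$cfg"
    wp_file_edit_disabled "$cfg" && echo "editor already disabled" || echo "editor enabled: fixing"
    wp_disable_file_edit "$cfg"
    wp_file_edit_disabled "$cfg" && echo "editor now disabled"
    rm -rf "$dir"
}

demo
```

The define has to sit above the `require_once ... wp-settings.php` line, which is why it goes directly under `<?php`; with it in place the Appearance editor used above simply disappears from the admin menu.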

Start up a netcat listener.
nc -nlvp <your port inserted in reverse shell>

Now, head over to <your machine IP>/404.php and check your netcat listener. We have successfully gained access via our reverse shell!

When we list the files in /home/robot, we find our key-2-of-3.txt file. There is also a password.raw.md5 file, which we’ll get to later.

We have our second key!




What is key 3?

Let’s read the contents of our password.raw.md5 file. It appears to be a hashed password for the user robot.

Let’s see if we can crack this password hash. Head over to CrackStation and enter this hash.

Let’s see what user we are at the moment by running whoami. We’re running as daemon, but we can log into the user robot’s account since we have the password (the one we just cracked)!

whoami
su robot

Now that we’re logged in as robot, let’s see what SUID binaries we can access (to see if we can escalate our privileges by exploiting one of them).
find / -perm -u=s -type f 2>/dev/null

The binary /nmap looks promising. Head over to GTFOBins and read up on how we can escalate our privileges using this binary. We need to run an interactive shell, which will give us root access.
nmap --interactive
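An added example, not from the write-up or from GTFOBins: the `find` above is exactly the listing a defender should baseline. The script below pipes it through an allowlist of setuid binaries expected on a stock host (the list is an assumption for a Debian-style system, so tune it to your own baseline) and flags anything else, such as a setuid nmap. `demo()` runs the filter over a constructed path list so it works without root.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit SUID binaries the
# way a defender would, flagging anything not on a short allowlist.
# EXPECTED_SUID is an illustrative baseline for a Debian-style host
# (assumption); the path list in demo() is constructed.

# Basenames we expect to carry the setuid bit on a stock install.
EXPECTED_SUID="passwd su sudo mount umount chsh chfn gpasswd newgrp ping"

# Read one path per line on stdin and print every path whose basename is
# not in EXPECTED_SUID. Exit 1 if anything was flagged, 0 otherwise.
flag_unexpected_suid() {
    awk -v allow="$EXPECTED_SUID" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            base = $0; sub(/.*\//, "", base)      # strip the directory part
            if (!(base in ok)) { print; flagged = 1 }
        }
        END { if (flagged) exit 1 }'
}

# Live audit: the same find the write-up uses (-4000 is the setuid bit),
# rooted at $1 or / by default, piped into the filter.
audit_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | flag_unexpected_suid
}

# Stand-alone demo over a constructed list (no root needed).
demo() {
    if printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/local/bin/nmap \
            /usr/bin/mount /opt/tools/backup | flag_unexpected_suid; then
        echo "no unexpected SUID binaries"
    else
        echo "review the paths above; chmod u-s is the usual fix"
    fi
}

demo
```

On the constructed list this prints `/usr/local/bin/nmap` and `/opt/tools/backup` and exits 1. A setuid nmap only hands out a root shell on older releases that still ship `--interactive`, but the file should not be setuid on any release; running `audit_suid` from cron and alerting on a non-zero exit catches both a build gone wrong and a bit set deliberately as a backdoor.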

From here on we can cd into /root and read the contents of our final flag file: key3-of-3.txt.

And so we got our flag!




Conclusion

There are a bunch of steps I took in between that didn’t pan out into anything. There weren’t any vulnerabilities for the WordPress version, in case you were wondering. Ultimately, it was quite an easy CTF!

I hope this was easy enough for you to follow, and until next time, happy hacking!

See more on my GitHub.




