Mr Robot CTF
Mr Robot is one of my favorite TV series; I've watched every season more than 5 times :) This CTF has 3 flags that we must find. Let's start.
Accessing the IP, we have a site with a terminal where we can execute certain commands, but there is nothing useful here for us. So we start by enumerating the ports and services with nmap, but it doesn't return anything interesting. Then I use FFUF to enumerate directories.
While the command was running in the background, I checked robots.txt, which I have the habit of always looking at. Accessing it, we find two files: a wordlist and a key with our first flag!
I download both files; now we just read key-1-of-3.txt and get our first flag:
To find the second flag: once FFUF finishes, you will have found the wp-admin directory. Accessing it, we have the WordPress login panel:
Here it is very clear what we need to do :) Let's perform a brute force attack using that fsociety.dic file we found earlier.
To perform the brute force I will use wpscan. Just use the following command (remove the “ ”):
wpscan --url 10.10.240.155 --passwords “wordlist” --usernames “wordlist”
A few minutes later we find our username and password. After logging in, we'll send our reverse shell. To use the same one I used, just click here.
To send our shell, go to Appearance > Editor and select a PHP page, delete everything and paste our shell (don't forget to change the IP and port).
Just click the Update File button below to save your changes.
With netcat listening on the port we defined in the reverse shell, just access the page that we changed, and we get our shell :)
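From the defender's side, the steps above (password brute force against the login panel, then a theme file edit) leave a recognizable trail in the web server's access log. The following is an added example, not part of the original writeup: it assumes Apache combined log format, that a failed WordPress login returns 200 while a successful one returns 302, and that the theme editor saves via POST to /wp-admin/theme-editor.php; the log lines, IPs and the threshold of 20 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format; IPs, times and counts are made up.
FAILED = '10.0.0.5 - - [01/Jan/2024:10:00:{:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "-"'
SAMPLE_LOG = [FAILED.format(i) for i in range(25)] + [
    '10.0.0.5 - - [01/Jan/2024:10:00:26 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:01:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

# client IP, method, path and status from one combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(lines, threshold=20):
    """Return {ip: set of findings} for the brute force -> login -> theme edit chain."""
    failed = defaultdict(int)
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore query strings
        if method != "POST":
            continue
        if path == "/wp-login.php":
            if status == "200":  # assumption: 200 means the login form was re-rendered
                failed[ip] += 1
                if failed[ip] >= threshold:
                    findings[ip].add("bruteforce")
            elif status == "302" and "bruteforce" in findings[ip]:
                findings[ip].add("login_after_bruteforce")
        elif path == "/wp-admin/theme-editor.php":
            after = "bruteforce" in findings[ip]
            findings[ip].add("theme_edit_after_bruteforce" if after else "theme_edit")
    # drop IPs that were only looked up and never flagged
    return {ip: f for ip, f in findings.items() if f}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, sorted(found))
```

A successful login or theme edit that follows a burst of failed logins from the same address is the signal worth alerting on; a single mistyped password, like the second IP in the sample, is not flagged.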
Accessing /home, we see that there is a user called robot, and inside its directory we have two files: flag 2 and an MD5 password.
The only file we have access to is the password. Accessing the file, we have the password in MD5:
Cracking it, we get the robot user password.
And now we access the user robot.
Now we can read the key-2-of-3.txt file and get our second flag!
To get the third flag we have to gain root access on the machine. To escalate privileges, let's use nmap:
Let's use nmap's interactive mode to escalate privilege.
Accessing it with the command nmap --interactive, we get root :)
And finally we got the last flag!