Mr Robot CTF
Hi Hackers,
This article requires basic knowledge of Linux and of enumerating services and ports. This box is a beginner-level challenge.
Task 1 Connect to our network
1. To deploy the Mr. Robot virtual machine, you will first need to connect to our network.
2. Connect to our network using OpenVPN. Here is a mini walkthrough of connecting:
3. Use an OpenVPN client to connect. In my example I am on Linux; on the access page there is a Windows tutorial.
4. When you run this you see lots of text; at the end it will say "Initialization Sequence Completed".
5. You can verify that you are connected by looking at your access page. Refresh the page.
6. You are now ready to use the machines on our network!
7. Now when you deploy material, you will see an internal IP address for your virtual machine.
Task 2: Hack the machine
To find the first flag, we will start with enumeration by running nmap:
#nmap -sS -sV -O 10.10.245.158
Ports 80 & 443 are open, which indicates a web server is running.
Open the web server in a browser.
As we don't find any information there, we will run gobuster:
#gobuster dir --url http://10.10.245.158/ --wordlist /usr/share/wordlists/dirb/common.txt
- What is key 1?
Since port 80 is open, we will directly check the "robots.txt" file.
By checking robots.txt, we found 3 files.
By checking the three files, we got the first flag in Key-1-of-3.txt.
Next we check the directories from the gobuster result one by one.
In /dashboard we got a WordPress login page.
We continue searching in the directories found by gobuster.
In the /license directory we got an encoded password.
By decoding it from base64, we got the username & password for the WordPress login.
After logging in, we don't find any information on the dashboard page, so we will search Google for a WordPress reverse shell.
From Hacking Articles I used the 2nd method, injecting malicious code into a WP theme to get a reverse shell.
Below is the link, you can refer
WordPress: Reverse Shell — Hacking Articles
In the dashboard page of the WordPress website, go to Appearance → Editor → 404 Template.
Download the PHP reverse shell code & extract it.
Open php-reverse-shell.php in Sublime Text.
Copy the code & paste it into the 404 template.
Change the IP address & port number. Set the IP address to your Kali IP.
Start netcat & we will get a shell:
#nc -lvnp 9999
In the home directory we got the robot user. We will check the files of the robot user.
Key 2 gives permission denied.
So we will get the information from the other file.
The password.raw-md5 file contains the username & an MD5 hash.
Since it is an MD5 hash, we will crack it to recover the plaintext password.
Now we will log in as the robot user. There we will find flag 2.
3. What is flag 3?
Privilege Escalation
As we know, the last flag will be the root flag, so we need to escalate privileges.
#sudo -l
Here the user has no sudo rights (and sudo asks for a tty anyway), so we will check for SUID binaries instead.
We will check for files with the SUID bit set:
#find / -perm /6000 -print 2>/dev/null | grep '/bin'
A lot of the time administrators set the SUID bit on nmap so that it can be used to scan the network efficiently, as many Nmap scanning techniques do not work unless you run it with root privileges.
If Nmap has the SUID bit set, it will run with root privileges and we can get access to a 'root' shell through its interactive mode.
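Turning the find command above into a small audit, as an added example that is not part of the original write-up: it lists SUID/SGID files under a directory and flags the ones whose names are on a constructed watch list of programs (nmap among them) that hand out a shell when they run privileged. Running something like this regularly is how an admin catches a stray SUID nmap before a player of this box does.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit SUID/SGID files and
# flag the ones that should never be privileged. The watch list is a
# constructed, illustrative subset; extend it from GTFOBins for real use.
WATCHLIST="nmap vim vi find bash sh python perl"

# audit_suid ROOT
# Prints one line per SUID/SGID regular file under ROOT: "RISK <path>" if
# the file name is on the watch list, "OK <path>" otherwise.
# Returns 1 when at least one RISK entry was found, 0 otherwise.
# Paths containing whitespace are not handled (kept simple for POSIX sh).
audit_suid() {
    root="$1"
    rc=0
    for f in $(find "$root" -type f -perm /6000 2>/dev/null); do
        name=$(basename "$f")
        case " $WATCHLIST " in
            *" $name "*) echo "RISK $f"; rc=1 ;;
            *)           echo "OK $f" ;;
        esac
    done
    return $rc
}

# count_risky ROOT -> number of watch-listed SUID/SGID files under ROOT
count_risky() {
    audit_suid "$1" | grep -c '^RISK ' || true
}

# Stand-alone usage: sh audit.sh /usr  (exit status 1 means something risky
# was found, which makes it usable from cron or a CI check).
if [ "${1:-}" != "" ]; then
    audit_suid "$1"
fi
```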
Here nmap is present, so we will look up its shell option on GTFOBins. Before that we will spawn a proper tty shell using python:
#python -c 'import pty;pty.spawn("/bin/bash")'
GTFOBins
Here we will use option (b) from GTFOBins to execute the shell.
We will get root access.
I hope this blog helps you to understand the basic concepts.
Happy Hacking!!!