TryHackMe: Mr Robot CTF

This is a walkthrough of the Mr. Robot CTF, a medium-level room on TryHackMe.

Task 1: No answer needed


Task 2:

First, I ran an Nmap scan of the provided IP address.

There is a web server running on port 80, so I enumerated the directories and files on it with the dirb utility.

Here robots.txt is the most interesting result. Opening it in the browser gives us the location of the first key and a wordlist.

It lists key-1-of-3.txt, which we open in the browser.

What is key 1?

073403c8a58a1f80d943455fb30724b9

We also found fsocity.dic, which downloads when its URL is opened.

As I had no idea what this wordlist was for, I just visited different directories and found a WordPress login page:

fsocity.dic might contain a username for this login page.

A useful property of the WordPress login form is that it returns a different error for a wrong username than for a correct username with a wrong password, so valid usernames can be told apart from invalid ones.

We can use Burp Suite Intruder to automate this:

Add the payload marker before the username field so that Intruder substitutes different usernames.

Then load the fsocity.dic file as the payload list.

Then press "Start attack" to begin the brute force; this is the result we got.

The responses for a few usernames have a different length than the rest; those are likely the valid usernames.

For the username "Elliot" we got the error that indicates a valid username with a wrong password, which is what we need to go after the password next.

Now we are sure that Elliot is the correct username, but we still need the password. wpscan, hydra, or Burp Suite can all do this (thanks to ChatGPT).

Now start brute-forcing the password:

hydra -l Elliot -P fsocity.dic 10.10.248.61 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.173.91%2Fwp-admin%2F&testcookie=1:The password you entered for the username"

From this we got the password: ER28-0652
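From the defender's side, the username enumeration and password brute force above leave a very recognisable trace: one client POSTing to wp-login.php many times per minute, with WordPress answering 200 (the form re-rendered) on every failure and a 302 redirect to wp-admin on success. The following Python is an added example, not part of the walkthrough, that flags such clients in a Combined-format access log. The log lines are constructed for the example, and the threshold and window are assumptions to tune per site.

```python
"""Flag brute-force / password-spraying clients against wp-login.php.
Added example: the log lines below are constructed, not taken from the CTF box."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: {"attempts": n, "possible_success": bool}} for every client
    that POSTed to wp-login.php at least `threshold` times within any span of
    `window_seconds`. threshold/window are assumed values; tune them per site."""
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        best, start = 0, 0
        # Sliding window: the largest number of POSTs inside window_seconds.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # WordPress re-renders the form with HTTP 200 on a failed login and
            # answers a successful login with a 302 redirect, so a 302 from a
            # flagged client means the attack may have succeeded.
            success = any(status == 302 for _, status in evs)
            findings[ip] = {"attempts": best, "possible_success": success}
    return findings


def _constructed_sample_log():
    """Constructed sample: one noisy client (25 failures then a 302) and one normal user."""
    lines = [
        f'10.0.0.5 - - [10/Mar/2024:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412'
        for i in range(25)
    ]
    lines.append('10.0.0.5 - - [10/Mar/2024:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append('10.0.0.9 - - [10/Mar/2024:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412')
    lines.append('10.0.0.9 - - [10/Mar/2024:12:05:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(_constructed_sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs in window, "
              f"possible success: {info['possible_success']}")
```

Pointing the same function at a real log file (one line per element of `lines`) is enough to run it in a cron job; the rate limit that stops this at the source is a plugin or WAF rule on wp-login.php and xmlrpc.php, with the detector as the check that the rule is actually working.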

After logging in, we can get a reverse shell back to our local machine by following this guide:

WordPress: Reverse Shell

I then pasted the PHP reverse shell from:

php-reverse-shell.php

into the theme's 404.php, as described in the "WordPress: Reverse Shell" guide. Update the file, then browse to the following URL to run the injected PHP code:

http://10.10.36.125/wordpress/wp-content/themes/twentyfifteen/404.php

Start a Netcat listener on your local machine first, then refresh the above link.
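The edit to 404.php above is exactly the kind of change a file-integrity baseline catches. The following Python is an added example (not from the walkthrough or the linked guide) that hashes a theme tree, compares it against a known-good manifest and reports modified, added and removed files; the theme layout is constructed in a temporary directory. In a real deployment the baseline is captured from a clean install of the same WordPress and theme versions, and setting DISALLOW_FILE_EDIT to true in wp-config.php removes the dashboard theme editor that makes this edit possible from an admin account in the first place.

```python
"""Detect tampering with WordPress theme files by diffing SHA-256 manifests.
Added example, not the walkthrough's or WordPress's own code; the theme tree is constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, added, removed) lists of relative paths."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a tiny fake theme, then simulate an edit to
    404.php (the file the reverse-shell step overwrites) plus a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "twentyfifteen"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n")
        (theme / "style.css").write_text("/* Theme Name: constructed */\n")
        baseline = hash_tree(tmp)  # in practice: captured from a known-good install
        # Simulated tampering (placeholder text, not a payload) and an unexpected new file.
        (theme / "404.php").write_text("<?php /* placeholder for injected code */ get_header(); ?>\n")
        (theme / "cache.php").write_text("<?php /* unexpected new file */ ?>\n")
        return compare_manifests(baseline, hash_tree(tmp))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

Run hash_tree against the live wp-content directory on a schedule, store the manifest off-host, and treat any modified or added .php file under themes, plugins or uploads as an incident to look at; legitimate updates change the manifest too, so re-baseline right after each update.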

After gaining access I found the second key in the /home/robot directory but was not able to read it; I did, however, find a password.

I saved it on my local machine and cracked it using John the Ripper.

With the password cracked, we can switch to the robot user and read the second key.

What is key 2?

Now we can read that second key: 822c73956184f694993bede3eb39f959

To get the third key we need to be root, so it's time to escalate privileges.

To find out what permissions our user has been assigned:

Since that is not available to us, list all SUID binaries instead and check GTFOBins for any that allow a bypass.

Searching GTFOBins shows that the Nmap binary can spawn an interactive shell.
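Listing SUID binaries is also a routine hardening check, and the fix on this box is simply to take the SUID bit off nmap. The following Python is an added example (not from the walkthrough) that scans a filesystem for SUID files, diffs them against a baseline allowlist and separately flags any that are world-writable; the baseline and the scan result are constructed for the example, and the nmap path shown is a placeholder rather than a path taken from the machine.

```python
"""Audit SUID binaries against a known-good baseline.
Added example, not the walkthrough's own code; baseline and sample scan are constructed."""
import os
import stat

# Constructed baseline: the SUID binaries a hardened image is expected to carry.
# Assumption: a real baseline is captured from a known-good build of the same image.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount",
}


def scan_suid(root="/"):
    """Walk root and yield (path, mode) for regular files with the SUID bit set.
    Unreadable directories are skipped so the scan also works unprivileged."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


def audit_suid(entries, baseline=BASELINE_SUID):
    """Return (unexpected, world_writable): SUID files missing from the baseline,
    and SUID files anyone can write to (an immediate privilege-escalation risk).
    `entries` is an iterable of (path, mode) pairs as produced by scan_suid()."""
    unexpected, world_writable = [], []
    for path, mode in entries:
        if mode & stat.S_IWOTH:
            world_writable.append(path)
        if path not in baseline:
            unexpected.append(path)
    return sorted(unexpected), sorted(world_writable)


def _constructed_scan():
    """Constructed stand-in for scan_suid('/') on the CTF box (paths are placeholders)."""
    return [
        ("/usr/bin/passwd", 0o104755),
        ("/usr/bin/sudo", 0o104755),
        ("/usr/local/bin/nmap", 0o104755),  # the SUID nmap the walkthrough escalates through
        ("/opt/backup/helper", 0o104757),   # constructed: SUID and world-writable
    ]


if __name__ == "__main__":
    unexpected, world_writable = audit_suid(_constructed_scan())
    print("SUID files not in baseline:", unexpected)
    print("world-writable SUID files: ", world_writable)
    # On a real host: audit_suid(scan_suid("/"))
```

Anything in the unexpected list should either be added to the baseline with a written justification or have its SUID bit removed (chmod u-s); nmap has no business being SUID on a server, and the interactive mode GTFOBins relies on only exists in old nmap releases, so updating the package closes the path as well.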

What is key 3?

04787ddef27c3dee1ee161b21670b4e4