Mr Robot CTF Walkthrough
Hello guys, hope you had an awesome week. Back again with another walkthrough: Mr Robot. The virtual machine was probably created in 2015 (judging by the SSL certificate), but to date, in my opinion, it still remains one of the best engineered virtual machines anyone can use to test their penetration testing skills. I'll be taking you through exploiting WordPress by uploading a reverse shell and getting code execution from that shell, then exploiting nmap, which has misconfigured permissions, to get root on the box. For most of the bruteforcing I'll use ZAP (zaproxy) because it makes the work much simpler. Without much ado, let's jump right in.
By now I'm sure you know the drill: we begin with an nmap scan. nmap is a popular tool for finding open ports on a network and is the tool most used by penetration testers.
We get 2 ports open: port 80 (http) and 443 (https).

Both ports are used to host websites, so I used Mozilla Firefox to open them.
Both ports serve the same webpage.

The website acts like a terminal and provides you with commands that you can run,
and it indicates that we are root... funny.
I decided to try one of those commands, prepare,
and it loads a short video clip about fsociety.

Since it's a terminal, why don't we try running Linux commands?

Every time we run a Linux system command we get "command not recognized", yet it's a terminal(ish).
That turned out to be a rabbit hole.
Next, since this is a website, I decided to check for common files that are found on almost every website.

We get 2 files that seem interesting. I downloaded them to my box using wget and opened them to view their contents.
key-1-of-3.txt contained the first key to the box.

The fsocity.dic file contained a list of words that could act as potential usernames and passwords.

Since I didn't have much to go on, I decided to run gobuster, which is a web directory bruteforcer.

And got some interesting files that indicated that the website is running WordPress. First I used a tool called wpscan, available in Parrot Sec OS and Kali Linux, to enumerate the content management system (CMS).
Using wpscan I wasn't able to enumerate any users on WordPress.

I decided to visit /wp-login and it brought me to a WordPress login page.

The most interesting thing about WordPress is that a hacker or a pentester can enumerate users on the box without knowing their password; I'll demonstrate below.
Since I've done the box, I know the user elliot exists on the WordPress site.
If I provide a username that doesn't exist:

The error message says that the username entered is invalid.
If I provide a username that does exist:

I get that the password entered for that particular user is incorrect.
Knowing this, and having a wordlist that potentially contains possible usernames, I decided to bruteforce the username using ZAP.

I intercepted the request using ZAP and used the fuzzer.

And started the fuzz. Always remember that when fuzzing we are always looking for outliers, because those are the ones that contain juicy information.

Now that we have a username, we can fuzz for the password.

Now we have the username and the password for the WordPress site; it's time to log in.

Using those credentials we get access to the wordpress dashboard
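Before we go on, here is an added example (my own script, not part of the original walkthrough) showing what that ZAP brute force looks like from the defender's side: a POSIX shell script that counts failed wp-login.php POSTs per source IP in a constructed access log and flags anything at or over an assumed threshold.

```shell
#!/bin/sh
# Added example: detect the kind of wp-login.php brute force the walkthrough
# runs with ZAP, from the web server's access log. A failed WordPress login
# re-renders the form with HTTP 200; a successful one redirects with 302.
# The log lines and the threshold are constructed/assumed for this example.

# Read an Apache/nginx combined-format log on stdin and print "count ip" for
# every source IP, counting only POST /wp-login.php requests answered with 200.
count_failed_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the IPs whose failed-login count reaches the threshold in $1.
flag_bruteforce() {
    count_failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log: five failed attempts from one fuzzing client and a
# normal user who fails once and then logs in.
sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        printf '10.0.0.5 - - [10/Mar/2024:10:00:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "ZAP"\n' "$i"
        i=$((i + 1))
    done
    printf '10.0.0.9 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"\n'
    printf '10.0.0.9 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"\n'
    printf '10.0.0.9 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
}

# Stand-alone run against the constructed log; for a real server, replace
# sample_log with: cat /var/log/apache2/access.log
sample_log | flag_bruteforce 3
```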
Now from here what we need to do is get a shell.
This can be done very easily by editing a .php file that is already available in the WordPress site and adding a reverse shell.
Click on Appearance → Editor → [choose any php file; in my case I'll choose 404.php]

Find a PHP reverse shell and edit the IP address to make sure it is the IP address of your own computer.

Save the file. Edit the 404 template and add the PHP reverse shell [if you are doing a pentest for a company or an organisation, PLEASE DON'T DO THIS; just add a line of code that will give you code execution].

Then set up a listener back on your box.

Then, on loading 404.php, we get a reverse shell on our box.

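As an added example (not from the original walkthrough), here is the check a site owner would run to catch exactly this kind of theme edit: a shell script that sweeps theme PHP files for functions reverse shells depend on, run here against a constructed theme directory with an assumed pattern list.

```shell
#!/bin/sh
# Added example: a defender-side sweep of WordPress theme files for the kind
# of edit the walkthrough makes through Appearance -> Editor. It flags PHP
# files containing functions that web shells and reverse shells rely on.
# The sample theme below is constructed; a hit is a lead for review, not proof.

# Function names commonly present in dropped shells. Extend or trim for your site.
SHELL_PATTERNS='fsockopen|proc_open|shell_exec|passthru|popen|base64_decode|eval\('

# Print every .php file under $1 that matches SHELL_PATTERNS.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SHELL_PATTERNS" {} + 2>/dev/null | sort
}

# Number of flagged files, for alert thresholds (0 is the expected baseline
# for a theme you have reviewed once and recorded).
count_suspicious_php() {
    find_suspicious_php "$1" | wc -l | tr -d ' '
}

# Constructed theme directory: an untouched 404 template next to one that has
# had a socket call inserted (placeholder host and port 0, not a working payload).
make_sample_theme() {
    dir=$(mktemp -d)
    cat > "$dir/404.php" <<'EOF'
<?php get_header(); ?>
<h1><?php _e('Page not found'); ?></h1>
<?php get_footer(); ?>
EOF
    cat > "$dir/404-tampered.php" <<'EOF'
<?php
$s = fsockopen('attacker.invalid', 0); /* constructed marker line */
get_header();
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run; on a real install point it at wp-content/themes instead.
tmp=$(make_sample_theme)
find_suspicious_php "$tmp"
rm -rf "$tmp"
```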
Now let's upgrade the shell to get a fully functional terminal.

Now that we have a fully interactive shell, it's time for privilege escalation.

Trying to view the contents of key-2-of-3.txt we get permission denied, since we don't have read access. We must escalate our privileges to get access to that file.
Looking in the same folder we get password.raw-md5, a hashed MD5 password. Let's crack it using hashcat.

And after some time the hash is cracked and the password is abcdefghijklmnopqrstuvwxyz.

Now it's time to log into the box as user robot.

We can submit our second key.

Now it's time to upgrade our privileges to root. For this I will run linpeas, which automates the process of finding privilege escalation vectors.

And we find nmap can be exploited.
Looking at GTFOBins:

Looking at who owns the binary, we find that it's owned by root.

Since it's owned by root and there's a way that we can use nmap to execute commands, why don't we use it to get a root shell?

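As an added example (not from the original walkthrough), here is the audit that would have caught this before anyone exploited it: a shell script that lists setuid binaries and flags the ones, like nmap, whose name is on an assumed watchlist, run here against a constructed sample tree.

```shell
#!/bin/sh
# Added example: the audit a sysadmin would run to catch the misconfiguration
# the walkthrough exploits, a setuid-root copy of a program that can launch
# other commands (here nmap). Lists setuid files and flags the ones whose
# name is on a watchlist. Watchlist and sample tree are assumptions/constructed.

# Programs that hand any local user a root shell when setuid root. Starting
# point only; check GTFOBins for the binaries present on your hosts.
SUID_WATCHLIST="nmap find vim less more bash sh perl python"

# Print every regular file under $1 with the setuid bit set.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print only the setuid files whose basename is on SUID_WATCHLIST.
flag_risky_suid() {
    find_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for w in $SUID_WATCHLIST; do
            if [ "$name" = "$w" ]; then printf '%s\n' "$path"; break; fi
        done
    done
}

# Constructed sample: a setuid stand-in named nmap beside a setuid tool that
# is not on the watchlist. Ownership is not checked here; confirm root
# ownership with ls -l as the walkthrough does, then fix with chmod u-s.
make_sample_bins() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho constructed nmap stand-in\n' > "$dir/nmap"
    printf '#!/bin/sh\necho constructed harmless tool\n' > "$dir/ping-like"
    chmod 4755 "$dir/nmap" "$dir/ping-like"
    printf '%s\n' "$dir"
}

# Stand-alone run; on a real host use: flag_risky_suid /
tmp=$(make_sample_bins)
flag_risky_suid "$tmp"
rm -rf "$tmp"
```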
Now we can submit our third key.

I know that the site has numerous vulnerabilities, since some plugins and themes are from 2015. In one of the future walkthroughs I'll try to go through each single vulnerability and see how to exploit them.
That was it for now guys; till next time, take care, and if you liked the walkthrough you can clap for me down below.