ErrorCauser's Write-Ups

TryHackMe | Mr.Robot CTF

(image: mr-robot)

Hello Guys!

Today we will walk through the Mr. Robot CTF on TryHackMe.com. The room is simple and fun: it hosts a WordPress website, and the goal is to root the system and collect three keys along the way.

URL: Mr Robot CTF

Difficulty: Easy

Author: Ben

The first step is to enumerate the system. Below are the Nmap scan results.
(screenshot: nmap-scan)

As we can see, port 80 is open and serves a web server. Opening the site in a browser gives a Mr. Robot themed terminal animation; it is decoration only and looks like a rabbit hole, so do not spend time on it.
(screenshot: mrorobotsite)

Since there is a website, I ran Gobuster against it with the "/usr/share/wordlists/dirb/common.txt" wordlist. These were all the results I got:
(screenshot: gobuster)

One of the hits was robots.txt. This file, defined by the Robots Exclusion Standard, tells web crawlers (search-engine bots, not browsers) which paths they should not fetch. It is purely advisory: the web server does not enforce it, and a crawler may ignore it. That is exactly why it is interesting during enumeration: it is a list of paths the site owner would rather nobody looked at, handed over in plain text.

The robots.txt listed the file key-1-of-3.txt. Requesting that file directly gave me the first key.
(screenshots: robots.txt, firstkey)

As you may also have noticed, Gobuster found a /login path. Navigating to it shows a WordPress login form, so the site is running WordPress.
(screenshot: wordpresslogin)

I had obtained a text file from the room earlier, and it contained the password. The file held a large number of words, one per line, most of them repeated. All I had to do was run uniq with the -u parameter to sort out the file (note that uniq only collapses adjacent duplicates, so sort the file first or use sort -u). I was left with 8 entries in the output, and one of them had to be the password. The password was ER28-0652. Since we had no username, we could either run a dictionary attack with common usernames or brute-force it. Because this is a Mr. Robot themed room, I tried the names of characters from the show. It turned out the username was Elliot. A useful detail for confirming a username on WordPress: the login form returns a different error for an unknown username than for a valid username with the wrong password, so usernames can be checked one at a time before trying passwords.
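The following is an added example, not code from the original write-up, showing why the dedup step is easy to get wrong: `uniq -u` only looks at adjacent lines, so on an unsorted wordlist it removes almost nothing. The three functions below contrast the naive call, the sorted call (words that occur exactly once) and `sort -u` (every distinct word once, which is what a dictionary attack actually needs). The wordlist is constructed for the demo.

```shell
#!/bin/sh
# Three ways to "dedup" a wordlist, with very different results.
#   $1 = path to the wordlist

# What the write-up describes: uniq -u on the raw file. Because uniq only
# compares neighbouring lines, an unsorted file with scattered repeats
# passes through almost untouched.
naive_unique_only() {
    uniq -u "$1"
}

# Sort first, then uniq -u: prints only the words that appear exactly once.
# Useful when the "real" entries are the ones that were not mass-duplicated.
sorted_unique_only() {
    sort "$1" | uniq -u
}

# sort -u: every distinct word exactly once. This is the list to feed to a
# password-spraying tool, since a repeated word adds nothing but wasted attempts.
distinct_words() {
    sort -u "$1"
}

# Constructed demo wordlist: repeats are deliberately non-adjacent.
demo=$(mktemp)
printf 'alpha\nbeta\nalpha\nbeta\ngamma\n' > "$demo"

echo "naive uniq -u keeps $(naive_unique_only "$demo" | wc -l | tr -d ' ') of 5 lines"
echo "sorted uniq -u keeps: $(sorted_unique_only "$demo" | tr '\n' ' ')"
echo "sort -u gives $(distinct_words "$demo" | wc -l | tr -d ' ') distinct words"
rm -f "$demo"
```

Whichever variant you pick, check the line count before and after; if the number barely changed on a file full of repeats, the input was not sorted.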

We now have access to the WordPress admin panel.
(screenshot: wordpresspanel)

In there, I enumerated further for more information. I found another user called michi05654 with the Subscriber role; it turned out not to be relevant.

Since the account could use the plugin manager, I could run arbitrary PHP as the web server: whatever is written into a plugin file is executed by the server on the next request. There were two ways to do it, either upload a completely new plugin containing a PHP reverse shell or edit an existing one in the plugin editor and paste the shell in. I started a Netcat listener on port 4444, edited an existing plugin, triggered it, and caught a reverse shell. Editing a live plugin can break the site, so keep a copy of the original file and restore it once you are done.
(screenshot: netcat)

As we can see, the shell runs as the daemon user. That is the unprivileged account the web server runs under; the name comes from the term daemon, a process that runs in the background and performs a specified operation at predefined times or in response to certain events. Because the raw reverse shell has no TTY, I used Python to spawn a proper Bash shell with the following command:

(screenshot: shell)

The next key was located in /home/robot, but the file was only readable by the robot user. Next to it lay robot's password as an unsalted MD5 hash, so I cracked it with Hashcat (mode 0, raw MD5) and the famous rockyou.txt, switched to the robot user with the recovered password, and read the second key.
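As an added example (not the write-up's own command), the function below does in plain shell what `hashcat -m 0 hash.txt rockyou.txt` does at scale: hash each candidate word with MD5 and compare. It shows why an unsalted fast hash is a weak way to store a password: one lookup per candidate, no per-user work factor. The wordlist is constructed for the demo and the target hash is md5("password").

```shell
#!/bin/sh
# crack_md5: offline dictionary attack on a single unsalted MD5 digest.
#   $1 = 32-hex-char MD5 digest, $2 = path to a wordlist (one candidate per line)
# Prints the matching word and returns 0, or returns 1 if nothing matched.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise case of the digest
    # "|| [ -n "$word" ]" still processes a final line that lacks a newline.
    while IFS= read -r word || [ -n "$word" ]; do
        # printf '%s' avoids hashing a trailing newline, which would change the digest.
        h=$(printf '%s' "$word" | md5sum | cut -d ' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed demo wordlist; a real run would point at rockyou.txt.
demo=$(mktemp)
printf 'letmein\nqwerty\npassword\n' > "$demo"

# md5("password") = 5f4dcc3b5aa765d61d8327deb882cf99, so this prints "password".
crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$demo" || echo "no match"
rm -f "$demo"
```

For anything beyond a toy list use hashcat: it hashes millions of candidates per second on a GPU, and the same `-m 0` mode covers this file.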

To obtain the third and last key I needed root privileges. The nmap binary on the box is installed setuid root, and old nmap releases (the interactive mode exists in versions up to 5.21) offer an --interactive prompt that can run shell commands. Running nmap --interactive followed by !sh therefore gave me a root shell, since the spawned shell inherits nmap's effective uid 0. From there I could simply navigate to /root and read the last key.
(screenshot: 3rdkey)
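The privilege escalation above only works because someone set the setuid bit on nmap. As an added example (not part of the original write-up), here is the enumeration step that finds such binaries on any Linux target, plus a filter for names that are known to give a shell when setuid root; the list of names is a small hand-made assumption, GTFOBins is the fuller reference. Run it as the low-privileged user you landed as.

```shell
#!/bin/sh
# find_suid: list every regular file with the setuid bit under a directory.
#   $1 = directory to search (defaults to /)
# -perm -4000 matches "setuid bit set, other bits unspecified"; -xdev keeps
# find from wandering into /proc, network mounts and other filesystems.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# flag_known_suid: from that list, keep binaries that are known to hand out a
# shell or arbitrary file access when setuid root (assumed short list).
flag_known_suid() {
    find_suid "$1" | grep -E '/(nmap|vim|vi|find|bash|sh|python[0-9.]*|perl|less|more|cp|awk|env|tee)$' || true
}

# Demo against a constructed directory so it is safe to run anywhere:
# a fake setuid "nmap" next to a normal file.
demo=$(mktemp -d)
: > "$demo/nmap" && chmod 4755 "$demo/nmap"
: > "$demo/ls"   && chmod 755  "$demo/ls"
echo "setuid files:"; find_suid "$demo"
echo "worth a closer look:"; flag_known_suid "$demo"
rm -rf "$demo"
```

On the real target run `find_suid /` and read the whole list, not just the flagged names: a custom setuid binary written by the box author is just as interesting as a well-known one.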