Skip to main content

CTF - MrRobot Challenge Walkthrough

This is the another boot2root challenge based on the TV show mrRobot.
This VM has three flags/keys on different locations and to find them all, exploit the machine remotely and get into root shell.

PENETRATION METHODOLOGY:

  • NMAP
  • WPSCAN
  • DIRB
  • WGET
  • METASPLOIT-FRAMEWORK
  • NMAP INTERACTIVE MODE

On service enumeration of the VM, we get multiple ports and services running.

As this result shows that HTTP service is running is running and on visiting the IP over http we get following page

On checking the robots.txt file, we get this page with two entries.
As viewing the entries, one of the file is first key and another file is dictionary for passwords. Downloading both files.

As now we run the 'dirb' to find directories on the web.

On the dirb result we found that the server is running wordpress.
So we know that the Elliot is the main person of the show, so let's try his name for the wordpress login.

Now try to crack this password using the fsocity.dic by wpscan that we found in robots.txt.

As we successfully cracked the password for the username Elliot as ER28-0652 and login with it and try to edit 404.php file with our malicious php payload.


On updating and visiting the non-existing page of the wordpress we get a php reverse shell in return as 'daemon' as user.

Now change to directory '/home/robot' and we found key-2-of-3.txt. On reading this file, we are not able to read. As viewing the permissions we found that only the root can read this file. Their is another file password.raw-md5 which we are able to read. On reading this file we found the root user and password encrypted in md5, so we are trying to decode this hash.

Now try to login with the username and password we just cracked we got the robot as our user.

Now, to be the root user we find the file which have root user privileges.
We found that the nmap is installed and has root user privileges.
As we check that the nmap version is vulnerable to local privilege escalation vulnerability we could run the shell as root using nmap interactive mode.
As we are root and cd to /root directory we find out the key-3-of-3.txt file and read.

We Successfully completed the CTF Challenge.

Challenge Completed by - M4TRIX_H4CK3R

Comments

Popular posts from this blog

Bypass Ubuntu Login Screen

Here is the new post on the series of the bypassing of the login screens of the different Operating Systems . In this post, we are going to bypass login screen of the 'Ubuntu 16.04 LTS' . This method is basically works on all Ubuntu . Here is the screen of the Login of the Ubuntu 16.04 LTS which we are going to bypass. STEPS:- Steps 1 :  First restart the system and load the GRUB menu by holding SHIFT  key when the BIOS  loads. After that selects ' Advanced Options ' and you will get this menu. Steps 2 :  Then selects recovery mode on the above menu and you will get the following menu. Steps 3 :  Then selects the root menu and you will dropped into root shell of the system. Steps 4 :  Then run the following commands: mount -rw -o remount / passwd <username> After the successful completion of the command, you have successfully changed the root password of the system. You find the root username of the system by changin...

Bypass Kali Linux Login Screen

This is the another post of the Operating System Login Mechanism bypass series. In this post, we are going to bypass the login screen of the Kali Linux that works on all Kali rollings. This is method is slightly different from the method of the Ubuntu. STEPS:- Step 1 :  First, boot the Kali rolling and you will find the GRUB Menu of the KALI. Step 2 :  Then press 'e'  key to load the GRUB. Step 3 :  After that, replace 'ro'  to 'rw'  and 'init=/bin/bash'  at the same line and press 'F10'  key to load with this GRUB file. Step 4 :  After the boot, you will dropped into the root shell of the system. Step 5 :  Now, type 'passwd root'  command and enter the new unix password twice of the root user. Now, Reboot the system and boot normally and you are able to login to the root account of the Kali-rolling with the new password. Post written by - M4TRIX_H4CK3R Author  -  https://en.gra...