Mr. Robot CTF Writeup

Introduction

Mr. Robot is one of my favorite TV series; I've watched every season more than 5 times :) This CTF has 3 flags that we must find. Let's start.

~$ cat First_Flag

Accessing the IP, we get a site with a terminal where we can execute certain commands, but there is nothing useful here for us. So we start by enumerating the ports and services with nmap, but it does not return anything interesting. Then I use FFUF to enumerate directories.

While the command was running in the background, I looked at the robots.txt file, which I have the habit of always checking. Accessing it, we find two files: a wordlist and a key with our first flag! Then we download the two files:

  • key-1-of-3.txt
  • fsociety.txt

wget IP/key-1-of-3.txt
wget IP/fsociety.txt

After downloading both files and reading key-1-of-3.txt we get our first flag.

~$ cat Second_Flag

To find the second flag: once FFUF has finished, you will have found the wp-admin directory. Accessing it, we get the WordPress login panel:

WordPress Login

Here it is very clear what we need to do :) Let's perform a brute force attack using that fsociety.dic file we found earlier. To perform the brute force I will use wpscan:

wpscan --url 10.10.240.155 --passwords fsociety.dic --usernames fsociety.dic

After running the command we get the password and the username. Now we can access the panel. After logging in, we'll upload a PHP reverse shell.

To upload our reverse shell, go to Appearance > Editor and select some PHP page, delete everything and paste our code (don't forget to change the IP and port). Afterwards, just click the Update File button below to save your changes.

WordPress Appearance Editor

With netcat listening on the port we defined in the reverse shell, we just access the page that we changed, and so we get our shell :)

Reverse Shell Upload

Accessing /home, we see that there is a user called robot, and inside that user's directory we have two files: flag 2 and an MD5 password.

/home Files

Now we need to crack the MD5 password hash of the user robot. Cracking it gives us the robot user's password, and now we can log in as that user.

Robot User Login

Now we can read the key-2-of-3.txt file and get our second flag!

~$ cat Last_Flag

To get the third flag we have to gain root access on the machine. By enumerating the SUID binaries owned by root, we can see that it is possible to use nmap to escalate privileges:

find / -user root -perm -4000 2>/dev/null

Nmap Privilege Escalation
GTFObins Nmap

Let's use nmap's interactive mode to escalate privilege.

nmap --interactive
nmap> !sh

Root Shell

Now we can read the /root/key-3-of-3.txt file and get our last flag!
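
From the defender's side, the same -perm -4000 test can be turned into a baseline audit that would have flagged the set-uid nmap before anyone abused it. The script below is an added example, not part of the original writeup; the function names, the allowlist file format and the demo paths are assumptions, and the demo tree is constructed in a temporary directory rather than read from a real system.

```shell
#!/bin/sh
# Added example (not from the original writeup): set-uid baseline audit.

# audit_suid ROOT ALLOWLIST
#   ROOT      directory tree to scan ("/" on a real host)
#   ALLOWLIST file with one approved absolute path per line
# Prints each set-uid regular file under ROOT that is missing from ALLOWLIST.
# Returns 1 when at least one unexpected file is found, 0 otherwise.
audit_suid() {
    root=$1
    allowlist=$2
    # -perm -4000 is the same set-uid test as the enumeration command above;
    # -xdev keeps the scan on one filesystem. Unlike that command there is no
    # -user filter, so set-uid files owned by any account are reported.
    unexpected=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            # -F fixed string, -x whole line: only an exact path is approved.
            grep -Fxq -- "$path" "$allowlist" || printf '%s\n' "$path"
        done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# make_demo_tree: builds a constructed directory tree (no real system files)
# with two set-uid files and one ordinary file, and prints its location.
make_demo_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/usr/bin" "$tree/usr/local/bin"
    : > "$tree/usr/bin/passwd";     chmod 4755 "$tree/usr/bin/passwd"
    : > "$tree/usr/local/bin/nmap"; chmod 4755 "$tree/usr/local/bin/nmap"
    : > "$tree/usr/bin/ls";         chmod 0755 "$tree/usr/bin/ls"
    printf '%s\n' "$tree"
}

# Demo: only passwd is on the baseline, so the set-uid nmap copy is reported.
demo_tree=$(make_demo_tree)
printf '%s\n' "$demo_tree/usr/bin/passwd" > "$demo_tree/allowlist.txt"
if audit_suid "$demo_tree" "$demo_tree/allowlist.txt"; then
    echo "baseline clean"
else
    echo "review the paths above: set-uid bit not on the baseline"
fi
rm -rf "$demo_tree"
```

On a real host, generate the allowlist once from a known-good install and run the audit from cron or a configuration-management check; any new path in the output is a change to investigate.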