Mr Robot CTF

Run a nmap scan to find for open ports.

Run dirb to scan for website directories.

Download the fsocity.dic file (contains a list for bruteforcing) and head to key-1-of-3.txt to find the first flag.

Capture the request in Burpsuite.

“log=admin&pwd=test” this parameter is needed for the bruteforce attack.

Forward the capture and an ERROR message is found.

Star up hydra with the following command:

hydra -L /home/kali/Downloads/fsocity.dic -p test http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username" -t 30

Use the userlist from the dictionary found in the beginning. The password is just a test. The http-post-form inputs are taken from the burpsuite capture and add “Invalid username” to filter out the user list.

User Elliot is found.

Now the user is found let’s bruteforce the password with the dictionary list with WPSCAN.

password found

Head to the editor and insert a php reverse shell in one of the pages.

Start up the listener an access is gained.

Use a password hash cracker to get the password

Use python -c ‘import pty; pty.spawn(“/bin/bash”)’ to launch a shell and switch user to robot.

The second flag is gained.

Gain root access by exploiting nmap

The final flag is gained.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s