MR. ROBOT Vulnhub CTF Write-up

Jpgp, 7 min read, Jul 23, 2021

This is a write-up of the Vulnhub CTF “MR. ROBOT”

https://www.vulnhub.com/entry/mr-robot-1,151/

created by Leon Johnson (Twitter: @sho_luv).

This CTF will require you to capture three flags scattered throughout the machine.

I have already completed this CTF in the past and I think it is a great beginner CTF. I’m going to try to show different methods at each stage to show there are many attack vectors that can be exploited in this CTF. That way people trying them can see that there is more than one way around a problem.

STEP 1: Scanning and Enumeration

First, we have to find the machine we are targeting. It can be found on the Host-Only Adapter using arp-scan or netdiscover.

The VM’s IP is 192.168.56.110. We can use this to gather further information on the target. Using nmap we can enumerate the target’s open ports and services.

We see the machine has port 80 open and is hosting a website. We can learn more about the target’s services using nikto; for this we will be using the tool Sparta, which runs it for us. This gives us a lot of information on the website and what we can check out.

Here we see that nikto found some interesting URLs.

/readme: Dead end
/license.txt: Something seems to be encoded in base64 at the bottom of this file
Decoding it reveals “elliot:ER28-0652”

These are most likely credentials that will be used later.

First Key Captured

In the robots.txt we’ve captured the first flag.

Now let’s check out the dictionary file. Grabbing it and looking through it reveals a password list.

Opening this dictionary file we see the credentials we found earlier inside. Using this information we can visit the login page we found earlier using Nikto.

STEP 2: Logging into WordPress

We could use the credentials we found earlier encoded in base64, but to show another option we can use the dictionary file to perform a brute-force attack on the login page to find the correct credentials.

This can be done with Hydra for the username and then WPScan or Hydra for the password. Let’s start with the username first.

Using Burp Suite we can view the login page’s response to the credentials admin/admin.

With this response we know what to fill out for our http-post-form.

The response to the invalid credentials is “Invalid username”.

Username “Elliot”

Using Hydra we can attack the login page with the dictionary file found earlier. On each attempt the username is filled in with a line from the dictionary file, while the password is simply admin for now, as we are only trying to find a valid username. The F= parameter tells Hydra what string to expect on a failure; any response from the web page that is not “Invalid username” indicates a potentially valid username.

Using the username elliot we see that it is valid and gets a different response from the login page.

We can now do the same thing we did for the username, but to find the password, using the new response from the web page as the failure string and the same dictionary file as before.

So the password was ER28-0652, exactly the same credentials we found in license.txt. Another way to do this would be with the tool WPScan.

Using the username “elliot” we can attempt to log in to the page using WPScan.

Both are valid methods for brute-forcing the login page, but WPScan is specifically for WordPress sites and reveals more detailed information as well.

Now, with the credentials we obtained using any of the methods above, we can log in to the page.
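From the defender’s side, the Hydra and WPScan runs above leave a very recognisable trace in the web server log: a burst of POSTs to /wp-login.php from one source, each answered with a 200 (WordPress re-renders the form on a failed login and redirects with 302 on success). The following detection is an added example, not part of the original write-up; the log lines are constructed, and the threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log fields we need: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: six rapid failed POSTs from one source (the pattern a
# wordlist attack produces) plus a normal visitor who loads the form and logs in.
SAMPLE_LINES = [
    f'192.168.56.1 - - [23/Jul/2021:10:00:{i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'
    for i in range(6)
] + [
    '192.168.56.20 - - [23/Jul/2021:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"',
    '192.168.56.20 - - [23/Jul/2021:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}


def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of failed wp-login.php POSTs inside any
    `window`, for sources that reach `threshold`. A failed WordPress login is a
    POST answered with 200 (form re-rendered); a success answers 302."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), hits)
    return alerts
```

The same counter also catches the username-enumeration phase, since every guess there is a failed POST too; rate-limiting wp-login.php or using a plugin that returns one generic error for both bad usernames and bad passwords removes the “Invalid username” oracle the attack relies on.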

STEP 3: Reverse Shell

Here we see that the user we logged in as is the administrator of the site. From here we can look for a way to get a reverse shell.

By editing the 404.php theme file we can force a 404 error on the site and get the page to execute the PHP we modified. Using netcat we listen on our own machine on port 1234, waiting for the site to connect back.

We got a connection!

STEP 4: Privilege Escalation

If we navigate to the home directory we see a user “robot” who has a list of interesting files.

Can’t access the key yet

The password file looks like it’s for the user robot, with an MD5 hash of their password. We can crack this hash using many different tools, but for this write-up I’ll focus on Hashcat, JohnTheRipper, and an online cracker like CrackStation.

Let’s start with the easiest one, CrackStation. We can just paste the hash and let it do its magic.

Just like that in 2 seconds we have the password for robot.

Just in case, and to demonstrate other methods, we can try it using JohnTheRipper and Hashcat as well. We will be using the wordlist rockyou.txt to crack the hash.

Using Hashcat

All three methods give us the same result, a password of “abcdefghijklmnopqrstuvwxyz”. Let’s use this to switch users to robot.

Need a terminal

Ran into a bit of a snag here since we aren’t in a proper terminal. I planned on doing this later but it seems we need to solve this right now. We can spawn a proper terminal using python.

Spawning a terminal

Second Flag Captured

STEP 5: Root Access

From here we can assume that the final flag will be in the root directory, so we want to find a way to get root access.

Here we search for any binary that runs with the setuid bit set as root when we execute it.

Here we see we have nmap listed, so let’s take a look at the version and what privilege escalation options we could have.

Versions 2.02–5.21 of Nmap have an interactive mode that can be exploited.
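The setuid search in Step 5 is exactly the check an administrator should run first, against a baseline of the setuid binaries the system is supposed to have: anything outside that list, such as the setuid nmap on this box, is a finding to investigate or to strip with chmod u-s. This audit is an added example, not part of the original write-up; the allow-list is a constructed, illustrative baseline to be replaced with one built from your own distribution’s packages, and make_demo_tree() builds a constructed fixture so the audit can be exercised without root.

```python
import os
import stat
import tempfile

# Constructed, illustrative allow-list of setuid binaries normally present on a
# Linux host; build the real baseline from your own distribution's packages.
EXPECTED_SETUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/pkexec",
}


def find_setuid(root="/"):
    """Return sorted [(path, owner_uid)] for every regular file under `root` with
    the setuid bit, staying on the starting filesystem (skips /proc, /sys, ...)."""
    found = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        kept = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass
        dirnames[:] = kept                      # prune other filesystems in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return sorted(found)


def unexpected_setuid(root="/", allowed=EXPECTED_SETUID):
    """Setuid files not on the allow-list; a setuid nmap would show up here."""
    return [path for path, _uid in find_setuid(root) if path not in allowed]


def make_demo_tree():
    """Constructed fixture: a temp dir with one setuid file named like the
    offending binary, so the audit can be exercised without root."""
    base = tempfile.mkdtemp(prefix="setuid-audit-")
    os.makedirs(os.path.join(base, "usr", "local", "bin"))
    path = os.path.join(base, "usr", "local", "bin", "nmap")
    open(path, "w").close()
    os.chmod(path, 0o4755)                      # rwsr-xr-x, the state found on the box
    return base, path
```

Run unexpected_setuid("/") as root on a real host; on a well-maintained system the list should be empty, and any entry is either a documented exception or a candidate for chmod u-s.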

Now we have root access and can find and capture the last flag that is most likely in the root directory.

The last flag has been captured.

