CTF-Writeups/TryHackMe/MrRobot.md

TryHackMe-MrRobotCTF

NMAP

Nmap scan report for 10.10.200.232                                        
Host is up (0.23s latency).                                               
Not shown: 997 filtered ports                                             
PORT    STATE  SERVICE  VERSION                                           
22/tcp  closed ssh                                                        
80/tcp  open   http     Apache httpd                                      
|_http-server-header: Apache                                              
|_http-title: Site doesn't have a title (text/html).                                                                                                
443/tcp open   ssl/http Apache httpd                                                                                                                
|_http-server-header: Apache                                                                                                                        
|_http-title: 400 Bad Request                                                                                                                       
| ssl-cert: Subject: commonName=www.example.com                                                                                                     
| Not valid before: 2015-09-16T10:45:03                                                                                                             
|_Not valid after:  2025-09-13T10:45:03                                   

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                      
Nmap done: 1 IP address (1 host up) scanned in 60.16 seconds

PORT 80

Looking at robots.txt which is just a basic enumeration looking for these files

We have two files here fscoiety.dic which looks like a wordlist and key-1-of-3.txt which has the first flag

Gobuster

/images (Status: 301)
/index.php (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/wp-login.php (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/wp-includes (Status: 301)

This was the list of directories I was able to find but only wp-login was of our interest rest of them were giving forbidden access messages

So we need to know the usernames , there isn't any username on the blog so we might have to do trial and error to guess it but we have fsociety.dic that might be useful for usernames so let's intercept the login request to get paramters and then start bruteforcing it with hydra But it's going to take a lot of time bruteforcing against a list of usernames so as this box has theme of mr robot and the main character of that series is elliot

So this username is correct all we need to do is bruteforce against the words in fsociety.dic but picking the first word which is true it has 150 matches so it has a number of words repeated in it so we need to remove repeated words (I checked this through sublime's regex mode)

You see the difference in the repeated words

Perfect now let's continue with intercepting the request and bruteforcing it against hydra

But hydra was taking longer than usual so I moved to wspcan to bruteforce elliot's password

Now go to Appearance -> Editor Then select the Twenty Fifteen theme and paste the php reverse-shell from pentest monkey (GitHub one)

Click on the update button

Stablize the shell

In the home directory of robot we can see a md5 hash that we need to crack inorder to switch user

We can see a cronjob running on the system

Looking for SUID we find nmap having SUID bit

Going to GTFOBINS