Mr. Robot is a vulnerable machine with several open ports. The goal of this machine is to break the security of the target and find the 3 keys stored on it. The walkthrough is explained below in detail.

Once you fire up the Mr. Robot VM in VirtualBox or VMware Player, you will see the start screen shown below.

[Screenshot: Mr. Robot VM start screen]

You can download Mr. Robot virtual machine from here.

Okay, let’s try to break into the machine; hope you enjoy the journey with me 😀

1. Discover all the live hosts on the network with netdiscover.


2. Discover the open ports and the applications running on them with nmap.


3. Discover all the directories on the web server using dirb.


4. Check the robots.txt file.


5. We got key 1 (out of 3 keys), which was placed in the robots.txt file.


6. We found another file, fsocity.dic, that was also listed in robots.txt. After opening it, we found that it is a wordlist with many duplicate entries. Therefore, we deduplicated it and saved the unique entries as shortfsocity.dsc.


7. To build the http-post-form string, we captured the HTTP POST request sent by the login form.


8. After a little research with nikto and source code analysis, we found that the website is running WordPress, so we jumped onto /wp-admin (wp-login) and tried fuzzing. The results were not satisfactory, so we used fsocity.dic as a wordlist in hydra to brute-force the username and password.


9. We successfully got the username and, using the same wordlist, started brute-forcing the password.
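From the defender's side, the brute-force in steps 8 and 9 leaves a very recognisable trace in the web server access log: one client posting to wp-login.php over and over and receiving 200 each time (WordPress re-renders the form on a failed login and answers a successful one with a 302). The detector below is an added example, not part of the original walkthrough; the log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect_wp_login_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: max_failed_attempts} for clients that exceed `threshold`
    failed wp-login.php POSTs inside any `window_s`-second sliding window.
    A failed WordPress login is answered with 200 (form re-rendered); a
    successful one redirects (302), so 302s are not counted as failures."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or not ev["path"].startswith("/wp-login.php"):
            continue
        if ev["status"] != 200:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample log: one legitimate user (one failed try, then a 302 success)
# and one wordlist-driven client firing 25 attempts in 25 seconds.
def build_sample_log():
    fmt = '{ip} - - [10/Jan/2024:12:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" {status} 4500 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.0.0.7", sec=1, status=200),
             fmt.format(ip="10.0.0.7", sec=9, status=302)]
    lines += [fmt.format(ip="10.0.0.99", sec=s, status=200) for s in range(10, 35)]
    return lines

if __name__ == "__main__":
    print(detect_wp_login_bruteforce(build_sample_log()))   # {'10.0.0.99': 25}
```

The same logic is a direct fit for a fail2ban-style filter or a SIEM rule; pairing it with the 302 that eventually follows the run of 200s tells you the guess succeeded.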


10. The username and password we got are Elliot and ER29-0652. Log in through wp-login and see what is interesting in the WordPress dashboard. Luckily, we got into the dashboard; now try to upload a reverse shell for a remote connection. We uploaded Pentestmonkey’s PHP reverse shell as a zipped plugin.


11. Unfortunately, I did not get a remote connection (shell) through the plugin upload. I copied the PHP reverse shell code, pasted it into the theme's 404 page, and the code worked.
Note: the IP in the reverse shell should be that of your Kali machine.


12. First, open a netcat listener on port 1234, the port specified in the PHP reverse shell code.


Then request any random page on the target IP that does not exist, so that the modified 404 page (and with it the reverse shell) is executed.


13. Let us see which shell we got in netcat.


14. We got a limited shell. Now we try for a bash shell; for that, we check whether python is installed on the target system. We spawned a bash shell and found ourselves in the daemon account.


15. We found the key 2 file but did not have permission to read it. We did have access to another file containing a secret hash.


16. Let us try to crack the hash first.


17. The hash was cracked and we got the password of the robot account, which has access to the key 2 file.


18. After getting 2 keys we moved into the root folder, but we were not able to open the key 3 file because of the limited privileges assigned to the robot account.
We checked whether any application running on the target system could be used to gain access to the root account.


19. Look for any outdated service running on the target system, working from the tmp directory we mounted.


20. Luckily, we found nmap (version 5.3.4) on the target system; this version provides an interactive mode that can be used to get root access.


21. Through nmap’s interactive mode, we obtained key 3 (out of 3 keys) in the root folder, which only the root account can access.


Congratulations !!!

Here is the root flag. Hope to see you soon … !!!


another CTF here. More CTFs are coming soon.

If you are interested in writing guest blogs, please visit this page.


