Mr. Robot Walkthrough

Hello everybody! this is my first CTF walkthrough and i am very excited about it. I hope u all like it. I will be solving Mr robot CTF.

You all can visit this link and try the lab for yourself its free https://tryhackme.com/room/mrrobot .

1. we will enumerate the target vm for services using nmap tool.

we see that port 80 is open for http service.

2. we use gobuster on https://10.10.65.169:80 with . gobuster dir -u http://10.10.209.121:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

we have found a directory named robots (coincidence! i think not). we traverse to robots directory and what do we find.

it tells us about 2 files one is a key and other a dictionary. first we get the key.

we will then download the fsocity.dic .


3. we will run nikto tool on the target vm to find hidden files.

from above result we see that there is a login page, but what about username and password we dont know it.

4. In our nikto scan we saw a directory license . we visit this directory and inspect the element and we get.


it is a base64 code. on converting it gives.


There we have it. username and password. login using this username and password we find in users the other username.

Now there are a lot of ways to access the shell on target Vm. I will be showing you one of them. After a little bit snooping we found that the template editor can be used to run our reverse shell.

copy the reverse shell code and replace the 404 template code with it and click update file. Now lets listen to the incoming connections.

Voila! we have accessed the shell. Now go to /usr/robots there we find 2 files one our 2nd key and the other a password file for user- robot.

we crack the md5 hash and find the password.

Using this we gain super control as robot user and open the 2nd key file.


5. We still don't have root level access. Its time to to escalate our privileges. we start of by searching for SUID files.

we see nmap file. lets execute that.

we can see that it has an option to run shell and as it is a SUID file we can gain root access. Now let's go to root directory and get our 3rd flag.

Hurray! we have found all three. hope you liked it.

Comments

Post a Comment

Popular posts from this blog

Agent Sudo Challenge

Image
Hi everybody! I am back with yet another CTF Challenge. You all can try this challenge at https://tryhackme.com/room/agentsudoctf . Let's Begin. 1. we have to enumerate the given Vm link to find how many service ports are open. Nmap results will give you the no of open ports. 2. Now we have to redirect ourself to a secret page. if you visit the site it says that you have to use your own agent and the hint tells us to use agent C. we can change our web browser agent through Dev tools or using external plugins from web store. 3. Now load the main page again and you will get a message. 4. Now we know the username and we also now he has a weak password. In nmap scan we found that a ftp port is open. we can use hydra on this port to find Chris's password. Boom! we found his password. 5. login using ftp and list the directory. we find 3 files . 6. Download these files. 7. There is a message in To_agentJ.txt . It says that the login password is in the fake pic's. This clearly in
Read more

MetaCTF 2020 writeup

Image
Hi everybody! I recently took part in MetaCTF CyberGames 2020 which was held on 24 Oct. Here is the link if you want to try the challenges -  https://compete.metactf.com/30/ This is my writeup. Hope you all like it! WEB Exploitation 1. High Security Fan Page Description- Someone has changed the password to the admin panel. We have to find the password. On inspecting the source code we found a suspicious JavaScript being loaded into the page . On visiting the JavaScript we found the username and password to the admin panel. The Flag was the password to the panel. 2.  Everyone Loves a Good Cookie Description-  Cookies are used by websites to keep track of user sessions and help with authentication. Can you spot the issue with this site and convince it that you're authenticated? Upon visiting the page we found an input field and a submit button. We tried common password and hit submit. The page responds with a Set-Cookie parameter as shown below: We tried sending request by changing t
Read more