TryHackMe Mr. Robot CTF Writeup: Step-by-Step Guide to Capture All Flags.


 

TryHackMe Mr. Robot CTF Walkthrough -dp1h3r0x

 

PROBLEMS :-


  1. Find the key-1.txt

  2. Find the key-2.txt

  3. Find the key-3.txt


SOLUTIONS :-


STEP 1 :-   First Scan The IP by Nmap.


IP Scan by Nmap -dp1h3r0x


 

STEP 2 :-  Looking at the nmap scan, SSH (port 22) is closed, but ports 80 and 443 are open. An open port 80 means a website is running. Let's check this website.



Check the website on port 80 of the IP address




STEP 3 :-  First, view the source code of this page.




View source of the website page-dpiherox




But there is nothing special to find.


STEP 4 :-  Let's try directory fuzzing.


Directory fuzzing by wpscan - dp1h3r0x team





 After fuzzing, I found two directories that are very interesting: [/wp-login] and [/license].

 Let's go to [/robots.txt].




Check robots.txt





Download key-1-0f3.txt; this is flag 1.



                              We Solved the first problem.



STEP 5 :-  Let's go to the [/license] URL and view the source code.




License page of this website and find the base64 code





See, I found the base64 code. Let's decode it.




Base64 decoding by echo




Maybe this is the credential for [wp].


STEP 6 :- Let's go to the [/wp-login] url page.




WP (WordPress) login page.




Use the credential to access the admin panel of [wp].



WordPress (WP) Admin Dashboard/Panel




  Now, think: if you access the panel, what will you do? I will try to insert a PHP reverse shell to access the server. Let's gooo... find any [.php] file to edit, and insert your malicious PHP code.




Wp Website dashboard appearance- inject code




  I found that [404.php] seems to be editable. So, I inject the malicious PHP code here.

 

STEP 7 :- Set up the listener using [netcat], then refresh or access the page [404.php] for the reverse connection.




nc start on kali terminal -dpiherox



Go to the page....




Error page after refreshing the website once netcat has started





 Don't worry about the error; check your nc session.




Permission denied: not within the user's permissions

                      

  Look! I accessed the shell. Go to the home directory of the user robot. See, key2 is here. Let's cat key2, but permission is denied. So, try another way.


STEP 8 :- Check the id of the shell. In step 7, I see the id is [daemon]. So, change the id to 'robot'; that's why we need the password of robot. In the step 7 picture, we can see [password.raw-md5]. Cat the raw-md5 file and crack the password. I think this is the password of 'robot'.






Hash file of the robot user





Hash value found by CrackStation




Crack the password (the MD5 hash) using CrackStation.



STEP 9 :- Using the password, switch to the 'robot' user and get flag 2.





Second flag of this challenge




       WOW....

         
      
      We Found The Second Flag and Solved The Second Problem



STEP 10 :- In this part, I will try to get root access to the machine and find the final flag. So, let's goooo...

  First, check where the key3.txt flag is; maybe it is in the /root directory. Also find the [SUID] files (what is suid? go to suid). Apply this command in the terminal: [find / -perm -u=s -type f  2>/dev/null]



Find the [SUID] files in the terminal





  See, I found nmap. I am using the nmap interactive shell to gain root access.






nmap interactive shell to gain root access.






Use those commands to gain root access.




We gained root access. -dp1h3r0x



                      Holax,  We've gained the root access. 


Let's cat the final flag of this challenge.




Third and last flag of this ctf tryhackme
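
From the defender's side, the SUID search in STEP 10 is also the audit that would have caught the setuid nmap before anyone else did. The script below is an added example, not part of the original walkthrough: it triages the same find output against a baseline, where the ALLOWED_SUID and RISKY_SUID lists, the function names and the sample paths are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage setuid files, as listed
# by the find command in STEP 10, against a reviewed baseline.
# ALLOWED_SUID and RISKY_SUID are illustrative assumptions; tune them per host.

# Binaries assumed to be legitimately setuid on a typical Linux install.
ALLOWED_SUID="passwd su sudo mount umount chsh chfn newgrp gpasswd"
# Tools with an interactive or scripting mode that should never be setuid.
# nmap is the one found in this walkthrough; the rest are assumed peers.
RISKY_SUID="nmap vim find bash sh python perl"

# in_list WORD "a b c": succeeds when WORD is one of the listed names.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# classify_suid: reads one path per line on stdin, prints "LEVEL<TAB>PATH".
classify_suid() {
    while IFS= read -r path; do
        name=${path##*/}                  # file name without the directory
        if in_list "$name" "$RISKY_SUID"; then
            level=CRITICAL                # remediate with: chmod u-s "$path"
        elif in_list "$name" "$ALLOWED_SUID"; then
            level=OK
        else
            level=REVIEW                  # unknown: confirm it is expected
        fi
        printf '%s\t%s\n' "$level" "$path"
    done
}

# audit_suid DIR: same search as the page's command, kept to DIR's filesystem.
audit_suid() {
    find "$1" -xdev -perm -u=s -type f 2>/dev/null | sort | classify_suid
}

# count_level LEVEL: counts classified lines on stdin at the given LEVEL.
count_level() {
    awk -F '\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample listing, so the triage can be seen without scanning a host.
sample_paths() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/local/bin/nmap /opt/app/helper
}

# Usage: sh suid_audit.sh /   (with no argument, triage the constructed sample)
if [ $# -gt 0 ]; then audit_suid "$1"; else sample_paths | classify_suid; fi
```

Run it as root so find can read every directory, and treat each CRITICAL line as a setuid bit to remove with chmod u-s.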





THANK YOU EVERYONE.










