Mr Robot CTF

Wed 13 July 2016

This is a Mr.Robot challenge from You can obtain the virtual machine from: here

First, let's find the target on our network:

netdiscover target

Our target machine is, let's run an nmap scan on it:

nmap scan target

Nothing interesting, just a web server and a closed SSH port 22. Browse the target and run nikto on the web server.

nikto scan target

The site is WordPress. The interesting things are in red.

Spidering the site with OWASP ZAP found robots.txt:

robots.txt on target

We are able to locate the first of three keys :)

first key is found

Exploring further after the nikto scan, we found some encrypted text in license.txt, thanks to Firebug. The text was hidden at the bottom of the page after a long blank space.

found encrypted text

I ran the encrypted text through HashID but couldn't determine its type. Then I decided to try it in OWASP ZAP, and decrypted it as base64:

zap decrypt txt
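A defender-side check for the license.txt finding above, as an added example that is not part of the original write-up: it scans the text of a web-served file for base64 tokens that decode to a `user:password` shape and reports how many blank lines sit directly above them. The function name, the sample text and the credential in it are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold "user:pass", with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Decoded text that looks like "name:secret" in printable ASCII.
CRED_SHAPE = re.compile(r"^[\w.@-]{2,32}:[\x21-\x7e]{3,64}$")


def find_encoded_credentials(text):
    """Return (line_number, blank_lines_before, decoded_text) for each
    base64 token in `text` that decodes to something shaped like user:password.

    blank_lines_before counts the empty lines directly above the token,
    which is how the string in this write-up was pushed out of view.
    """
    findings = []
    blank_run = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        for token in B64_TOKEN.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64, or not text: ignore
            decoded = decoded.strip()
            if CRED_SHAPE.match(decoded):
                findings.append((lineno, blank_run, decoded))
        blank_run = 0
    return findings


# Constructed sample: one line of licence text, 40 blank lines, then an
# encoded made-up credential at the very bottom of the file.
SAMPLE_CRED = "demo_user:Demo-Pass-123"
SAMPLE = (
    "Licence text for the demo site.\n"
    + "\n" * 40
    + base64.b64encode(SAMPLE_CRED.encode()).decode()
    + "\n"
)

if __name__ == "__main__":
    for lineno, blanks, decoded in find_encoded_credentials(SAMPLE):
        print(f"line {lineno}: {blanks} blank lines above, decodes to {decoded!r}")
```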

This is the username:password. I tried to log in with these credentials and this is the result:

We are successfully logged in to the admin panel. Now I think about how to upload a reverse shell. We know that WordPress is PHP-based, so I decided to upload a PHP reverse shell in the footer of the theme:

Catching the reverse shell with ncat, and we are daemon on the target machine:

After looking around I located the second key. But we weren't able to read it because of permissions.

Let's try to crack the freshly found MD5 hash. I didn't want to fire up John for this, so I ended up looking online at CrackStation to decrypt it. The password is the alphabet.

Now I try to log in as SU, but my shell didn't allow me to do that; perhaps I need to spawn /bin/bash:

So I upgraded the shell with this Python script, and logged in successfully as the robot user:

Now we can read the second key:

I can't find the last key for now ... Probably I will need root access to the target machine, but for now I didn't find a way to obtain it.