Wednesday , October 24 2018
Privilege Escalation in Mr. Robot CTF


Mr. Robot is a vulnerable machine with several open ports. The goal is to break into the target machine and find the 3 keys stored on it. The walkthrough is explained below in detail.

Once you fire up the Mr. Robot VM in VirtualBox or VMware Player, you will see the screen below.


You can download the Mr. Robot virtual machine from here.

Okay let’s try to break into the machine, hope you enjoy the journey with me 😀

1. Discover all the live hosts in the network with netdiscover.

2. Discover the open ports and the applications running on them with nmap.

3. Discover all the directories on the web server using dirb.

4. Check the robots.txt file.

5. We got key 1 (of 3), which was placed in the robots.txt file.

6. We found another file, fsocity.dic, that was also listed in robots.txt. After opening it, we found that it is a wordlist full of duplicate entries. Therefore, we deduplicated it and saved the unique entries as shortfsocity.dsc.

Note: the target IP changes below; it is 192.168.1.46, and the local IP of my attacker (Kali) machine is 192.168.1.54.

7. For http-post-form we captured the HTTP POST request of the login form.

8. After a little research with nikto and source-code analysis, we found that the website runs WordPress, so we jumped to /wp-admin (wp-login) and tried fuzzing. The results were not good enough, so we used fsocity.dic as a wordlist in hydra to brute-force the username and password.

9. We successfully got the username, and with the same wordlist file we started looking for the password.

10. The username and password we got are Elliot and ER29-0652. Log in through wp-login and see what is interesting in the WordPress dashboard. Luckily we got into the dashboard; now try to upload a reverse shell for a remote connection. We uploaded Pentestmonkey's PHP reverse shell as a zip.

11. Unfortunately, I did not get a remote connection (shell) through the plugin upload. I copied the PHP reverse shell code into the 404 page instead, and that worked.
Note: the IP in the reverse shell code must be that of your Kali machine.

12. Open a netcat listener first on port 1234, the port specified in the PHP reverse shell code.

Then open any random page on the target IP that does not exist, so the 404 page is served.

13. Let us see which shell we got in netcat.

14. We got a limited shell. Now we try for a bash shell. For that, we check whether python is installed on the target system, spawn a bash shell with it, and get access to the daemon account.

15. We found the key 2 file but did not have permission to open it. We got access to another file that contains a secret hash.

16. Let us try to break the hash first.

17. The hash was cracked and we got the password of the robot account, which has access to the key 2 file.

18. After getting 2 keys, we moved into the root folder but could not open the key 3 file because of the limited privileges assigned to the robot account.
We check whether any application running on the target system can be used to get access to the root account.

19. Look for any outdated service running on the target system that we mounted in the tmp directory.

20. Luckily, we found nmap (version 5.3.4) on the target system, which provides an interactive shell that can be used to get root access.

21. Through nmap's interactive mode, we obtained key 3 (of 3) from the root folder, which only the root account can access.
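As an added example that is not part of the original walkthrough, here is the defender's counterpart to steps 19 and 20: an nmap that is owned by root and carries the SUID bit hands its interactive shell root's privileges, so a routine audit should list every SUID-root file and flag anything outside the set the distribution is expected to ship. The baseline set, the sample find output and the /usr/local/bin/nmap path are assumptions made up for the example; the live check assumes GNU find's -printf.

```python
import subprocess

# Baseline of SUID-root binaries a Debian/Ubuntu-style base install ships.
# This set is an assumption for illustration; build yours from a clean image
# of the same release the target runs.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

def parse_find_output(text):
    """Parse 'owner path' lines into [(owner, path), ...].
    Input format is what `find / -perm -4000 -type f -printf '%u %p\n'` prints."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        owner, _, path = line.partition(" ")  # split once: paths may contain spaces
        entries.append((owner, path))
    return entries

def unexpected_suid_root(entries, baseline=EXPECTED_SUID_ROOT):
    """Return root-owned SUID paths that are not in the baseline, sorted."""
    return sorted(p for owner, p in entries if owner == "root" and p not in baseline)

def audit_live_system():
    """Run the find command on this host (GNU find, -printf) and audit the result."""
    result = subprocess.run(
        ["find", "/", "-perm", "-4000", "-type", "f", "-printf", "%u %p\n"],
        capture_output=True, text=True, check=False,
    )
    return unexpected_suid_root(parse_find_output(result.stdout))

# Constructed sample resembling the walkthrough's target: a root-owned nmap
# with the SUID bit set. The nmap path is made up for the example.
SAMPLE = """\
root /usr/bin/passwd
root /usr/bin/sudo
root /usr/local/bin/nmap
root /bin/su
robot /home/robot/tool
"""

if __name__ == "__main__":
    for path in unexpected_suid_root(parse_find_output(SAMPLE)):
        print("review SUID-root binary outside baseline:", path)
```

Anything the audit reports is not automatically malicious, but each hit should be explained by a package or removed with chmod u-s.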

Congratulations !!!

Here is the root flag. Hope to see you soon … !!!



About Kamran Mohsin

Kamran Mohsin is a Certified Ethical Hacker, currently working as a penetration tester at a private company in Pakistan. He is also doing a Master's in Information Security. He worked in web development (front- and back-end) in recent years. Over time he took an interest in hacking and started writing blogs on IS in late 2015.
