{"id":82,"date":"2021-02-27T21:43:00","date_gmt":"2021-02-27T21:43:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=82"},"modified":"2025-12-13T21:44:15","modified_gmt":"2025-12-13T21:44:15","slug":"mr-robot-tryhackme-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=82","title":{"rendered":"Mr. Robot- TryHackMe lab"},"content":{"rendered":"\n

Today I am working on the Mr Robot CTF from tryhackme.com. I am using the video from DarkSec to help with parts.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I start with an nmap scan against the host to see what ports are open<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I can see port 80 and 443 are open, these ports are used for http and https so I open the web browser to see what kind of site we are working with<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

The website is themed from the show Mr. Robot and is really cool. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Checking the page source, you can see a cool easter egg: “You are not alone”<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Checking the robots.txt page, we can find the first key and a dictionary file, I download the dictionary file.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I run gobuster to check for any other interesting pages on the web server, wp-login looks the most interesting.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

wp-login leads to a WordPress login page<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Next I turn on my burp proxy on the FoxyProxy plugin before opening Burp Suite<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I make sure my intercept is on then go attempt to login to the WordPress site with admin, admin<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

This gives me the error below, this error is bed because it can be used to find a valid username<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n

I run Hydra against the login page and come up with a username “Elliot” I tried to login with the password of test but that didn’t work<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I get a new error message, this one is also a very bad practice, I can now use this error to find a valid password
Using Hydra again, I specify the username and use the dictionary file I pulled down to find the password, I find the password and log into the WordPress site.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

WordPress Version 4.3.1
This user has access to the editor, I will now start a netcat listener and see if I can get a PHP reverse shell<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

PHP Reverse shell code: https:\/\/github.com\/pentestmonkey\/php-reverse-shell\/blob\/master\/php-reverse-shell.php<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n

I edit the code and save it, then navigate to the page, when the page loads, I get the reverse shell<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I find a file on the server that has the MD5 has of the password for a user account<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I put the hash in John the Ripper to crack it, I get the password above<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I have to upgrade to an interactive shell to login as the user<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I get in and access the account of the robot user, I am still not root though
Looking for SUID binaries, I find one for nmap
I open an interactive shell and use the command from gtfobins to get root<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

I now have root access!<\/p>\n","protected":false},"excerpt":{"rendered":"

Today I am working on the Mr Robot CTF from tryhackme.com. I am using the video from DarkSec to help with parts. I start with an nmap scan against the host to see what ports are open I can see port 80 and 443 are open, these ports are used […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-82","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/82","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=82"}],"version-history":[{"count":1,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/82\/revisions"}],"predecessor-version":[{"id":83,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/82\/revisions\/83"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=82"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=82"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}