CTF: Mr Robot (TryHackMe)
We have to find 3 hidden keys located on the machine.
by Priyada
1. Start the machine
• Open TryHackMe and connect to the VPN (from the Access page).
• Start the machine. Note the IP of the target machine.
2. nmap scan
nmap -A -p- -v TargetIP
We can see 3 ports are open (22, 80 and 443).
3. Copy the target IP and paste it into the URL bar. We will get a web page.
Inspecting this page won't give any result.
4. Now do directory brute-forcing to find hidden directories.
gobuster dir --url http://targetip/ -w /usr/share/wordlists/dirb/common.txt
We can see /login, /robots, /license, etc.
5. Copy /login and paste it after the target IP (targetip/login).
We will get a WordPress login page.
6. Copy /robots (from gobuster, point 4) and paste it (targetip/robots).
We will get one .txt file and one .dic file listed.
7. Now targetip/key-1-of-3.txt (from point 4) will give a key, which is the
answer to the 1st TryHackMe question. Copy the key and paste it into TryHackMe.
8. Now open targetip/fscocity.dic. The file will be downloaded into our
Downloads folder.
Use the commands cd Downloads and ls, then cat fscocity.dic to open the file.
We will get a list of names.
9. Copy /license from gobuster (point 4) and paste it (targetip/license).
We will get another page. Scroll down and we can see a base64 string
(ZWxsaW90OkVSMjgtMDY1Mgo=).
10. Decode the above string from base64 (it is an encoding, not encryption).
We will get a user name and password (Elliot and ER28-0652).
11. Go back to the WordPress site (targetip/login), as given in point 5, and
enter the user name and password to log in.
We can see the dashboard of the WordPress site.
12. Click Appearance → Editor and, from the right side, click on 404 Template
(it is a PHP file). We can use it to get a reverse connection.
13. Search for "reverse shell php pentestmonkey"
(https://pentestmonkey.net/tools/web-shells/php-reverse-shell).
Download the file and extract it.
14. We can see php-reverse-shell.php after extracting it.
15. Open the PHP file and edit the IP (the TryHackMe internal IP) and port.
16. Save php-reverse-shell.php.
Now copy the entire contents of the file (php-reverse-shell.php). Go back to
the WordPress dashboard (point 12) and paste the shell script into the 404.php
page (404 Template). Before updating it, let us use netcat in the terminal.
17. Open a terminal and use netcat to listen on the port.
nc -lnvp 1234
Press Enter and then update the file in WordPress.
We can see the message "File edited successfully".
(http://10.10.208.10/wp-admin/404.php)
18. Now in the terminal we can see a $ prompt. Type whoami and we will get daemon.
19. Now use pwd and ls -la. We can see home.
20. cd home and again use ls -la. We can see robot.
21. cd robot, then ls -la, and we will get password.raw-md5 and key-2-of-3.txt.
• cat key-2-of-3.txt and we will get the second key. Paste it into TryHackMe.
• cat password.raw-md5 and we can see a hash:
c3fcd3d76192e4007dfb496cca67e13b
22. Using an MD5 decryptor (a hash lookup service, https://www.dcode.fr/md5-hash),
look up the hash. Paste the hash and press Decrypt (click "I'm not a robot"),
and we will get the password abcdefghijklmnopqrstuvwxyz.
23.
• To get an interactive shell, use
python -c 'import pty; pty.spawn("/bin/bash")'
in the terminal.
• Now use su robot and paste the password we got from the MD5 decryptor (as in
point 22). We will get the robot shell.
24. Sometimes a misconfigured nmap gives us a path to root.
Type nmap and we can see the version of nmap is Nmap 3.81.
25. Use the command nmap --interactive to get an nmap shell.
26. To get access to root, use !sh and check with whoami.
27. We can see we have root access. Now we can navigate to the root directory.
Use cd .. twice and type pwd. We can see /; now use ls -la.
28. Using ls -la, we can see root.
Use cd root, and ls -la will show us the 3rd key.
cat it to get the key: cat key-3-of-3.txt.
Now paste it into TryHackMe.
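
Steps 10 and 22 work because base64 is a reversible encoding and a raw MD5 carries no salt. The Python below is an added example, not part of the original walkthrough: it reproduces both recoveries with the values quoted above and contrasts them with salted PBKDF2 storage. The helper names and the candidate list are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Values quoted in the walkthrough (steps 9 and 21).
LICENSE_B64 = "ZWxsaW90OkVSMjgtMDY1Mgo="
RAW_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"


def decode_credentials(blob):
    """Base64 is an encoding: anyone can reverse it without a key."""
    text = base64.b64decode(blob, validate=True).decode("utf-8").strip()
    user, _, password = text.partition(":")
    return user, password


def match_raw_md5(digest, candidates):
    """Return the candidate whose unsalted MD5 equals digest, else None.

    With no salt, equal passwords always give equal hashes, so a
    precomputed table (the lookup site in step 22) answers instantly.
    """
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None


def hash_password(password, salt=None, rounds=600_000):
    """Hardened storage: per-user random salt plus slow PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, derived


def verify_password(password, salt, expected, rounds=600_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, rounds)[1], expected)


if __name__ == "__main__":
    print(decode_credentials(LICENSE_B64))
    sample = ["password", "letmein", "abcdefghijklmnopqrstuvwxyz"]  # constructed list
    print(match_raw_md5(RAW_MD5, sample))
    salt_a, hash_a = hash_password(sample[2])
    salt_b, hash_b = hash_password(sample[2])
    print(hash_a != hash_b)  # same password, different stored values
```

The decoded user name comes back in lower case (elliot).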