Explor1ng
Good day. Today I walk through a CTF dedicated to my favorite TV series, "Mr Robot". I use the netdiscover utility to find the target's IP address.
![](../img/post3/image1.png)
netdiscover
A scan for open ports shows a closed SSH port and two web ports: HTTPS on 443 and HTTP on 80.
![](../img/post3/image2.png)
On port 80, I see something like a UNIX terminal, but it's just a script.
![](../img/post3/image3.png)
In the robots.txt file I find two interesting files: the first is a wordlist and the second is the first flag.
![](../img/post3/image4.png)
![](../img/post3/image5.png)
Shell
Using the DirBuster utility, I find a WordPress blog and its login page.
![](../img/post3/image6.png)
Since the main character is called Elliot, we can assume that this is the username. Using the wordlist obtained earlier and WPScan, I find the credentials for WordPress.
![](../img/post3/image7.png)
wpscan --usernames Elliot --passwords /root/Mr_Robot/fsocity.dic --url http://192.168.2.102/wp-login.php
Elliot:ER28-0652
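Seen from the defender's side, a wordlist run like this one appears in the web server's access log as a burst of POST requests to /wp-login.php from a single address. The following is an added example, not part of the original walkthrough: it flags such bursts in combined-format log lines and notes whether one of the guesses succeeded. The sample log lines, the IP addresses, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format fields used here: client IP, timestamp, method, path, status.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag sources sending >= threshold POSTs to /wp-login.php within window.
    Expects lines in chronological order, as a web server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = defaultdict(int)     # ip -> all login POSTs seen
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        totals[ip] += 1
        if len(q) >= threshold:
            flagged.setdefault(ip, {"success_after_burst": False})
        # WordPress answers a failed login with 200 and a successful one with
        # a 302 redirect, so a 302 to a flagged source means a guess worked.
        if ip in flagged and m["status"] == "302":
            flagged[ip]["success_after_burst"] = True
    return {ip: {"attempts": totals[ip], **info} for ip, info in flagged.items()}

def sample_log():
    """Constructed sample: 192.0.2.10 tries 30 passwords in 30 s and the last
    one succeeds; 192.0.2.20 is a user who mistypes once, then logs in."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [(base + timedelta(seconds=i), "192.0.2.10", 302 if i == 29 else 200)
            for i in range(30)]
    rows += [(base + timedelta(seconds=5), "192.0.2.20", 200),
             (base + timedelta(seconds=15), "192.0.2.20", 302)]
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {st} 3456 "-" "-"'
    return [fmt.format(ip=ip, ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z"), st=st)
            for ts, ip, st in sorted(rows)]

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(sample_log()).items():
        print(ip, info)
```

A source flagged with success_after_burst set is the case to escalate first: the account's password should be treated as known to whoever ran the guesses.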
Now I load a PHP reverse shell and log in.
![](../img/post3/image8.png)
Boot2User
In the robot user's home folder, I find a file containing the password as an MD5 hash. To crack it, I go to the hashkiller website and get the user's password.
![](../img/post3/image9.png)
robot:abcdefghijklmnopqrstuvwxyz
Since the SSH port is closed, I use su to get the user's rights, and I get the second flag.
![](../img/post3/image10.png)
python -c 'import pty; pty.spawn("/bin/sh")'
su robot
R00t access
Using nmap, I get root access and get the third and last flag.
![](../img/post3/image11.png)
/usr/local/bin/nmap --interactive
!sh