Mr-Robot boot2root from,151/

I started by running netdiscover to see what IP the server had taken. In my case the server's IP is

After finding the server's IP I started an nmap scan.

We can see that we have 2 ports open (80 http, 443 https)

I opened up my browser and hit the server's IP

It gave you a console where you could enter commands. I browsed through the commands and found nothing. After having no luck with the console I checked the source to see if I could find anything.

Again no luck. I didn't find anything other than some cool art saying "you are not alone". After finding nothing on the face of the website I ran uniscan to see if there were any interesting files. I also used dirb to find other pages but had the same results as with uniscan.

uniscan does this nice thing of printing all the data to an HTML file after it completes the scan, which I will place a link to below.

Uniscan Report :

After looking at the reports I found a robots.txt which contained the first of 3 flags and a dictionary attack.

key 1-of-3

I decided to download both files, as the dictionary would come in handy if we came across a login page.

I browsed and had a look at other pages and came across license.txt

I checked license.txt and right at the bottom, after a couple of jokes, there is a base64 encoded string, which turned out to be creds.

When I read the uniscan report I noticed it had a ton of WordPress references. I searched for the default login page /wp-login.php

There are two ways to get in: you could either use a tool called wpscan and launch a dictionary attack with the file we found earlier, or just log in with the creds we found in license.txt. I advise you to try the dictionary attack as it's good practice; try using different tools as well, like hydra.

I opened the appearance/editor and saw that I could upload anything I wanted.

I used msfvenom to make a PHP reverse TCP payload and started nc on port 4444.

And bam, we have our shell.

python -c 'import pty; pty.spawn("/bin/bash")'

I dug around the server and found these in /home/robot

I went online and found what the md5 hash was. It was the alphabet, so I logged in to the robot user.

I was looking around the server and I found nmap was installed as root. I looked into it but couldn't find anything, so I had a quick peek at another write-up and found out that if you run nmap --interactive you can execute commands as root.

I looked in the root directory and finished the CTF.

I really enjoyed the CTF. I liked how it gave you what you needed to break in to the WordPress account but also gave another, faster opportunity to those who dug through all the files and enumerated properly.
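
The WordPress steps above (dictionary attack on /wp-login.php, login, then the theme editor) leave a recognisable trail in the web server's access log. The following is an added example, not part of the original write-up, that flags that sequence per client IP. The log lines are constructed, `analyze` and `sample_log` are hypothetical names, and the status-code meanings and the `/wp-admin/theme-editor.php` save path are assumptions about default behaviour of older WordPress releases.

```python
import re
from collections import defaultdict

# Common/combined access-log prefix: ip, ident, user, [time], "METHOD path proto", status
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def analyze(lines, fail_threshold=10):
    """Return {ip: [findings]} for the guessing -> login -> theme-edit chain."""
    fails = defaultdict(int)
    findings = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        ip, status = m["ip"], m["status"]
        path = m["path"].split("?", 1)[0]
        if path == "/wp-login.php" and status == "200":
            # Assumption: a failed login re-renders the form with 200.
            fails[ip] += 1
            if fails[ip] == fail_threshold:
                findings[ip].append("password-guessing")
        elif path == "/wp-login.php" and status == "302":
            # Assumption: a successful login redirects to /wp-admin/.
            if fails[ip] >= fail_threshold:
                findings[ip].append("login-after-guessing")
            fails[ip] = 0
        elif path == "/wp-admin/theme-editor.php":
            # Assumption: this WordPress version saves theme edits by POSTing here.
            findings[ip].append("theme-file-edit")
    return dict(findings)

def sample_log():
    """Constructed log lines (documentation IP ranges), not taken from the VM."""
    fmt = '{} - - [01/Jan/2024:10:00:{:02d} +0000] "{} HTTP/1.1" {} 512'
    rows = [fmt.format("192.0.2.10", i, "POST /wp-login.php", 200) for i in range(12)]
    rows += [
        fmt.format("192.0.2.10", 13, "POST /wp-login.php", 302),
        fmt.format("192.0.2.10", 20, "POST /wp-admin/theme-editor.php", 200),
        fmt.format("198.51.100.7", 30, "POST /wp-login.php", 200),  # one typo
        fmt.format("198.51.100.7", 31, "POST /wp-login.php", 302),
        fmt.format("198.51.100.7", 32, "GET /robots.txt", 200),
    ]
    return rows

if __name__ == "__main__":
    for ip, found in analyze(sample_log()).items():
        print(ip, found)
```

A single mistyped password followed by a successful login stays below the threshold and produces no finding; tune `fail_threshold` to the site's normal login noise.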