Important points I learned from Mr Robot CTF
by Najam Ul Saqib
  I did the Mr. Robot CTF today on www.tryhackme.com. Rather than writing yet
  another walkthrough (there are tons of them online already), I thought it
  would be more useful to share the lessons I learned from the room.
  
  tags: ctf
  GoBuster is better than DirBuster:
  
    I ran DirBuster against the machine for quite some time, but it missed some
    pages, including robots.txt. robots.txt is an important page here and it
    carried some useful information. GoBuster found robots.txt, so in this
    case GoBuster performed better.
  
  If it's WordPress, go nowhere but WPScan:
  
    If the target is WordPress-based, WPScan is your go-to tool for both
    enumeration and brute forcing. I tried several tools for brute forcing
    credentials on the machine (Burp Intruder, Hydra, Metasploit, etc.), but
    they all took a lot of time, whereas the brute forcing done by WPScan (via
    XML-RPC, which I explain next) was fast and very efficient.
  
  XML-RPC in WordPress:
  
    WPScan detected XML-RPC on the Mr. Robot machine. XML-RPC is essentially
    WordPress's remote API; it is exposed to brute forcing because it applies
    no rate limiting, and it has its own request syntax. WPScan used this to
    brute force the credentials rather than going through the wp-login.php
    page. From the defender's side, the usual fix is to disable xmlrpc.php when
    nothing needs it, or to put rate limiting in front of it.
  
  Always sort and uniq the wordlist:
  
    This was a hard-learnt lesson. The wordlist provided by the machine
    contained over 8 lac (800,000) records, and brute forcing that many words
    obviously took forever. Sorting the wordlist and running uniq on it reduced
    it from over 8 lac words to just 11k words, which is a massive difference.
  
    Use the command: sort file.txt | uniq > output.txt to perform
    this operation.
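
    The following is an added example, not a command from the original post. It
    wraps the sort/uniq step in a small POSIX sh function, strips carriage
    returns and trailing whitespace first (a CRLF copy of "password" is a
    different line to sort/uniq and would survive plain deduplication), and
    reports the line counts before and after. The sample wordlist is
    constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): deduplicate a wordlist as the
# post describes, with two practical caveats handled:
#   1. CR characters and trailing whitespace are removed first, otherwise
#      "password\r" and "password  " would not collapse into "password".
#   2. LC_ALL=C makes sort compare bytes, which is faster and deterministic
#      on large lists such as the 800,000-line one mentioned in the post.
# "sort | uniq" is kept to mirror the post; "sort -u" is equivalent.

# dedup_wordlist IN OUT : write the cleaned, sorted, unique list to OUT
dedup_wordlist() {
    in="$1"
    out="$2"
    tr -d '\r' < "$in" \
        | sed 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | LC_ALL=C sort | uniq > "$out"
}

# count_lines FILE : print the number of lines (for before/after comparison)
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# make_sample_wordlist OUT : constructed sample with plain duplicates, a CRLF
# duplicate and a trailing-space duplicate (7 lines, 4 distinct words)
make_sample_wordlist() {
    printf 'password\nletmein\npassword\nletmein\r\nqwerty\npassword  \n123456\n' > "$1"
}

# Demo: run the cleanup on the constructed list and show the reduction.
demo_dir=$(mktemp -d)
make_sample_wordlist "$demo_dir/wordlist.txt"
dedup_wordlist "$demo_dir/wordlist.txt" "$demo_dir/clean.txt"
echo "before: $(count_lines "$demo_dir/wordlist.txt") lines, after: $(count_lines "$demo_dir/clean.txt") lines"
rm -rf "$demo_dir"
```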
  
  Use tun0's IP as LHOST on THM:
  
    I got stuck here for a long time. This one is specific to TryHackMe users:
    I was setting my wlan0/eth0 IP as LHOST while trying to get a shell,
    whereas the tun0 (VPN) IP is the one to use. I have explained this in more
    detail in another blog post; click here to read the explanation.
  