Important points I learned from Mr Robot CTF
by Najam Ul Saqib
I did the Mr. Robot CTF today from www.tryhackme.com, I thought it would be better to share the lessons I learned from Mr. Robot's CTF rather than writing a walkthrough (as there are tons of walkthroughs available online on Mr. Robot)tags: ctf
GoBuster is better than DirBuster:
I ran gobuster on the machine for quite some time but it didn't capture some pages which also included robots.txt, robots.txt is an important page and it carried some useful information, GoBuster detected robots.txt so in this case GoBuster performed better
If its "Wordpress", go nowhere but "WPScan":
If the target is wordpress-based then WPScan is your go-to tool for enumeration and bruteforcing, I tried different tools for bruteforcing credentials on the machine like Burp Intruder, Hydra, MetaSploit etc but they all took a lot of time whereas bruteforcing performed by WPScan (using XML-RPC which I'll explain next) was fast and very efficient.
XML-RPC in Wordpress:
WPScan detected XML-RPC on the Mr. Robot's machine, XML-RPC is basically an API for communication on Wordpress, its vulnerable to bruteforcing meaning there is no rate limiting on XML-RPC, there is a specific syntax for it, WPScan used exploited this vulnerability to bruteforce the machine rather than using the wp-login.php page
Always sort out and uniq the wordlist:
Well, this is a hard learnt lesson, the wordlist provided by machine contained over 8 lac records and obviously bruteforcing so many words took forever. Sorting the wordlist and using uniq on it reduced the wordlist from over 8 lac words to just 11k words, that's a massive difference.
Use the command: sort file.txt | uniq > output.txt to perform this operation
Use tun0's IP as LHOST on THM:
I got stuck here for long time, this is specific for TryHackMe users, I was setting my wlan0/eth0's IP as LHOST while trying to get shell whereas tun0's IP is the way to go. I have explained this in more detail in other blog post, to read the explanation click here