TryHackMe – Mr Robot
1. The first step, as always, is an nmap scan. It shows that the HTTP, HTTPS and SSH ports are open.
2. Then I took a look at the robots.txt file using curl (this can also be done in a browser). Here I found our first key and also a dictionary file. I used curl to display the key and downloaded the dictionary file using wget. The key is 073403c8a58a1f80d943455fb30724b9
3. I also started dirbuster the moment I knew port 80 was open, and it found a login page.
4. An interesting thing about a WordPress login page is that it tells you separately whether the username was correct or not.
5. I used Burp Suite to brute force the login form using the given dictionary file. I captured the request and sent it to Intruder. Here I used a cluster bomb attack on the username and password positions. However, I recommend using hydra unless you have the pro version of Burp Suite, since the community edition throttles Intruder.
6. A different response length suggests an anomaly. So I tried the corresponding values, with username Elliot and password true. The error message states that the password is incorrect, which is a direct hint that the username is correct. The next step is to brute force this login form again using Elliot as the username.
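The username enumeration described in steps 4 to 6 comes from the login handler answering differently depending on which check failed. The added example below is not from the writeup or from WordPress; it contrasts a verbose handler that behaves like the one described with a hardened one that returns a single message and performs the same amount of hashing work whether or not the user exists, so neither the wording nor the response length leaks which usernames are valid. The user store and the password are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credential store: username -> (salt, PBKDF2 hash). Not a WordPress database.
_SALT = b"constructed-demo-salt"  # fixed (not random) only so the demo is reproducible


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"elliot": (_SALT, _hash_pw("correct horse battery staple", _SALT))}

# Hash compared against when the username does not exist, so the work done is identical
# for real and non-existent users (no timing side channel on top of the message one).
_DUMMY = _hash_pw("dummy", _SALT)


def login_verbose(username: str, password: str):
    """Leaky behaviour as described in the writeup: a distinct message per failure cause."""
    rec = USERS.get(username.lower())
    if rec is None:
        return False, "Invalid username."
    salt, stored = rec
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return False, "The password you entered for the username is incorrect."
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Hardened: one message and one hashing cost regardless of whether the user exists."""
    rec = USERS.get(username.lower())
    salt, stored = rec if rec is not None else (_SALT, _DUMMY)
    # The `rec is not None` guard stops a guess equal to the dummy password from passing.
    ok = hmac.compare_digest(_hash_pw(password, salt), stored) and rec is not None
    if not ok:
        return False, "Invalid username or password."
    return True, "Welcome"


if __name__ == "__main__":
    for handler in (login_verbose, login_uniform):
        print(handler.__name__, handler("nobody", "x"), handler("elliot", "x"))
```

With the uniform handler, an attacker sorting Intruder results by response length sees the same length for every failed attempt, which removes the signal used in step 6.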
7. This time I tried hydra, to show brute forcing with a different tool. It actually reported tons of passwords, but all of them were wrong for some reason. So I tried again with wpscan.
8. A look at fsocity.dic shows that it contains lots of duplicate words. So I filtered it through sort and saved the unique words in another file. The command I used for this is: sort --unique --ignore-case fsocity.dic > fsocity2.dic
9. Then I used this file as the wordlist to brute force the login form and obtain the password. For this I used wpscan; the command is: wpscan --url http://10.10.232.12 --usernames Elliot --passwords fsocity2.dic --password-attack wp-login
So after half an hour I finally stumbled upon the password of Elliot: ER28-0652
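A half-hour wpscan run like the one in steps 7 to 9 leaves thousands of POST requests to wp-login.php from one address in the web server's access log. The added example below is not part of the writeup; it is a small detector a defender could run over Apache combined-format logs to flag source addresses that exceed a threshold of login POSTs inside a sliding time window. The log lines are constructed inline, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict for a well-formed combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_bruteforce(lines, path="/wp-login.php", threshold=10, window=timedelta(minutes=5)):
    """Map ip -> peak number of POSTs to `path` within any `window`, for ips at or above threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log: one address hammering the login form, one browsing normally
# with a few human-paced login attempts.
def _line(ip, second, method="POST", path="/wp-login.php", status=200):
    ts = datetime(2024, 3, 15, 10, 0, 0) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "{method} {path} HTTP/1.1" {status} 512'


SAMPLE_LOG = (
    [_line("10.0.0.5", s) for s in range(30)]                      # 30 POSTs in 30 seconds
    + [_line("10.0.0.9", s * 60, "GET", "/") for s in range(3)]    # ordinary page views
    + [_line("10.0.0.9", 200 + s * 30) for s in range(3)]          # three login attempts
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # only 10.0.0.5 is flagged at the default threshold
```

The check keys on request rate rather than on status codes, because WordPress answers a failed login with 200 and a page, not a 401, so a status-based rule would miss exactly this traffic.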
10. I also tried using these credentials to SSH into the server but wasn't able to.
11. My next approach was to use a reverse shell to get a shell on the server.
12. For this I downloaded a php-reverse-shell script from this link and changed the IP address to my machine's. NOTE: Kali already has this file. Try finding it. HINT: it's under webshells
13. Then I started a listener on my server using: nc -lvnp 1234
14. Then I logged into the WordPress server and followed this path: Appearance --> Editor --> 404.php. Here I pasted the php-reverse-shell code and requested the page using curl. You can also browse to it normally using any browser.
15. And voila, I got a reverse shell. I upgraded my shell using: python -c 'import pty; pty.spawn("/bin/bash")' Then I went to the home folder and was able to locate the 2nd key, but wasn't allowed to access it and got a permission denied. So I looked at the other file instead.
16. The interesting thing to notice here is that two strings are separated by a colon. This is often used to denote a username and password combination. We also have a hint that this is a password hashed with MD5. So my next step was to crack it by looking it up on crackstation.net. The result was abcdefghijklmnopqrstuvwxyz.
17. Then I used su to switch to another account (robot in this case)
18. This last step took me ages to find. I used find to look for all files with the SUID bit set. The command was: find / -perm -u=s 2>/dev/null
19. Then I ran the same command on my own system and compared the output. The interesting thing was that nmap was listed on the target server.
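The comparison in steps 18 and 19 is exactly the check a defender should automate: keep a baseline of the SUID binaries a build is supposed to ship and alert on anything extra. The added example below is not part of the writeup; it parses the output of the find command used above (or walks the filesystem directly), diffs it against a baseline, and returns the unexpected entries. The baseline and the find output are constructed; a real baseline would be generated from a known-good image of the same distribution.

```python
import os
import stat


def collect_suid(root: str = "/") -> set[str]:
    """Walk `root` and return regular files with the SUID bit set (equivalent of find -perm -u=s)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # unreadable or vanished entry; same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def parse_find_output(text: str) -> set[str]:
    """Turn saved `find / -perm -u=s` output into a set of paths."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def unexpected_suid(found, baseline) -> list[str]:
    """SUID files present on the host but absent from the approved baseline."""
    return sorted(set(found) - set(baseline))


# Constructed baseline: SUID binaries a minimal Debian-style image is expected to carry.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Constructed output of the find command run on a host, including an entry that is not in the baseline.
SAMPLE_FIND_OUTPUT = """\
/bin/su
/bin/mount
/bin/umount
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/local/bin/nmap
"""

if __name__ == "__main__":
    print("unexpected:", unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT), BASELINE))
    # On a live host: print(unexpected_suid(collect_suid("/"), BASELINE))
```

Running this from a cron job or a configuration-management check turns a manual "compare with my own box" into a repeatable alert; the interactive-capable nmap in the writeup would have been flagged the day it was installed with that bit set.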
20. This felt like I was onto something. Looking into it, I found that the version of nmap was very old and had a feature called interactive mode, which would allow me to get a shell from nmap.
21. Then I tried the id command and saw that my effective user ID was root's. Privilege escalation was complete. The last step was to browse to the root folder and cat the 3rd key.