Today we will root the Mr Robot 1 machine from Vulnhub.
As usual, first find the IP of the machine.
nmap -sn 192.168.18.0/24
Now let's do a scan on the machine.
nmap -sV -O -A -T5 192.168.18.96
There is a web server running on port 80. Let's have a look.
Cool, let's do a directory scan with Gobuster.
root@kali:~# gobuster dir -u 192.168.18.96 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
We have wp-content, wp-admin and wp-login on the server, so we can guess that a WordPress installation is there.
Before that, let's have a look at robots.txt.
This robots file blocks fsocity.dic and key-1-of-3.txt.
fsocity.dic is a wordlist. Let's save it so that we can use it for fuzzing later.
This is key-1-of-3. That means we need to find 2 more keys.
Now we need to find the username and password. Go to the login page and try the usual combinations.
Now let's try to find out usernames from our .dic file using Burp Suite.
Capture the request and send it to Intruder.
Click Clear and select the username field as the position to insert the payload.
Now run this command to remove the repeated lines in the file fsocity.dic
sort fsocity.dic | uniq > test.txt
The first file is 6MB and our new file is just 94KB. Use this file as the payload list in Burp.
Now load the file and start the attack. The attack will be faster in paid versions of Burp Suite.
The usual response length is 4145 if the username is wrong, but when the username is elliot the response length is 4196. Let's try that in the browser.
The username elliot is right. Now we need to find the password using the same method.
Get the login request, send it to Intruder, and use the same file for fuzzing.
We got the password too: ER28-0652. We are logged in.
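From the defender's side, the username and password runs above leave a very visible trail: a burst of POSTs to wp-login.php from one client, with the response size toggling between the two lengths the post observed. The following Python check is an added example, not part of the original post; the access-log lines are constructed, and the 60-second window and 5-attempt threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not from the original post).
# 192.168.18.10 fires a burst of login POSTs; 192.168.18.20 is a normal visitor.
# Sizes mirror the post: 4145 for a wrong username, 4196 once the username was right.
SAMPLE_LOG = """\
192.168.18.10 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [10/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [10/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4196 "-" "Mozilla/5.0"
192.168.18.10 - - [10/Mar/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.20 - - [10/Mar/2020:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.168.18.20 - - [10/Mar/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Return (ip, timestamp, method, path, size), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], size

def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with at least `threshold` POSTs to /wp-login.php inside any `window`.
    Returns {ip: {"attempts": total, "sizes": [distinct response sizes]}}; the
    distinct sizes are reported because the enumeration keyed on a size difference."""
    stamps, sizes = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            stamps[rec[0]].append(rec[1])
            sizes[rec[0]].add(rec[4])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(times), "sizes": sorted(sizes[ip])}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, response sizes {info['sizes']}")
```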
Now we need a reverse shell. Let's do that by editing a page template.
Visit the following page and select 404 Template.
http://192.168.18.96/wp-admin/theme-editor.php
This page is shown in case of a 404 error in this WordPress installation. If we add our backdoor script to this template and then load a non-existent page, we get a reverse shell. Paste the contents of the following file there
http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
and update the IP and port with your attacker IP and listening port number.
Let's get a shell from this page. First listen from Kali with nc, then connect from the server.
nc -nlvp 4444
Visit any non-existent page on the site
http://192.168.18.96/melbin.in
We got a shell.
When we look at the home folder of user robot, we can find a file named password.raw-md5.
We also have key 2 of 3 there, but we don't have read permission on it.
Let's open the password.raw-md5 file.
Let's copy the MD5 hash and search for it online.
https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b
We have the password of robot. Let's change user to robot now. But we need to run that from a TTY shell. Use this command.
python -c 'import pty; pty.spawn("/bin/sh")'
We have nmap on the machine; we can verify it by
which nmap
Now have a look at https://gtfobins.github.io/gtfobins/nmap/#sudo to learn how to do privilege escalation with nmap.
Let's try this.
We got root access now. Let's read the second flag.
What about the third flag?
It is here.
Let's read that too.
So, we have completed Mr. Robot 1.
Cheers!