CyberTutorials.org - TryHackMe - Mr. Robot

Start by checking the robots.txt file. Notice that a path to one of the flags is included and a dictionary file is listed.

Let’s use “wget” to grab both of the files listed in robots.txt.

Output the contents of “key-1-of-3.txt” to get the first FLAG.

Use “less” to view the contents of fsocity.dic and notice that this is a wordlist that can be used in further dictionary attacks.

Attempt to discover a valid username. Notice that the login returns an “Invalid username” error when you enter a username which does not exist. Test this by providing Hydra with the “fsocity.dic” wordlist for the username parameter.

Hydra discovers that “Elliot” is a valid username.

Let’s use wpscan to perform a dictionary attack for the user “elliot”. Based on trial and error (time) I decided to reverse the “fsocity.dic” dictionary.

The password was discovered in 3 seconds. After logging into the WordPress blog, note that there is another user account (a subscriber). Use “wpscan” to dictionary attack this account as well.

Nothing of further value was found by cracking the second WordPress account.
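The username enumeration with Hydra and the dictionary attacks with wpscan described above leave a characteristic trace in the web server’s access log: a burst of POSTs to the login endpoint from one address, answered with the login form, then possibly one redirect. The detector below is an added example written for this page (it is not part of the original walkthrough and not code from Hydra or wpscan): it parses combined-format access log lines, counts failed POSTs to the standard WordPress endpoint /wp-login.php per source address inside a sliding window, flags a source that crosses the threshold, and records whether a successful login followed. It relies on WordPress re-rendering the login form with HTTP 200 on a failed attempt and answering 302 on success; the log lines, addresses and user agents are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/Nginx default). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"  # standard WordPress login endpoint


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag source addresses with >= `threshold` failed logins inside `window`.

    A failed WordPress login re-renders the form with HTTP 200; a successful
    one redirects (302) to the dashboard. Returns {ip: {"failures": n,
    "first_seen": ts, "success_after": bool}}.
    """
    failures = defaultdict(list)  # ip -> timestamps of failures in the window
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        ip = ev["ip"]
        if ev["status"] == 200:
            recent = failures[ip]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:  # slide the window
                recent.pop(0)
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "first_seen": recent[0], "success_after": False})
                alert["failures"] = max(alert["failures"], len(recent))
        elif ev["status"] == 302 and ip in alerts:
            alerts[ip]["success_after"] = True  # the dictionary attack worked
    return alerts


def build_sample_log():
    """Constructed access-log lines for this example (not real traffic)."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, size, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'

    lines = [
        line("10.0.0.5", 0, "GET", "/robots.txt", 200, 41, "curl/7.88"),
        line("10.0.0.5", 1, "GET", "/fsocity.dic", 200, 7245381, "Wget/1.21"),
    ]
    # 30 failed logins in 30 seconds from one address, then a success
    lines += [line("10.0.0.5", 10 + i, "POST", LOGIN_PATH, 200, 3411, "Mozilla/5.0")
              for i in range(30)]
    lines.append(line("10.0.0.5", 41, "POST", LOGIN_PATH, 302, 0, "Mozilla/5.0"))
    # one ordinary successful login from a different address
    lines.append(line("192.168.1.20", 100, "POST", LOGIN_PATH, 302, 0, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['failures']} failed logins since {info['first_seen']}, "
              f"success afterwards: {info['success_after']}")
```

Run it over a real log with `detect_login_bruteforce(open("/var/log/apache2/access.log"))` and tune `threshold` and `window` to the site’s normal traffic. The 302 after a burst of 200s from the same address is the most important signal: it means the dictionary attack succeeded, so the account’s password must be reset, not just the address blocked.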

The “Elliot” account is an administrative account for this WordPress blog. We can edit blog files with this account, allowing us to put a PHP reverse shell or PHP backdoor on the blog. We will use this reverse shell:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Start by populating the “Archives” page on the blog. Select and publish the “Hello World” post from the “Posts” tab on the sidebar. Once this has been activated, browse to the “Theme Editor” located under the Appearance tab of the Dashboard sidebar. Choose to edit the “Archives” file and copy-paste the reverse shell into the top of the document.

Note that you will need to change two values at the start of the shell. Set the “ip” value to that of your attack machine. Set the “port” value to the port you’d like the PHP backdoor to connect to. You will be using netcat on your attack machine to listen for the connection on that specified port.

Browse to the “archives” page and select a month to load the backdoor.

Let’s start by getting a “bash” prompt.

Let’s browse the file system for another flag.

Since we are running with limited privileges, we will need to escalate to continue. Notice that there is a “password.raw-md5” file in the /home/robot directory which can be displayed.

Crack this using hashcat.

The password was not contained within the fsocity.dic wordlist file. Use “rockyou.txt” for this.

The password should be quickly found.

Use this password to switch user (su) from the PHP backdoor daemon account.

Display the contents of the FLAG file found in the “robot” user home directory.

We are going to look for SUID files to escalate privileges and access “/root”.

nmap in interactive mode can be used.
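A SUID copy of a binary with an interactive mode, such as the nmap used above, is the classic way this box is rooted; the defensive counterpart is to know exactly which SUID files a host is supposed to carry and to alert on anything else. The audit below is an added example written for this page (not the walkthrough’s own commands): `find_suid` reproduces `find / -perm -4000 -type f` with os.walk, and `audit_suid` diffs the result against a baseline allowlist. The baseline and the sample scan result are assumptions constructed for the example; build the real baseline from your own golden image.

```python
import os
import stat

# Assumed baseline of binaries expected to be SUID on a typical Debian/Ubuntu
# host. Generate the real list from a clean install of your own image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
}

# Pseudo-filesystems that hold no real binaries and slow a full walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return sorted paths of regular files under `root` with the SUID bit set
    (equivalent to `find root -perm -4000 -type f`; symlinks are not followed)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable; not our problem here
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(found, expected=EXPECTED_SUID):
    """Diff a scan result against the baseline.

    Returns (unexpected, missing): files that are SUID but should not be,
    and baseline entries that were not seen (a package removed, or a scan
    that did not cover the whole filesystem).
    """
    found = set(found)
    return sorted(found - expected), sorted(expected - found)


# Constructed sample scan: what a host like the one in the walkthrough might
# return. A SUID nmap can spawn a shell as root, so it must never be on the list.
SAMPLE_SCAN = [
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/local/bin/nmap",
]

if __name__ == "__main__":
    # Replace SAMPLE_SCAN with find_suid("/") to audit the running host (as root).
    unexpected, missing = audit_suid(SAMPLE_SCAN)
    for path in unexpected:
        print(f"UNEXPECTED SUID: {path}  (fix: chmod u-s {path}, or remove the package)")
    for path in missing:
        print(f"baseline entry not seen: {path}")
```

Run the audit from cron or a configuration-management check and treat every unexpected entry as a finding; clearing the bit with `chmod u-s` closes this escalation path without removing the tool itself. The `missing` list matters too: a baseline entry that disappears usually means the scan was run without root or did not cover a mount point.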

Jesse Shelley