Mr. Robot — TryHackMe

Kingslayr
5 min read · Oct 15, 2021

Hello, thank you for reading. This will be my 5th write up detailing my experience with a Mr. Robot themed box!

Let's start with a basic “nmap” scan to see what we find.

sudo nmap -sC -sV IP

We have two web services hosted on ports 80 and 443, and a closed “ssh” port. I’m going to start brute forcing directories using “GoBuster” while I navigate the website.

http://IP

After this introduction from Mr. Robot we see a list of commands we’re able to run. I explored them all one by one, but I found a foothold after checking my progress on “Gobuster”.

gobuster dir -u IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,asp,aspx,py,sh,txt,xml,cfm,bak,js

The first one that caught my eye was the “wp-login.php” directory. After visiting it we get a log in page!

http://IP/wp-login.php

This is great because from here all I need to do is find usernames and passwords. During my search through the other directories with status code “200”, I found this in “/robots.txt”.

http://IP/robots.txt

We can see we have a user, a file with a “.dic” extension, and our first key! I downloaded the “fsocity.dic” file by visiting the page.

http://IP/fsocity.dic

After this I went to “/key-1-of-3.txt” and found our first flag!

http://IP/key-1-of-3.txt

The file I downloaded is large in size so I ran “sort -u fsocity.dic” to get rid of duplicate words.

Before sort
After sort

I have a log in page, a username, and a sorted dictionary list. I decided to run “hydra” and began brute forcing the login page, but to no avail.

hydra -l agent -P passwordlist.txt http-post-form

After retracing my steps I find a second foothold. Inside of “/license.txt” there is a message on the page visible through inspector tools. I move the text into the body so I can copy it.

I ran it through a base64 decoder and found a username and password!

elliot:ERC28-0652

After plugging these new credentials into the login page we have Elliot's account.

Elliot’s account

While looking thoroughly through this page I see an option for uploading media.

/upload.php

I start a listener for a reverse shell.

listener

Kali has a native script for uploading a reverse shell. I open and edit it to specify my attacking computer’s IP and the port I’m listening on.

reverse shell

Unfortunately this is sanitized so that no files with these “php” extensions can get uploaded.

failed .php extensions

After some time and research on WordPress I see an option to edit themes under the appearance tab. I click on the 404 Template and copy and paste the edited reverse shell I attempted to upload earlier.

pasted reverse shell script

I navigate to /404.php to activate the updated theme.

Success, we have a reverse shell as daemon!

reverse shell

I found key-2-of-3 shortly after and we have another username and encrypted md5 password.

key-2-of-3.txt

I went on crackstation to crack the password and it's the alphabet!

password = alphabet

I couldn’t switch user by using “su -u” because I had to upgrade my shell into a terminal environment with “python -c 'import pty;pty.spawn("/bin/bash")'”. Then I typed “su - robot” and when prompted for the password I typed the alphabet. When I verified my identity as “robot” I was able to read the flag inside the key-2-of-3.txt file.

key-2-of-3.txt

From here I start to escalate my privileges into root. I use “find / -user root -perm -4000 -exec ls -ldb {} \;” to see what I can abuse with the SUID bit set.

SUID nmap

After some research I found out some versions of “nmap” with the SUID bit set can be put into interactive mode and then broken out of into the root user. I used “nmap --interactive” and then “!sh”. I verified my identity and went to the root directory. I typed “ls” and key-3-of-3.txt has been found! Thank you for reading!

key-3-of-3.txt
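The SUID nmap finding above is exactly what a host owner should be catching before an attacker does. Below is an added example (my own code, not part of the original write-up) that parses the `ls -ld` style lines the `find` command from this post prints and flags root-owned setuid binaries that are not in an administrator-maintained allowlist; the allowlist and the sample `ls` output are constructed assumptions, not captured from the TryHackMe box.

```python
"""Audit root-owned SUID binaries against a baseline (added example)."""
import re
from typing import List, Tuple

# Assumed baseline of setuid binaries normally present on a Debian-style
# host; an admin would tune this per image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount", "/bin/ping", "/usr/bin/pkexec",
}

# Constructed sample in the shape `ls -ld` produces (not real box output).
SAMPLE_LS_OUTPUT = """\
-rwsr-xr-x 1 root root  54256 Mar 26  2015 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Mar 26  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 493052 Jul 10  2015 /usr/local/bin/nmap
-rwxr-xr-x 1 root root  10240 Jul 10  2015 /usr/local/bin/notsuid
-rwsr-xr-x 1 root root  44168 May  7  2014 /bin/ping
"""

# mode, links, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10}[.+]?)\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$"
)


def parse_suid_lines(text: str) -> List[Tuple[str, str]]:
    """Return (owner, path) for each line whose setuid bit is set."""
    found = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        # The setuid bit shows as 's' (or 'S') in the owner-execute slot.
        if m.group("mode")[3] in "sS":
            found.append((m.group("owner"), m.group("path")))
    return found


def unexpected_suid(text: str, allowlist=EXPECTED_SUID) -> List[str]:
    """Root-owned setuid binaries that are not in the baseline."""
    return sorted(path for owner, path in parse_suid_lines(text)
                  if owner == "root" and path not in allowlist)


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_LS_OUTPUT):
        print("unexpected root SUID binary:", path)
```

On a live host, feed the output of the write-up's `find / -user root -perm -4000 -exec ls -ld {} \;` into `unexpected_suid` and treat anything it returns as a finding to remove or justify.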
