https://tryhackme.com/room/mrrobot

From IMDb’s description of the Mr. Robot series: “Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he works for.”

  • valuable information is exposed in /robots.txt
  • a leaked wordlist makes it possible to brute-force the login
  • a user’s password, hashed with MD5, is saved in a file in that user’s home folder
  • an SUID binary is exploited for privilege escalation

◇ port 80 http
◇ port 443 https
◇ both ports serve what appears to be the same site

Wappalyzer shows this site runs on the WordPress CMS.

The first flag is exposed in /robots.txt.


A wordlist is also available for download: fsocity.dic, 858160 lines.
The wordlist can be condensed, as it contains many duplicates:

# sort -u sorts and removes duplicate lines in one step
sort -u fsocity.dic > fsocity_uniq.txt
# fsocity_uniq.txt, 11451 lines
A dictionary attack against the site’s directories reveals a /asc path, which opens a WordPress blog.
The login page is linked at /wp-login.php.
The main character of Mr. Robot is Elliot, and the login page confirms that this username is valid.
WPScan is used to enumerate the WordPress site, listing its plugins and themes.
No users are enumerated, but Elliot is a valid username.
WPScan can also brute-force wp-login forms and, from the research I’ve done, can do so faster than Hydra. The deduplicated fsocity wordlist contains Elliot’s password.
$ wpscan --url http://10.10.104.200/wp-login.php --usernames elliot --passwords fsocity_uniq.txt -t 40
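From the defender’s side, a brute-force run like the one above is loud: the web server log fills with POST requests to /wp-login.php from one address in a short window. The following Python detector is an added example (not part of this write-up or any tool it mentions). It parses combined-format access log lines, counts POSTs to /wp-login.php per source IP inside a sliding window, and flags addresses that exceed a threshold. The log lines, IP addresses and the threshold of 10 attempts per 60 seconds are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def wp_login_posts(lines):
    """Collect timestamps of POSTs to /wp-login.php, grouped by source IP."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            events[rec["ip"]].append(rec["ts"])
    return events


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_attempts} for IPs that POST to /wp-login.php at least
    `threshold` times inside any `window_seconds`-long sliding window."""
    flagged = {}
    for ip, stamps in wp_login_posts(lines).items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # advance the window start until it is within window_seconds of ts
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed sample: one address hammers the login form 12 times in 12 s,
    a second address logs in normally once (failed logins return 200 with the
    form re-rendered; a successful one redirects with 302)."""
    lines = []
    for i in range(12):
        lines.append(f'203.0.113.7 - - [15/Oct/2023:10:00:{i:02d} +0000] '
                     f'"POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.88"')
    lines.append('198.51.100.5 - - [15/Oct/2023:10:00:30 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"')
    lines.append('198.51.100.5 - - [15/Oct/2023:10:00:41 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('198.51.100.5 - - [15/Oct/2023:10:01:02 +0000] '
                 '"GET /wp-admin/ HTTP/1.1" 200 18020 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

On a real host the same function would be fed the lines of the web server’s access log; pairing the count with the response status (a long run of 200s followed by a single 302 from the same address is the signature of a guess that eventually succeeded) makes the alert considerably more useful to whoever triages it.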

Once the password is cracked and Elliot is logged in, the classic approach to obtaining a reverse shell is to modify a plugin .php file with reverse-shell PHP code and then trigger it by navigating to its location in the browser.

The Hello Dolly plugin is chosen from the dropdown menu in the plugin editor.
After the script is modified, navigating to /wp-content/plugins/hello.php executes the reverse shell.

An example can be found in my c0lddbox report: https://hex-men.tech/tryhackme-colddbox-report/
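Editing a plugin through the dashboard changes a file on disk, which is exactly what a file-integrity check catches. The script below is an added example (not the write-up’s or WordPress’s own code): it builds a SHA-256 manifest of a plugins directory when the install is known-good and later diffs a fresh manifest against it, reporting added, removed and modified files. The `demo()` function creates a temporary plugins folder with a constructed stand-in for hello.php (not the real Hello Dolly source), then simulates an edit and a dropped-in file.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


# Constructed stand-in for the Hello Dolly plugin file; not the real plugin source.
HELLO_PHP = ("<?php\n/* Plugin Name: Hello Dolly (constructed stand-in) */\n"
             "function hello_dolly() { echo 'Hello, Dolly'; }\n")


def demo():
    """Baseline a constructed plugins directory, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as plugins:
        os.makedirs(os.path.join(plugins, "akismet"))
        with open(os.path.join(plugins, "hello.php"), "w") as f:
            f.write(HELLO_PHP)
        with open(os.path.join(plugins, "akismet", "akismet.php"), "w") as f:
            f.write("<?php\n// constructed placeholder\n")

        baseline = build_manifest(plugins)   # taken while the install is known-good

        # Simulate an edit made through the plugin editor ...
        with open(os.path.join(plugins, "hello.php"), "a") as f:
            f.write("// appended line standing in for an unauthorised edit\n")
        # ... and a new file dropped into the plugins folder.
        with open(os.path.join(plugins, "dropped.php"), "w") as f:
            f.write("<?php\n// constructed placeholder for a newly added file\n")

        return compare_manifests(baseline, build_manifest(plugins))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

In practice the baseline manifest is stored off-host and the comparison is run on a schedule; any change to a .php file that did not coincide with a planned update is worth an alert. Independently of detection, defining `DISALLOW_FILE_EDIT` as `true` in wp-config.php removes the in-dashboard plugin and theme editor altogether, so an attacker holding an admin account cannot use that route.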

The reverse shell runs in the context of the “daemon” user. This user cannot read the second flag but can read an MD5 hash in the “robot” user’s home folder.

Crack the hash and switch to the “robot” user to read the second flag.

  • the hash can be queried on crackstation.net

The third flag is most likely in /root, so privilege escalation is needed.

Searching for files with the SUID bit set reveals the nmap binary.


According to GTFOBins (https://gtfobins.github.io/gtfobins/nmap/#suid), nmap’s interactive mode can spawn a shell that keeps the “root” context.
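An SUID bit on a binary such as nmap is a misconfiguration that a periodic audit should catch before anyone finds it the way this write-up does. The script below is an added example (not from the write-up or GTFOBins): `scan_suid()` walks the filesystem and collects regular files with the SUID bit set, and `unexpected_suid()` diffs that against a known-good baseline. The baseline list and the sample scan result, including the `/usr/local/bin/nmap` path, are constructed assumptions for the demonstration rather than values taken from the box.

```python
import os
import stat

# Pseudo-filesystems that never hold real SUID binaries; skipped to keep the walk fast.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def scan_suid(root="/"):
    """Walk `root` and return {path: mode} for regular files with the SUID bit set."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[path] = oct(st.st_mode & 0o7777)
    return found


def unexpected_suid(current, baseline):
    """Paths that carry SUID now but are absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))


# Constructed baseline: SUID binaries a minimal Ubuntu-style host is expected to have.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}

# Constructed scan result mimicking the box in this write-up: nmap carries SUID.
SAMPLE_SCAN = {
    "/usr/bin/passwd": "0o4755",
    "/usr/bin/sudo": "0o4755",
    "/usr/bin/su": "0o4755",
    "/usr/bin/mount": "0o4755",
    "/usr/bin/umount": "0o4755",
    "/usr/local/bin/nmap": "0o4755",
}


if __name__ == "__main__":
    # Against the constructed sample this reports only the nmap binary;
    # replace SAMPLE_SCAN with scan_suid() to audit the running host.
    for path in unexpected_suid(SAMPLE_SCAN, BASELINE_SUID):
        print("unexpected SUID binary:", path, SAMPLE_SCAN[path])
```

The same idea is what `find / -perm -4000 -type f` gives you interactively; the value of keeping a baseline is that a newly appeared entry stands out immediately instead of being one line among the forty or so legitimate ones. Anything on the unexpected list that GTFOBins lists as a shell-spawning binary should have its SUID bit removed (`chmod u-s`) unless there is a documented reason for it.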


The third flag is in /root.
