TryHackMe - Mr. Robot Walkthrough
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researchers || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
This room covers Linux basics: TryHackMe | Mr Robot CTF
Reconnaissance
I started by scanning the ports with Rustscan.
rustscan -a 10.10.164.30 -- -A
We observe that this machine has only 2 open ports:
Upon checking some of the commands, we were redirected to numerous videos and information about the Mr. Robot show, but nothing useful.
Now, try to access robots.txt. Here, you can see there are two entries. Let's access them one by one.
Regarding the /fsocity.dic directory, it seems to be a wordlist, but its exact purpose remains unclear to me.
Let's open /key-1-of-3.txt, and here we find key 1.
What is key 1?
Answer: 073403c8a58a1f80d943455fb30724b9
Enumerating the website, we discover several accessible directories.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.55.239
We also obtained a pair of credentials that might be useful somewhere. Additionally, we noticed several WordPress directories, so let's proceed to the login page:
/wp-login.php reveals the WordPress login panel.
Enter any username and password and intercept the request using Burp Suite.
Using this part of the request, we will brute-force the username.
hydra -L fsocity.dic -p test 10.10.70.177 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
Username: Elliot
When we enter the correct username but an incorrect password, the response is different.
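The differing response is what makes the username recoverable. The following is an added example, not part of the original walkthrough and not WordPress code: a small model of a login handler that leaks user existence next to a hardened one, plus a regression check a defender can run. The user store, the placeholder password, the function names and every message except "Invalid username" are assumptions.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password"

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated KDF rather than a raw digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user_db(users: dict) -> dict:
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name.lower()] = (salt, _hash(password, salt))
    return db

# Constructed account; the password is a placeholder, not a value from the room.
USERS = make_user_db({"Elliot": "constructed-placeholder-password"})
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Models the behaviour described above: the error depends on whether the user exists."""
    record = USERS.get(username.lower())
    if record is None:
        return "Invalid username"
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return f"The password for {username} is incorrect"

def login_uniform(username: str, password: str) -> str:
    """Hardened: same message and same KDF work whether or not the user exists."""
    exists = username.lower() in USERS
    salt, stored = USERS.get(username.lower(), (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if (exists and matches) else GENERIC_ERROR

def leaks_user_existence(login, known: str, unknown: str) -> bool:
    """Regression check: do failed logins differ for a real vs. a non-existent user?"""
    return login(known, "wrong-password") != login(unknown, "wrong-password")
```

A uniform error only removes the oracle; rate limiting or lockout on the login endpoint is still needed against password guessing once a username is known.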
We now have the username. Let's brute-force the password now.
WPScan:
wpscan --url https://10.10.55.239/wp-login.php -U Elliot -P /home/kali/Downloads/fsocity.dic1
Username:Password = Elliot:ER28-0652
Log in with these credentials.
Here, I create a reverse shell, referencing https://github.com/pentestmonkey/php-reverse-shell, and change the IP address and port.
Then I visited Media and clicked:
Start listening:
nc -lvnp 8888
Upgrade your shell using:
python -c 'import pty;pty.spawn("/bin/bash")'
Looking at the home directory of the robot user, we can see two files: key-2-of-3.txt and password.raw-md5.
robot:c3fcd3d76192e4007dfb496cca67e13b
Cracking the MD5 hash reveals the password: abcdefghijklmnopqrstuvwxyz
Let's switch user to robot.
What is key 2?
Answer: 822c73956184f694993bede3eb39f959
Privilege Escalation
I attempt to perform privilege escalation with the following command:
find / -perm -4000 2>/dev/null
or
find / -perm -u=s -type f 2>/dev/null
I try searching on https://gtfobins.github.io/ and find its vulnerability.
I follow the instructions on the website and gain root access:
What is key 3?
Answer: 04787ddef27c3dee1ee161b21670b4e4
Thanks for reading.