Room Link: https://tryhackme.com/room/mrrobot
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.
We won’t be using Metasploit for this challenge
All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.
There are 3 key to collect to complete this room
We kick off this room with enumerating the IP address provided to us with Nmap.
We have two open ports which belongs to web service. We can further enumerate with version and script scan, but unfortunately no fruitful results would we get.
If we visit the HTTP service which is running on the target machine, then we’d get below result. We can interact with by type the options, but I didn't get any information out of any option.
Let’s run a GoBuster to find any directories on that HTTP.
Gobuster is a tool used to brute-force URIs, DNS, Vhosts and S3 buckets
I am running it with common wordlist and 50 threads at a time.
We get a lot of directory names, some are redirecting and some are forbidden to access.
By looking at the result, we can say that the target HTTp server might be using WordPress.
I am more intrigued in login and robots.txt directories. Let’s visit robots.txt
Alright, I think we got our first key of 3 keys and a .dic (wordlist) file. Let’s view the key using curl command.
Let’s download the fsocity.dic file and save it on our local machine.
The file size is 7 MB, it must be a huge list. If we use WC command, then we can able to get the number of words.
It’s a huge list and if you go through the list then you’d see that there are duplicate words. We need to sort them for unique words only not repeated.
As you can see from previous result, 98% of original file was repeated words. Now we have unique word list, which we can possibly use in next enumeration.
Now, let’s visit the /wp-login and find out whether it’s wordpress site or something else.
As you can see, it is an indeed a WordPress Site. Let’s run WPscan tool to find more about WordPress.
From the result, below is the version Information
Out-dated theme is running on WordPress.
No users were found on WordPress
So, basically there’s no much Information we got other than out-dated WordPress Theme. To break into WordPress we need valid credentials.
Let’s find valid username by performing wordlist attack on login page. We can do this using Hydra tool. But first we need to capture the login request from BurpSuite tool.
Now we use the captured request to enumerate the username using recently dowloaded and sorted wordlist.
Note: You have to give the right wordlist to enumerate the username and put a random password.
We got the username, now we need to crack the password using Hydra.
Fot this attack, we use previously enumerated username and provide the same wordlist to find the valid password.
Now we have the password. Let’s login using those credentials and access the outdated theme editor. Now we can upload our php shell to target and get a reverse shell.
From the following location, edit the file to your IP address (kali linux) and port address.
Once you change IP and Port address, copy the all the content of .php file and paste it in word press theme editor “404 Template'.
Once you update, then setup a netcat listener on your machine.
Then run the shell by visiting the below link.
We got the reverse shell. Now we need to get interactive shell.
Now we run some commands to find our key, but unfortunately it’s not accessible to us. However, we got a password hash of the “Robot” user.
Let’s save it in file and crack it with HashCat Tool.
We got the password of robot user, let’s login and extract the key2.
Now we need to collect the last key. For that probably we need to escalate privileges of current user to root. We can start with finding SUID permissions of files.
Out of all the executables, there’s one that shouldn't be there. It’s nmap. If we check the version, then it’s outdated.
From GTFOBins, I got the trick to escalate the privileges using nmap.
Now we have collected all the three key from target machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.