MrRobot,a Linux box is created by user ben, was a easy box.The Initial scan show that
robots.txt. which show the first key and
fsocity.dic and using that and username
elliot we get access to word-press,using which we can get a shell.Cracking the md5 hash we can su as
robot user and grab second key. Privilege Escalation was using
nmap suid binary we can get a shell as root.
# Nmap 7.80 scan initiated Thu Apr 30 21:55:50 2020 as: nmap -sC -sV -oN nmap/mrrobot 10.10.130.158
Visiting http://10.10.130.158/robots.txt shows the first key path as
Cracking the password with user
elliot (This was a guess based on the box name) we get the password as
Low Privilege Shell
Using the appearance we can change the code of any page so i edited
404.php and placed a pentestmoney php-code to get a shell as
From the User
robot home directory we can see there is a
password.raw-md5 which we can read
daemon@linux:/home/robot$ cat password.raw-md5
Cracking the hash
using that we can
robot and can read key-2-of-3.txt
robot@linux:~$ cat key-2-of-3.txt
we see the kernel is vulnerable to exploit.
Lets try to see if we have some other easier way to Privilege Escalate.
we also see
has SUID bit set lets check gtfobins to see how to get a shell using
we see we can get a shell using
but the nmap version installed doesn’t support –script but we see an interesting flag as
using which we can get a shell as
# uname -a;id;hostname
and we can grab
# cat key-3-of-3.txt
And we have pwned this box.
Questions to Answer
What is key 1?
What is key 2?
What is key 3?