I managed to fork out some time to do the latest few VMs on Vulnhub.
As written in the description, the objective of Mr-Robot: 1 is to find 3 keys.
We will proceed to discover the content of the 3 keys in this VM challenge.
Starting off my enumeration with nmap… (all 65535 TCP ports)
Nice. I like it when the attack vector is straight-forward.
Following up with --script=http-enum on both port 80 and 443.
The robots.txt entries consist of the first key, as well as a dictionary file.
(word-list = brute-force)
*** FIRST DISCOVERED KEY ***
I downloaded the dictionary word-list as well to my machine.
Next, I ran WPScan on it.
Okay, time to make use of the dictionary file downloaded. (common sense)
Mich05654’s credentials discovered. I then logged in as him on the WordPress site. It appears that he is only a normal user (unable to edit and backdoor PHP pages).
Next, I attempted brute-force on the second user, Elliot.
I gave up after 28 minutes of waiting (while YouTube-ing).
Something is not right…
It appears that the downloaded word-list is quite huge and contains duplicate entries… (f*cking troll)
I then created a uniq-fsocity.txt, which should only contain unique entries.
BOOM. 1 minute 15 seconds, job done.
Next, I logged in as Elliot on the WordPress site. Elliot is the administrator of the WordPress site. I am now able to edit whatever I want. (PHP reverse shell~)
Time to roll~
I went on to get a copy of php-reverse-shell, conveniently located in the /usr/share/webshells/php directory.
Edited 404.php with our reverse shell, and boom. We’re in.
Remember to set up a listener first!
Focusing on the objective… (3 keys)
Our second key is located in the home directory of the user Robot.
Let’s recursively see what we got in /home
Nice password, Robot.
*** SECOND DISCOVERED KEY ***
One more key to go.
Obviously the final key should be in the /root directory. I am unable to verify that though, since I don’t have the privileges to read the /root directory.
Let’s proceed to escalate our privilege to root!
Hah??? The moment I spotted this entry, /usr/local/bin/nmap, I knew I was golden.
(I escalated my privilege before, using this path in my OSCP lab)
*** THIRD DISCOVERED KEY ***
Heheh. That’s about all, folks!
Since the objective for this VM was to discover all 3 keys, I did not bother to try other ways of privilege escalation.