Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objectives

  • Find the three hidden keys.

  • Gain initial access to the machine.

  • Escalate privileges to root.


Reconnaissance

We start by scanning for open ports with Nmap:

nmap -Pn -sCV -F -T5 <ip_victim>

The scan reveals:

  • Port 22 (SSH) - closed.

  • Port 80 (HTTP) - open.

  • Port 443 (HTTPS) - open.

Let's focus on port 80 first. Browsing to http://<ip_victim> brings up what looks like a puzzle or game. Time to start digging.


Gaining a Shell

After some exploration, we check for a robots.txt file:

http://<ip_victim>/robots.txt

Inside, we find two interesting entries:

  • A file called fsocity.dic - a wordlist.

  • The first key!

The presence of a wordlist hints at password brute-forcing. To find a login form to target, let's enumerate directories with DirBuster or similar tools.

Quickly, we discover this is a WordPress site (wp-login.php present).

Now, let's try enumerating WordPress users with wpscan:

wpscan --url http://<ip_victim> --enumerate u

Surprisingly, no luck.

Observation: when entering random credentials in the login form, it shows different error messages depending on the username, meaning valid usernames can be discovered this way.

By trying names manually (admin, root, mrrobot, fsociety...), entering Elliot triggers a different error.

Thus, we refine our brute-force:

wpscan --url http://<ip_victim>/ --usernames Elliot --passwords fsocity.dic

Or using Hydra:

hydra -l Elliot -P fsocity.dic <ip_victim> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30 -VV

Eventually, we find the password:

  • Elliot : ER*******
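From the defender's side, the wp-login.php brute force above leaves an obvious trace in the web server's access log. As an added example (not part of the write-up), this Python script counts POSTs to /wp-login.php per client in a sliding window and marks a 302 redirect arriving during a burst, which is what a successful guess looks like since WordPress answers a failed login with the form (200) and a successful one with a redirect (302). The log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample log (Apache combined format, not from the write-up): one client posts to
# wp-login.php 25 times in 25 s and then gets a 302 (WordPress' successful-login redirect);
# a second client logs in once normally.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Jan/2024:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/4.0 (Hydra)"'
     for i in range(25)]
    + ['10.0.0.5 - - [01/Jan/2024:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"',
       '10.0.0.9 - - [01/Jan/2024:12:00:10 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
       '10.0.0.9 - - [01/Jan/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-log line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def detect_login_bruteforce(log_text, threshold=20, window_seconds=60):
    """Flag clients with at least `threshold` POSTs to /wp-login.php inside a `window_seconds` window.
    A failed WordPress login re-renders the form (200) while success redirects (302), so a 302
    during a burst is the urgent signal. Returns {ip: {"attempts": peak, "success_after_burst": bool}}."""
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php":
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"attempts": 0, "success_after_burst": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            if status == 302:
                entry["success_after_burst"] = True
    return flagged
```

Run it against a real access log by passing the file contents to detect_login_bruteforce; tune the threshold to the site's normal login rate.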

Now authenticated, let's log into the WordPress admin panel!

Navigating to Appearance > Theme Editor, we find 404.php. Classic move: let's replace it with a reverse shell payload from Pentestmonkey, adapting it with our IP and port.

Start a listener:

nc -lvnp 7777

Then, trigger the shell by visiting any non-existent page.

Boom, reverse shell obtained!

To upgrade the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

Inside the system, searching /home/robot/, we find the second key, but cannot read it yet.

However, a file password.raw-md5 is accessible. It contains an MD5 hash.

Cracking the hash via CrackStation gives the password.

Switching to user robot:

su robot

With this, the second key is retrieved!

Now for root access.

Checking binaries with the SUID bit:

find / -type f -perm -04000 -ls 2>/dev/null

We spot nmap with SUID permissions!

Upon checking its version (nmap --version), it's 3.81, an old release whose interactive mode can execute shell commands.

Following GTFOBins instructions:

nmap --interactive
!sh

Root shell achieved.

Searching through the filesystem, the third and final key is found.

Mission accomplished!


Result

  • First key: found via robots.txt.

  • Second key: found under /home/robot/ after switching to user robot.

  • Third key: found after privilege escalation via the SUID nmap binary.
