Vulnhub Mr Robot Walkthrough

Before we begin we should see Mr Robot series … just kidding but I saw it and I know mr root name which I used it for this host

Lets start Scanning the host with nmap :

Nmap –A –T4 –p-  –v

Dirb gave us a lot of results :

What is interesting is the robots.txt file

Opening the key-1-of-3.txt gave us a MD5 hash :  073403c8a58a1f80d943455fb30724b9

The other file is fsocity.dic  is a dictionary file with big password list

Nikto shows that the host is running WordPress service

So now we can use WPSCAN with the word list we found, I used mrrobot as username but nothing came up then I used Elliot as the user name and it came with a password , the file is too big so lets reduce it a lil:

sort fsocity.dic | uniq > pass.txt

wpscan –url -P  /root/Downloads/pass.txt -U elliot -t 100

now lets try logging to the WordPress page using these credentials:now lets try logging to the WordPress page using these credentials:

Now we can use metasploit and upload a shell to the host :

We going to use exploit unix/webapp/wp_admin_shell_upload

And set the WPCHECK false or it wont work (had to google it to figure it out)

Viewing the password.raw-md5 we get a MD5 hash decoding it will give us :abcdefghijklmnopqrstuvwxyz

After we escape the sell by echo “import pty; pty.spawn(‘/bin/bash’)”  we need to su – robot  to switch to robot account and use the password we got

And then we can now view the other file key-2-0f-3.txt

We got a new hash and its useless

It took some time with privilege escalation till I found that the system is using namp and I can run it as nmap –interactive

And then simply !sh

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s