  1. Start with an nmap scan of the host to find what services the box is running.
  2. Navigating to the website we see a nice, cryptic Mr. Robot-esque terminal screen with scripted text. Some poking around on the web application reveals that this functionality is primarily driven by JavaScript. I poke around for a bit but don’t really see any avenues in at this point, so I run a Nikto scan, which doesn’t reveal anything too interesting.
  3. Checking the robots.txt file mentioned in the Nikto scan, I see the following.
  4. Navigating to https://172.16.27.140/key-1-of-3.txt reveals the first flag.
  5. Turning my attention to the fsocity.dic file, I see what appears to be a large file of potential usernames or passwords. I put it aside and keep it around for later.
  6. I start to enumerate the web server some more by running a dirb scan against it to see what hidden treasures I might find. I see several wp-* folders, indicating that the website likely has a WordPress back end.
  7. With WordPress identified as the back end, I run a simple wpscan to see if I can find anything interesting, but nothing jumps out as the potential issue.
  8. I attempt to enumerate the potential admin user to see if I can use the previously found fsocity.dic file as a wordlist for a brute force attack. The usual method of http://172.16.27.140/?author=1 unfortunately does not turn up anything fruitful. The same is true for the enumerate users function of wpscan. I turn my attention to the password reset function of the wp-admin console login. I notice that when I try an invalid username I get an error like the following.

    The result of an invalid username when attempting a password reset.

  9. This next part is where at least a little knowledge of the show is required. I try the usual suspects of admin, root, superadmin, etc., then I try elliot and receive a different error.

    Result with a valid username

  10. I now know I have my username, though I’m not sure if it’s an admin or not. I use wpscan’s brute force function, rename fsocity.dic (presumably the .dic stands for dictionary) to fsocity.txt just to ensure there wouldn’t be any errors, and then run my brute force attack.
  11. With a password to log into WordPress, I log in to discover that the elliot user is an administrator. I tried a couple of times to get a Meterpreter shell working to no avail, so I grabbed a PHP reverse shell from Pentest Monkey. I put comments at the top of the PHP file to masquerade it as a WordPress plugin, zipped the file, uploaded it and activated the plugin.

    I set up a netcat listener on the port and once the plugin was activated it returned a shell to my listener.
  12. With the reverse shell established, I provisioned a new Meterpreter shell and uploaded it to the server to make use of the additional functionality it provides.
  13. During earlier enumeration I tried to access the /phpmyadmin folder and was told it was only accessible from localhost. With a Meterpreter shell in place I can set up a route to hit services that were not accessible from the external machine.

    With the route in place I can now access the restricted phpMyAdmin page by navigating to http://127.0.0.1:8181/phpmyadmin from the attacking machine.
  14. Another quick bit of enumeration reveals files in the /home/robot directory, one of which is accessible to us and the other, our second key, is not.


    An online MD5 “decrypter” service reveals that the password is simply abcdefghijklmnopqrstuvwxyz.
  15. Remembering that the server was listening on TCP 21, I thought I might be able to use these credentials to log into an FTP server. There did not appear to be an FTP client available on the server, and attempting to route the traffic through a port forward resulted in a connection refused. I tried using netcat but was met with no success.
  16. The next logical step is changing my user via the su command, though I’m met with the following error.

    An easy workaround is to use the following two lines.

    Authenticated as the robot user, I can now grab the second flag, located in /home/robot.
  17. Running as the robot user is great, but we need to get root, so it’s time to focus on privilege escalation. I downloaded Pentest Monkey’s Unix-Privesc-Check onto the box using wget and received a litany of information.

    Scrolling through the warnings I see a variety of pieces of information I look into further, but the fruitful line is


    In essence it means that nmap runs under the root group. Abusing the (now deprecated) --interactive mode, we can obtain a root shell simply by launching nmap in interactive mode and then invoking the shell command.
  18. Being a part of the root group now gives me access to the /root directory. With my privileged access all that’s left to do is claim the third key and call it a day.

    All in all this was a very fun box and employed a good variety of techniques to compromise. Thanks for reading!
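Step 10 above brute-forces wp-login.php with a wordlist; from the defender's side that activity is loud in the web server access log. The following is an added example, not code from the original writeup: a detector that flags any source posting to wp-login.php with failed (HTTP 200) responses at a high rate. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))

def wp_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Map each IP that POSTs to wp-login.php at least `threshold` times within
    any `window_seconds` sliding window to its total number of failed posts.
    A failed WordPress login re-renders the form with HTTP 200; a successful
    one answers 302, so only 200 responses are counted as failures."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines instead of crashing
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0                   # left edge of the sliding window
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log: 192.0.2.10 cycles a wordlist against the login form
# (one POST per second); 198.51.100.7 is a legitimate user who succeeds at once.
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Oct/2016:10:00:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan"' for s in range(12)
] + [
    '198.51.100.7 - - [10/Oct/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]
```

Run `wp_bruteforce_sources(open("access.log"))` against a real log; tune `threshold` to the number of genuine typos your users make in a minute.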
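Step 17 turns a setuid nmap into a root shell; the durable fix on the defending side is to know which setuid/setgid binaries a host carries and why. The following is an added example, not code from the writeup or from Unix-Privesc-Check: a small audit that reports every setuid/setgid file outside an allowlist. The EXPECTED_SUID allowlist is an assumption modelled on a stock Debian-style system and should be adjusted per host.

```python
import os
import stat

# Setuid/setgid binaries a stock Debian/Ubuntu system is expected to carry.
# Assumption for this example: anything carrying either bit and not on this
# list (such as a setuid nmap) is reported for a human to review.
EXPECTED_SUID = {
    "/bin/su", "/usr/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/ping", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

def classify(path, mode, uid):
    """Return a finding string for a regular file with setuid/setgid set that is
    not on the expected list, else None (sticky directories are not findings)."""
    if not stat.S_ISREG(mode):
        return None
    bits = [name for flag, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
            if mode & flag]
    if not bits or path in EXPECTED_SUID:
        return None
    return f"{'+'.join(bits)} owned by uid {uid}: {path}"

def audit_tree(root="/"):
    """Walk `root` and yield findings; point it at a mounted image or chroot to
    audit a box offline. Unreadable entries are skipped rather than fatal."""
    skip = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, nothing to audit
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            finding = classify(path, st.st_mode, st.st_uid)
            if finding:
                yield finding

if __name__ == "__main__":
    for line in audit_tree():
        print(line)
```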