Mr Robot (Tryhackme) Room Walkthrough By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Mr Robot.
Now first of all we will navigate to the Room URL and join it.
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -T4 -A 10.10.127.12
Now we can see that 3 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.
We then searched if the webserver has a robots.txt file and found one.
From the robots.txt we see that there is a text file named key-1-of-3.txt on the server . Which means it’s the first of the three keys which we are looking for.
Lets open this text file on the browser and get the first key .
After getting the first key, we then opened the next directory given in the robots.txt file — fsociety.dic
From this webpage we got a downloadable file which on opening we found that it is some type of wordlist.
We go to the main website and found no info of use . So we have to use gobuster to see additional hidden directories and see if we can gather some info from.
gobuster dir -u http://10.10.127.12/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100
From the gobuster search we found a login webpage on the server . But we don’t have any credentials to login.
So what we can do is make use of the wordlist we previously downloaded and try to crack the username and password from it .
We will use burpsuite to crack the username and password for the webpage.
We first sent the webpage to the intruder. Then cleared every variable and added the username variable only and launched the sniper attack with the fsociety.dic wordlist we downloaded earlier.
Adding the Username Variable .
Setting Payload as fsociety.dic wordlist.
Starting the attack and getting the cracked username as Elliot. We can see this as the length of the elliot message is different than the rest in the burpsuite webpage returned.
Now we will redo the same strategy for password with Elliot as username .
Now after running the attack and waiting for some time we found the password eventually.
Now the credentials we have collected are
Username : Elliot
Password : ER28–0653.
Lets use these credentials to login into the webpage see what information is present there.
We were successfully able to login into the webpage with the credentials.
Searching for any way inside the machine we found an Editor in which we can run code on the server and if we can use this editor to run a PHP reverse shell and get a shell back on our listner , then it will be great .
We started a listener on port 4444 on our kali machine.
nc -lnvp 4444
Lets paste the PHP reverse shell code into the editor and see whether we get a shell back or not.
We copied the php reverse shell from pentest monkey and pasted it in the editor and uploaded it .
We then opened the webpage in which we pasted our php-reverse shell and it ran our php reverse shell .
Due to this we ended up getting a shell back on our listener.
Inside home directory we found a user named robot which contained 2 files
Second Key and password file in MD5 format.
We now have to crack the md5 password online to get the password for user robot.
We used the following website to crack the hash into string
We got a string : abcdefghijklmnopqrstuvwxyz
We then escalate our privilege to user robot using the credentials
Username : robot
Password : abcdefghijklmnopqrstuvwxyz
To change user to robot we used the switch user command
After login into robot we entered the robot home directory and got the second key.
Now lets escalate our privilege to root to get the third and final key.
We searched sudo permissions for user robot but the user doesn’t have any sudo permissions .
We then saw what suid permissions assigned to them. And we found a lot of tools using suid permissions .
find / -user root -perm -4000 -print 2>/dev/null
We can exploit this vulnerability to escalate our privilege to root.
We exploit the suid permission assigned to tool nmap with the help of website GTFO bins .
nmap — interactive
Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!