Third Boot2Root Mr.Robot

Hello Folks!
Link to Box :-https://www.vulnhub.com/entry/mr-robot-1,151/
Rating:- Beginner-Intermediate
Time :- 2 hours (Majorly because of brute force)

Welcome to the third Boot2Root. We start the box and do an "arp-scan -l" to find out what IP the box is running on, and with an nmap scan we found out this.
So we have an open port 80; without wasting much time let's get to it. This is how it looks, gotta admit, AMAZING visuals.

After looking at all the pages nothing interesting struck me, so I followed the very basic step, always check for "Robots.txt", and found this:

So we came up with the first flag already? 
Flag one :- 073403c8a58a1f80d943455fb30724b9
and second link is
http://192.168.0.100/fsocity.dic which is a dictionary file. Maybe we can use it for bruteforcing, so let's save it.

So without wasting much time I went on to run "dirb http://192.168.0.100" and came up with tons of links, but I luckily saw "Admin" and it was a WP page.



So the no-brainer step here: let's start with WPScan to see if we can find any users.

Unfortunately I couldn't find any users, so it's time to use the file we got from the first page and try to bruteforce some usernames.


I used hydra for this purpose 


I fed in the password as "idontknow" because for now I am interested in finding valid usernames only; you can feed in whatever you like. So the username is: Elliot. Let's use hydra again against this username to see if we can find any password from the list.





There we go Elliot:ER28-0652
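
Seen from the defending side, the two hydra passes above (many usernames with one password, then many passwords against one username) leave different patterns in login logs. The following is an added example, not part of the original post, that flags both. It assumes a hypothetical log format "timestamp src=IP user=NAME result=ok|fail"; the log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format (an assumption, WordPress does not emit this by default):
#   <timestamp> src=<ip> user=<name> result=ok|fail
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def build_sample():
    """Constructed sample log, not captured from the box."""
    names = ["admin", "root", "robot", "angela", "tyrell", "darlene", "gideon", "Elliot"]
    # Pass 1: one source walks a wordlist of usernames, one guess each.
    log = [f"2024-01-01T10:00:{i:02d} src=198.51.100.5 user={n} result=fail"
           for i, n in enumerate(names)]
    # Pass 2: the same source hammers the single username that looked valid.
    log += [f"2024-01-01T10:05:{i:02d} src=198.51.100.5 user=Elliot result=fail"
            for i in range(12)]
    log.append("2024-01-01T10:05:12 src=198.51.100.5 user=Elliot result=ok")
    # Benign user: one typo, then a successful login.
    log.append("2024-01-01T10:07:00 src=198.51.100.9 user=alice result=fail")
    log.append("2024-01-01T10:07:09 src=198.51.100.9 user=alice result=ok")
    return log

def classify(lines, user_threshold=5, fail_threshold=10):
    """Return alert tuples (kind, source_ip, detail) for the given log lines."""
    users_by_src = defaultdict(set)   # src -> distinct usernames with a failure
    fails_by_pair = defaultdict(int)  # (src, user) -> number of failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        _, src, user, result = m.groups()
        user = user.lower()  # count "Elliot" and "elliot" as the same account
        if result == "fail":
            users_by_src[src].add(user)
            fails_by_pair[(src, user)] += 1
        elif fails_by_pair.get((src, user), 0) >= fail_threshold:
            # A success after a long run of failures: treat as a likely compromise.
            alerts.append(("login_after_bruteforce", src, user))
    for src, users in users_by_src.items():
        if len(users) >= user_threshold:
            alerts.append(("username_enumeration", src, len(users)))
    for (src, user), count in fails_by_pair.items():
        if count >= fail_threshold:
            alerts.append(("password_bruteforce", src, user))
    return alerts

if __name__ == "__main__":
    for alert in classify(build_sample()):
        print(alert)
```

The "login_after_bruteforce" alert is the one to act on first, since it marks the point where guessing turned into a working session.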

So we are inside the page now; we just need to put in the reverse shell and run "nc -lvnp <PORT>" to get a session.

Link to the shell http://pentestmonkey.net/tools/web-shells/php-reverse-shell

So let's change the IP address and put this file in Appearance > Editor > Footer.php
and we visit http://192.168.0.106/admin/blog

and we get a session on the nc listener


So we get an MD5 hash, let's try to break this up. Link for the decryptor :-
http://md5decrypt.net


so now we have a username and password we can try "su robot" with robot:abcdefghijklmnopqrstuvwxyz
but to "su robot" we need to spawn a shell we can do it by
Once you spawn a shell we can do this to get inside
YAY Flag 2: 822c73956184f694993bede3eb39f959

So once we got inside I enumerated further and found nmap, and we can use nmap to spawn a root shell and get the final flag!

and the final FLAG is :04787ddef27c3dee1ee161b21670b4e4

So that's it for the day!

Thank You!!
