This is the Mr. Robot challenge from vulnhub.com. You can obtain the virtual machine from: here
First, let's find the target on our network:
Our target machine is 10.0.0.135; let's run an nmap scan on it:
Nothing interesting, just a web server and a closed SSH port 22. Browse the target and run nikto against the web server.
The site is WordPress. The interesting things are in red.
Spidering the site with OWASP ZAP found robots.txt:
We are able to locate the first of three keys :)
Exploring after the nikto scan, we found some encrypted text in license.txt, thanks to Firebug. The text was hidden at the bottom of the page after a long blank space.
I ran the encrypted text through HashID, but I couldn't determine its type. Then I decided to try it in OWASP ZAP and decoded it as base64:
This is the username:password. I tried to log in with these credentials, and this is the result:
We have successfully logged in to the admin panel. Now I thought about how to upload a reverse shell. We know that WordPress is PHP-based, so I decided to upload a PHP reverse shell in the footer of the theme:
Catching the reverse shell with ncat, we are the daemon user on the target machine:
After looking around, I located the second key, but we weren't able to read it because of permissions.
Let's try to crack the freshly found MD5 hash. I didn't want to fire up John for this, so I ended up looking it up online at CrackStation. The password is the alphabet.
Now I tried to log in with su, but my shell didn't allow me to do that; perhaps I need to spawn /bin/bash:
So I upgraded the shell with this Python script and logged in successfully as the robot user:
Now we can read the second key:
I can't find the last key for now... Probably I will need root access to the target machine, but for now I haven't found a way to obtain it.
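The license.txt step above (a blob that HashID could not type, which turned out to be base64 of a username:password pair) can be turned into an audit check for static files on your own web root. This is an added example, not part of the original write-up; the function name, the regex thresholds and the sample text are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hide a credential pair.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text shaped like "name:secret" in printable ASCII.
CRED_PAIR = re.compile(r"^[\x21-\x7e]{2,64}:[\x21-\x7e]{2,64}$")
# Pure hex of MD5/SHA-1/SHA-256 length is a digest, not an encoding.
HEX_DIGEST = re.compile(
    r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def find_encoded_credentials(text):
    """Return (line_number, decoded) for base64 tokens decoding to user:secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            # Hash tools fail on base64; base64 decoders "succeed" on hex.
            # Rule out digests and badly padded strings before decoding.
            if HEX_DIGEST.match(token) or len(token) % 4 != 0:
                continue
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            decoded = decoded.strip()
            if CRED_PAIR.match(decoded):
                findings.append((lineno, decoded))
    return findings


# Constructed sample: ordinary text, a long run of blank lines, then an
# encoded credential pair and a hex digest (both made up for this example).
SAMPLE_BLOB = base64.b64encode(b"example_user:Example-Pass-123").decode()
SAMPLE = (
    "Constructed license text, version 0.0\n"
    + "\n" * 40
    + SAMPLE_BLOB + "\n"
    + "0123456789abcdef0123456789abcdef\n"
)

if __name__ == "__main__":
    for lineno, decoded in find_encoded_credentials(SAMPLE):
        user = decoded.split(":", 1)[0]
        print(f"line {lineno}: base64-encoded credential pair for {user!r}")
```

Run it over every publicly served text file (license.txt, readme files, robots.txt) and treat any hit as a leaked credential that needs rotating, since base64 is an encoding and offers no confidentiality.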