Let’s get started by deploying the machine. Once it is up, start with a basic Nmap scan to see which ports and services are open on the target IP address.
Ports 80 and 443 being open indicates a website is running, so open https://10.10.24.7 in your browser.
The website is a Mr. Robot themed site; running the commands shown in the picture just redirects to other pages containing images and videos from the Mr. Robot TV show.
Now that we know it is a website, we should enumerate its directories with a gobuster scan and follow basic enumeration, such as checking whether a robots.txt page is available.
We’ll use a tool called gobuster, which takes an existing wordlist of common directory names, attempts to request every name in the wordlist, and looks at the returned status code. (If you are using Kali or ParrotOS, you can find these wordlists under /usr/share/wordlists/dirbuster.)
Now let’s check the directories that returned status code 200.
In the license directory we got a base64 encoded string; let’s decode it and see what we get.
These could be the login credentials for the wp-admin page, but before testing that we should look at the robots.txt file, as it might contain valuable information.
As we can see, the robots.txt file contains a lot of valuable information: a dictionary named fsocity.dic and the first flag, key-1-of-3.txt. Let’s go to these paths and download the dictionary, so that if the username and password turn out to be incorrect we could run a dictionary attack on the login page with the help of hydra.
Now let’s go to the login page and enter the credentials we found earlier in the license directory.
After entering the credentials we find that it is a WordPress website, version 4.3.1. In these scenarios we generally try to upload a reverse shell; we will upload pentestmonkey’s PHP reverse shell via Appearance
→ Editor and then select 404.php on the right.
You just have to change the IP address to your own and set any port you desire.
You can find your IP address with the ifconfig command; it is listed under the tun0 interface.
After changing the IP address and port number, paste the script into the edit section of 404.php.
Now save the template and open netcat to listen on the port (9999 in my case) by running the following command in the terminal.
nc -nlvp 9999
Now either visit 404.php or curl it from the terminal to trigger the reverse shell.
Check the netcat listener; the reverse shell should have connected by now.
As you can see, we need to be the user robot to read the key-2-of-3.txt file, but we can still read the password.raw.md5 file, so let’s do that.
We know it is an MD5 hash, so let’s try to crack it using a website named CrackStation.
After getting the password for the user robot, let’s try to switch to that user.
Switching user to robot
Now, to capture the 3rd flag we need to escalate from user to root. For this we need to find which programs have the SUID bit set (permission 4000 or higher).
The key observation is that Nmap has the SUID bit set. Administrators often set the SUID bit on nmap so that it can scan the network efficiently, since many Nmap scanning techniques do not work unless it runs with root privileges.
However, older versions of Nmap have an interactive mode that allows you to escape to a shell. If Nmap has the SUID bit set, it runs with root privileges, and we can get a ‘root’ shell through its interactive mode.
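From the defender’s side, the room hinges on two misconfigurations: a setuid binary outside any sensible baseline (nmap) and a WordPress install whose admin UI can edit theme files such as 404.php. The following POSIX shell audit is an added example, not part of this writeup or of TryHackMe’s material; the allowlist is a constructed baseline you would adjust per host, and DISALLOW_FILE_EDIT is the real WordPress constant that disables the Appearance → Editor screen.

```shell
#!/bin/sh
# Added hardening audit (not from the writeup). It reports the two weaknesses
# the room turns on: an unexpected setuid binary and a WordPress install
# whose admin UI can still edit theme files such as 404.php.

# Setuid binaries an administrator knowingly ships; anything else is reported.
# This list is a constructed example; replace it with the host's own baseline.
SUID_ALLOWLIST="passwd su sudo mount umount chsh chfn newgrp"

# Print every setuid file under $1 whose basename is not in the allowlist.
# -perm -4000 matches files with the setuid bit (04000) set, regardless of
# the other permission bits.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        case " $SUID_ALLOWLIST " in
            *" $(basename "$path") "*) ;;          # expected, keep quiet
            *) printf '%s\n' "$path" ;;            # e.g. /usr/bin/nmap
        esac
    done
}

# Return 0 if the wp-config.php at $1 disables the built-in theme/plugin
# editor (Appearance -> Editor), i.e. the upload path used in the room.
wp_editor_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Usage: sh audit.sh / /var/www/html/wp-config.php
if [ $# -eq 2 ]; then
    # nmap needs raw sockets, not full root: granting cap_net_raw with setcap
    # is the narrower fix if unprivileged scanning is genuinely required.
    audit_suid "$1"
    if wp_editor_disabled "$2"; then
        echo "OK: DISALLOW_FILE_EDIT is set in $2"
    else
        echo "WARNING: DISALLOW_FILE_EDIT not set in $2"
    fi
fi
```

Run it as root so find can stat every binary; any path it prints is a setuid file you did not consciously approve.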
Personal conclusion on TryHackMe
Personally, I’ve had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from the others, which gives a huge learning opportunity as well. I would try to upload writeups of rooms that I found interesting, but for now, I hope you also learned something from this writeup.