TryHackMe Mr. Robot room walkthrough

HinaK
Jun 24, 2021

This is a write-up covering the steps taken to solve the Mr. Robot room, a beginner-level security challenge on the TryHackMe platform.

This blog is written as part of a task for the Masters Certification in Red Team Program from HackerU.

Step 1: Connect to TryHackMe and start the target machine

1. Download the OpenVPN configuration file from the TryHackMe platform.
2. Connect to TryHackMe by running this command in a Kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

3. Start the machine in the ‘Mr. Robot’ room; the target IP address will be displayed in a minute.

https://tryhackme.com/room/mrrobot

Step 2: Information gathering using Nmap

1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

Step 3: Detailed Findings

Open ports:

22 : SSH

80 : http

443 : https

1. Accessing port 80 (HTTP)

2. Accessing source code > Found a message ‘You are not alone’

3. Viewing robots.txt > Found 1st flag ‘key-1-of-3.txt’ and a user dictionary

4. Download and save ‘fsocity.dic’. Running DirBuster to find directories and files turned up a ‘login’ page.

5. Navigate to /login/ and intercept the request with Burp Suite.

6. Capture the request in Burp Suite and forward it to the Intruder tab.

7. Select the Sniper attack type and select the username and password as parameters.

8. Load the fsocity-1.dic dictionary as the data input for the username and start the attack.

9. Found the username; now find the password with the same dictionary file.

10. Password found

11. Log in to the wp-login page with the found username and password, as the site is based on WordPress.

12. Search for a page where php-reverse-shell can be uploaded to get a reverse shell.

Found 404.php > updated php-reverse-shell here

13. Start an nc listener on the Kali machine and browse to the updated template page in the browser.

nc -nlvp 4444

Found password

Try to spawn shell:

python -c 'import pty; pty.spawn("/bin/sh")'

14. Found 2nd flag!

su robot

15. Escalate privileges and search for 3rd flag!

Search for files with the SUID bit set:

find / -perm /4000 -type f 2>/tmp/2

Got root access

nmap --interactive

16. Found 3rd flag
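
From the defender's side, the SUID search used in the privilege-escalation step can be run as a baseline check that would have flagged the nmap binary before it was abused. This is an added example, not part of the original write-up; the list of expected binaries and the sample paths are constructed assumptions to adapt per system.

```shell
#!/bin/sh
# Added example (not from the original write-up): report SUID files that are
# not part of an expected baseline.

# Assumed baseline of SUID binaries a stock system is expected to ship.
# Adjust this list to your own distribution.
is_expected() {
    case "$1" in
        /bin/su|/bin/mount|/bin/umount|/bin/ping) return 0 ;;
        /usr/bin/passwd|/usr/bin/sudo|/usr/bin/chsh|/usr/bin/chfn) return 0 ;;
        /usr/bin/newgrp|/usr/bin/gpasswd) return 0 ;;
    esac
    return 1
}

# Read one path per line on stdin (for example the output of find) and
# print every path that is not in the baseline. Blank lines are skipped.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        is_expected "$path" || printf '%s\n' "$path"
    done
}

# Scan a directory tree (default /) for SUID regular files and report the
# unexpected ones. -xdev keeps the scan on one filesystem; -perm -4000 is the
# portable spelling of the -perm /4000 test used in the walkthrough.
suid_audit() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | unexpected_suid
}

# Constructed sample of find output from a host with one stray SUID binary.
SAMPLE='/bin/su
/usr/bin/passwd
/usr/local/bin/nmap
/usr/bin/sudo'

# Demo on the constructed sample; on a real host run: suid_audit /
printf '%s\n' "$SAMPLE" | unexpected_suid
```

Any path this prints should either be added to the baseline after review or have its SUID bit removed with chmod u-s.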

With these steps, I was able to answer all questions posted in the Mr. Robot room on TryHackMe.

Thank you for reading this blog.
