Hacking Mr. Robot’s box part 2 – the first flag.

This is part 2 of the hacking walkthrough. Now that we have both boxes living securely in the same isolated network, we can actually get to the hacking bit.

So, the first thing is to have a look at Mr. Robot’s website.

Ooooh, we get a little intro. Unfortunately, playing around with the commands yields no usable intel. But let’s inspect the code, shall we?

It seems that the website runs on WordPress and there’s a login page. There’s also a ‘Really Simple Syndication’ (RSS) feed. We can save this information for later and hopefully gain more details with a website vulnerability assessment. We can use Nmap’s http-enum script to give us an idea of what’s lurking inside the web server:

Nmap’s http-enum found that the HTTP and HTTPS services expose the same resources, and there’s a fair amount of interesting stuff we want to check out.

Trying to check the /admin/ and /admin/index.html pages got me stuck in a loop and gave me nothing in terms of usable information.

Now, the /wp-login.php that we found from the source code and the Nmap enumeration is much more interesting. It’s actually a proper login page to a potential admin folder:

This means we can try to brute force it at some point. But for now let’s continue to explore the other pages found by the enumerator.

From the list, the readme.html caught my eye (surely, it wouldn’t be that easy, would it?). When accessing the page we get this:

Ouch!

Well, next we know it’s always worth checking the robots file (robots.txt). If we access it, it leads us here:

Oooooh, key-1-of-3.txt????! Opening it reveals the glorious first flag:

Not only that, we got some other potentially important clues as well: there’s some sort of ‘User-agent: *’ and fsocity.dic here that might prove useful in the future. But what does it all mean? We’ll try to figure it out in part 3.
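Seen from the defender’s side, the robots.txt step shows that the file is readable by every visitor, so anything named in it is advertised rather than hidden. The following is an added example, not part of the original walkthrough: a small Python audit that flags robots.txt lines which name individual data files or are not valid `field: value` directives. The sample content is constructed (modelled on the file names mentioned above), and the function name and extension list are assumptions.

```python
import posixpath

# Assumption: extensions that usually indicate a data file rather than a page.
RISKY_EXT = {".txt", ".dic", ".bak", ".sql", ".zip", ".log", ".conf", ".old"}
KNOWN_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}


def audit_robots(text):
    """Return (line_no, issue, value) for robots.txt lines that leak file names."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        field, sep, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep or field not in KNOWN_FIELDS:
            # Not a directive: crawlers ignore it, but any visitor can read it.
            findings.append((no, "not-a-directive", line))
            continue
        if field in ("disallow", "allow") and value:
            # Look at the extension of the path, ignoring any query string.
            ext = posixpath.splitext(value.split("?", 1)[0])[1].lower()
            if ext in RISKY_EXT:
                findings.append((no, "names-a-file", value))
    return findings


# Constructed sample, modelled on the file names this walkthrough mentions.
SAMPLE = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/site.sql   # constructed entry
fsocity.dic
key-1-of-3.txt
"""

if __name__ == "__main__":
    for no, issue, value in audit_robots(SAMPLE):
        print(f"line {no}: {issue}: {value}")
```

Any finding is a file to move out of the web root or protect with access control; removing the line from robots.txt alone does not stop the file from being served.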

