Based on the show, Mr. Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find. The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
URL: Mr Robot
Author: Leon Johnson
Set up the Machine with a host-only adapter and run a net discover command to find the associated IP. My interface eth1 is Host-Only on my main OS (Kali Linux).
netdiscover -i eth1
We can identify the machine with the IP 192.168.56.117, so we will scan it for open ports with nmap to a file named “nmap” with the following command:
nmap -sS -p- -A -o "nmap" 192.168.56.119
To start, port 80 is open so we will investigate this port with a browser.
This seems to be some type of fancy terminal on the web page. The “help” command shows a few different options, each section has a reference to the TV show Mr Robot
A closer look at the web page source reveals Wordpress running.
Let’s run a Wordpress scan with WPScan. Please note, the newer version requires an API key you can get for free on their website.
wpscan --url http://192.168.56.119/ -e u,vp,vt
According to the results, there is a robots.txt file:
75 Wordpress vulnerabilities have been identified:
And no users have been found:
The robots.txt (not a Mr Robot reference) is always a good place to start, this indicates paths that they want to remain hidden.
Going to this directory on the web directory:
There are 2 paths:
Let’s visit the fsociet.dic:
This seems to be a large wordlist. This could be used to crack a password later on.
And visiting the other path from robots.txt gives us this:
This seems to be our first key or flag for this machine.
Let’s do some more enumeration. I ran a dirb scan to find any more directories we haven’t come across. This was the following command:
Got loads of results from this. I visited all of them but the majority seem to be rabbit holes or irrelevant files for the website. There was a couple of files to note:
/readme: Wasn’t important but I wanted to share this anyway.
We have our Wordpress login. I want to try and brute this login, however, I do not have a username to brute against.
Thanks to Wordpress, we can tell if we are using the correct username when attempting to log in. This is what happens when I entered a wrong username:
The failed message indicates the username is unknown, so we can use a tool like hydra to spot a different failure message to find the correct username.
Let’s use the dictionary from before. There seem to be a lot of duplicates so let’s filter these out. We’ll use sort to do this.
sort fsocity.dic | uniq > new.dic
I also used the following command to count the lines of a file:
The line count has gone from 858160 to 11451. Let’s use this new file “new.dic” to find a username.
Let’s set up in order to brute-force the login.
You can find more information about password cracking on this article.
Get the HTTP request:
- Set up a proxy
- Open up Burp Suite, the intercept should be on.
- Enter a random username and password on the website login page, Burp Suite should capture the request. Send this to the intruder and clear variables (right-click > sent to int > clear §)
- Take note of this request. You can turn off the proxy and intercept now.
Now we can use hydra to test out a bunch of usernames against the login. This is the hydra command:
hydra -vV -L new.dic -p somepassword 192.168.56.119 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Here is a breakdown of the command above:
-vV verbose, -L dictionary, -p irrelevant password, host, brute with post form, ‘login page : POST parameters to send USER PASS are the variables : F= failed message’
Execute this command. After a few minutes I get the following result:
We have identified “elliot” as a username.
Now let’s attempt a password with this username but a different failed attempt message. This is the web page response when I enter the correct username and an incorrect password.
We have the following failed attempt message:
ERROR: The password you entered for the username Elliot is incorrect
Now let’s do the same method of bruting for the password. This is the new hydra command:
hydra -vV -P new.dic -l elliot 192.168.56.119 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password'
Notice how we are now using our username with -l elliot, and the dictionary for our password now with -P new.dic. We have also changed the failed message, I just shortened it to “The password”.
Running this command gives the following result:
login: elliot password: ER28-0652
Great. We have some credentials, so we now have authenticated access. We can now exploit this, aiming for some kind of reverse shell.
A pretty straight forward method of getting a reverse shell with Wordpress is by uploading a php reverse shell file. I learnt this with another Wordpress machine I recently completed.
You can read more about reverse shells here.
If you’re working from a Kali Linux machine, there are some pre-made web shells in the following directory:
Use the following command to copy a php reverse shell to your current directory:
cp /usr/share/webshells/php/php-reverse-shell.php .
Edit the file and add your local IP and port 4444.
I tried uploading the php file to the website however Wordpress blocks any attempt to upload php files. Another method is to upload the code to an already existing php file.
Go to the editor section on Wordpress and edit the 404.php code.
Now the payload is ready, set up a netcat listener to listen on your specified port.
netcat -nvlp 4444
Now that everything is set up, visit the modified 404.php page.
We got a shell.
First things first, I went to visit the /home directory to see who is on the system. There is a user called robot with a couple of files. I was unable to see the contents of the key file but I was able to see what was inside “password.raw-md5”.
ls -la cd /home/robot ls cat key-2-of-3.txt cat password.raw-md5
A quick search of this hash on google gave me the original plain text. This is the website that came up:
Let’s try and change the user to robot with this password that we found in his home directory. Make sure the shell is upgraded to fully interactive TTY, otherwise the command will not work.
python -c 'import pty; pty.spawn("/bin/bash")' su robot
We have successfully logged in a Robot, and we can also view the second key.
Now that we have a lower privileged user, we are aiming to escalate this for sudo rights in order to have complete ownership of the system.
Let’s firstly check for SUID. SUID is essentially a way to run a command as another user using any services running on the unix-like operating system. We can use these to elevate our current rights on the system.
This following command checks for all the SUID binaries on the system:
find / -user root -perm -4000 -print 2>/dev/null
If you are interested in another machine where SUID exploitation is needed, look at my other writeup on ByteSec - another Vulnhub machine.
When analysing these binaries, it’s good to have a list of native binaries. Here is a list:
ping ping6 passwd sudo chfn apring gpasswd chsh chfn mount sudo su umount mount newgrp pppd
We can identify NMAP as a non-native SUID. We need to investigate this further. I researched how to exploit NMAP SUID binary. This is the website I used:
Firstly, let’s get an interactive NMAP shell with the following command:
And now we can run the next command for elevated privileges:
And we have root! Nice and simple SUID exploitation for elevating rights. The last flag should be in /root: