Mr-Robot: 1 ~ VulnHub

Mr-Robot: 1 ~ VulnHub

I've been enjoying CTFs and doing writeups a lot lately! When I saw this box online…I knew I had to have a go at it. I’ve been a die-hard fan of Mr Robot since season 1. Shoutout Sam Esmail. “Hello friend, let's get started…”


Prerequisite

  • Mr-Robot: 1
  • Preferred Penetration testing Linux distro [Kali in my case]

Drop the vulnerable machine into your preferred virtual machine software. For me, that would be VMware Workstation.

Next up, we have to configure our Virtual Network…We will do this using the Virtual Network Editor on VMware Workstation. We will be sticking to these settings as shown below

  • IP = 192.168.1.0
  • Subnet Mask = 255.255.255.0
  • DHCP = Enabled
  • Adapter Type = Host-only

Followed by that, we place our vulnerable virtual machine in that newly created virtual network by editing its network adapter as shown below. Don’t forget to do the same for your penetration testing machine too!

This picture shows the editing of the Network Adapter of the target machine

That’s it! We are off to the races ヅ

Flag 1

Now that I had my environment setup, I got started with the penetration testing!


The first step to any pentest would be reconnaissance! So I went ahead and found out the IP address of the target machine since DHCP was enabled. There are a bunch of tools that could help me with this step! The most popular tool IMO would be NMAP.

However, I used NetDiscover to get the IP address of the target machine to save me some time during port scanning later on.

[email protected]:~# netdiscover

I concluded that the IP of our target machine is 192.168.1.130 as that is the only unique IP. I then moved on to ping the machine to verify that its up and running.

This is optional but just to make things a lil easier for us in the future, I added an entry in my /etc/hosts file for easier access to the target.

Now that I have the IP I moved onto enumerating the system using the Nmap tool.

[email protected]:~# nmap -A -p- mr.robot

From this, I could tell a couple of ports were open on the machine and they had some services running on them. Moreover, I could infer that this was a Linux box. Since port 80 was open and had Apache HTTPD running, I went to access it.

I was given some commands on this page to enter so I naturally entered them to see what they did. After some tries, I figured out that there were just related to the show and not really the CTF. This got me thinking and I went about my usual web pen testing methodology. I first started looking through the source and then I looked at the robots.txt. In there I found 2 entries.

  • fsocity.dic
  • key1-of-3.txt

The first one was a dictionary file of some sort and the second one was the first key sitting there waiting it to be collected by me :) I tried opening that file in the root web directory and I managed to get it.

Flag 1— 073403c8a58a1f80d943455fb30724b9

Flag 2

For the next phase of the pen test, I decided to scan the webserver with tools like dirb and nikto

[email protected]:~# dirb http://mr.robot
[email protected]:~# nikto -h http://mr.robot

Both these scans pointed me towards the WordPress directory. It looks like this webserver has WordPress installed and running. Thus, I headed to the WordPress login page.

This reminded me of the dictionary file that I discovered from the robots.txt earlier on. I thought maybe I can make use of the dictionary file and brute force my way into the WordPress admin panel. After some research, I found out that I could use hydra to try and brute force a valid username.

I modified the command to fit my scenario as such. We needed to iterate through the dictionary file for the usernames, enter the same password for each iteration and lastly, only show success if the entered username is right.

[email protected]:~/Desktop#  hydra -L fsocity.dic -p 1234 mr.robot -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid'

We have successfully identified the username as “Elliot”. I should’ve seen this coming a mile away 😂. If u watch the show I’m sure you’d know too.

Next, I needed to try brute-forcing the password from the dictionary file. I decided to use a similar command to do so.

[email protected]:~/Desktop#  hydra -L fsocity.dic -p 1234 mr.robot -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid'

After some time, I figured that it was taking too long and I decided to switch to another tool called WPScan. Also, while inspecting the wordlist, I found out that there were a lot of duplicates in the wordlist. Thus, I decided to sort the contents in the wordlist by unique terms and add them to a new file.

[email protected]:~/Desktop# sort fsocity.dic | uniq > refinedlist.dic

After refining the wordlist, I moved onto brute-forcing the credentials with the help of WPScan. For that, I used the following command.

[email protected]:~/Desktop# wpscan — url http://mr.robot/wp-login — usernames Elliot -P refinedlist.dic

After a couple of minutes, the scan ended and I successfully got the valid password. “Hey Elliot” 😏

  • Username = Elliot
  • Password = ER28–0652

We are in!! After some analysis, I found out that I was able to add my own plugins via this account and it was running WordPress version 4.3.1. Couple google searches later, I found this exploit that worked on this site. I exploited the “edit code” function to replace the existing code with my php reverse shell code. So when I access the link, I'll get a reverse shell directly to my Kali machine.

After I hit update, I set up a netcat listener on my kali machine to receive the incoming connection from the webserver. After accessing the php reverse shell, I got a successful connection to the server and had minimal level user access [daemon]

After digging around the filesystem for a while, I managed to find the file which contained the 2nd flag but was not able to open them due to insufficient permissions. There was also another file in the same directory with a username and a password of another account called “Robot”. It had the filename ”password.raw-md5”.

The title gave away the hash type so I went ahead and used john and the default wordlist in kali to try and crack the password. I used the following command to do so.

john — format=raw-md5 — wordlist=/usr/share/wordlists/rockyou.txt passhash

Now that I got into the robot account, I tried going to the home directory and viewing the second key. I was able to successfully get the 2nd key :)

Flag 2— 822c73956184f694993bede3eb39f959

Flag 3

I was thinking of all the privilege escalation methods that I knew. I remembered that I recently read up on escalating privileges using applications that have the SUID set on it. What that means is basically the application will run with the permissions of the root user. This is exactly what I needed! I recently found out that certain Nmap versions allowed for this to happen. Thus, I immediately went to check if the version of Nmap installed on the machine was vulnerable to this exploit. Lucky for me :) This version of Nmap had the vulnerability.

I immediately got to work. The Nmap interactive mode was the reason this exploit was possible. So, I launched Nmap in interactive mode and got started. After I got into Nmap, I enabled the interactive mode and tried the “!sh” command. Boom! I gained root access into the machine! Here are the steps:

[email protected]:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
whoami
root

Flag 3— 04787ddef27c3dee1ee161b21670b4e4


And...that was it! The final flag :)