Hello there, I'm here again with another great vulnhub machine.
This time we'll learn a few basic techniques with the nostalgic Mr Robot Vulnhub machine!
If you would like to see the POC video watch it below. If you don't like spoilers too fast, read on.
Overview: Methodology
The steps to compromise this machine were simple: I started with enumerating directories and services. By using directory fuzzing, we obtained the 1st key as well as a dictionary file which was used to bruteforce passwords. After enumerating and bruteforcing our access to the web application, we obtained access by uploading a reverse shell and accessing our 2nd key for this challenge. Lastly, I proceeded with the privilege escalation phase to obtain the last key.
Set-up: VM Network Settings and IP Assignment
We go to the site and download the image. Verify the checksum and proceed to importing it to our Virtual software of choice. For this exercise, I've used VirtualBox, but you can use any as long they support the .ova extension.
After setting our VM Network Settings to Bridge, we conduct an ifconfig to determine what our network IP/Range is and then we scan our network by range to find the VM with:
netdiscover -r [ip/subnet]
Reconnaissance: enumerating and scanning
Once we have the IP Address of our VM, we proceed with the enumeration so we use a few tools for this:
nmap: enumerate ports (80, 443 found to be open)
nikto: look for misconfiguration and low hanging fruits, compromising directories.
dirbuster: maps directories containing juicy data/admin portals, etc.
After looking at nikto and dirbuster results, we don't only found out the server's Wordpress site version but also the admin portal located in: /wp-login.php:
After looking at the robots.txt file, we find our 1st key along with a dictionary file to download:
Looking at the dictionary file, we can see that there are duplicate entries, so we open it with Sublime Text -> Edit -> Permute Lines -> Unique and we obtain a fresh non-duplicate copy. We save it as a new file and proceed with enumerating usernames. Easy process, moving along...
In the /wp-login.php page, we grab the login post parameters with Burp Suite and proceed to brute-force the username with Hydra:
hydra -L [location-of-dictionary-file] -p unknownPassword [ip-address] http-form-post "/wp-login.php:log=^USER^&^pwd=^PASS^:invalid"
We can see that the same username has been found but case sensitive: elliot, Elliot and ELLIOT.
Now that we know the username, we can use wpscan to bruteforce the password with the unique dictionary file we downloaded from the robots.txt file:
sudo wpscan --url 192.168.2.10 --wordlist /home/vicio/Labs/Vulnhubs/MrRobot/fsocity_unique.dic --username ELLIOT
We can see the password obtained for the elliot, ELLIOT or Elliot username.
Access: Using credentials and obtain reverse shell
We enter the credentials obtained with Hydra and WPScan to the WP Portal:
We then navigate to the "Appearance" -> Editor Section and in the right-hand sidebar, we click on the 404 Template. From here, we can upload our own or a custom PHP reverse shell to gain access to the box. I used the PentestMonkey's reverse shell and changed the settings to fit my needs (IP and port number):
Now, the only thing we need to do is to set up a listener to our machine (in this case on 192.168.2.8 on port 7777) and navigate a non-existing page in Wordpress and we'll get shell access.
We can now spawn a bash shell with Python and proceed to read our next key:
As you can see, even though we obtained access to the box, we still need to access as "robot", the regular user to read its key. We can see the hashed key but not the key-2-of-3.txt file. As the file name states, the file in which the credentials are stored (robot:c3fcd3d76192....) contains a MD5 password, which needs to be cracked. Our fastest way is to see if it has been cracked already and publicly disclosed in the Crack Station website.
Password has been cracked before so now we have to copy and paste it in our shell to get user access:
Post Exploitation: Privilege Escalation
From here, we do a search for the entire system (find /) for SUID permissions (-perm /u=s) and discard any error messages (stderr) (2>/dev/null) to clean our results.
Here, we can see that nmap has its permissions to be accessed with a regular user, in this case robot user. When we check for its version, it shows 3.81.
By doing a little research on this version, we can see not only that it's outdated but also that interactive mode is enabled on it since it was later removed due to performance issues. We give it a go and sure it executes. We try help and we find the ability to execute commands as root. Please, tell me you're seeing this too!
From here, it's a walk in the park. We just concatenate the key file contents within /root/ and to obtain our last key:
=FIN=