Vulnhub virtual machine; OSCP prep box. A TV-show-themed box that offered training on basic enumeration along with wpscan brute forcing, which led to remote code execution. Enumerating kernel exploits for privilege escalation left us empty-handed, but pivoting to another user and getting an “interactive” session led us to root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/mr-robot-1,151/ File: mrRobot.ova (virtualbox)
Discover VM on network:
Target: 192.168.56.114
Enumeration
Nmap Scan:
Our standard lineup: HTTP and HTTPS web servers along with a closed SSH port.
Navigating to HTTP
very slick animations - let this education begin
The same situation occurs over HTTPS. OK, let's delve down this rabbit hole.
source:
we are not alone apparently - but on our VLAN I can assure you we are.
Join -
hmm, it asked for an email address but I don't have one set up on this box.
Check if robots.txt exists
it does. We found our first key.
key acquired.
Moving on to download fsocity.dic
moved to the directory and ran file on it
hmm, an offset with an address is a different twist.
we now have a large dictionary of passwords
Passwords to what is the question.
More enumeration: Dirbuster:
wp-login.php
this looks promising.
Navigating to location:
We have potential passwords but no usernames. Our goal should be to enumerate as many usernames as possible.
wpscan
a few vulnerabilities, but nothing stands out that will enumerate users.
Seeing this is a theme-based VM, let's refresh our memory of the characters played on the show with a quick IMDB lookup:
Back to the WordPress login with an attempt at a generic login
result:
well, it's returning something at least. Attempting with elliot
result:
well, elliot is a verified user on the box; let's move to brute-force this login with wpscan
hmm, we have a lot of passwords to try. I remember seeing a few duplicates in the .dic;
let's prune and re-attack.
Sorting out duplicates in the file:
fsocity_sorted.dic created with quite a few fewer passwords to try.
wpscan brute force again:
we now have elliot's credentials!
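As an added, defender-side example (not from the original post), a small Python detector that spots the wpscan-style login brute force described above in Apache access-log lines: many POSTs to wp-login.php from one source within a short window, and whether any of them ended in the 302 redirect WordPress issues on a successful login. The log lines, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache combined-format access-log lines (assumed data, not from the post).
SAMPLE_LOG = """\
192.168.56.101 - - [10/Jan/2024:13:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
192.168.56.101 - - [10/Jan/2024:13:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
192.168.56.101 - - [10/Jan/2024:13:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
192.168.56.101 - - [10/Jan/2024:13:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
192.168.56.101 - - [10/Jan/2024:13:05:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
192.168.56.50 - - [10/Jan/2024:13:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jan/2024:13:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect_wp_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: (total_posts, first_success_ts_or_None)} for every source IP that
    POSTs to wp-login.php at least `threshold` times inside any `window`.
    A failed WordPress login re-renders the form (200); a success redirects (302)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):          # slide a window over this IP's POSTs
            burst = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                success = next((r["ts"] for r in burst if r["status"] == 302), None)
                alerts[ip] = (len(recs), success)  # a 302 inside the burst = likely compromise
                break
    return alerts
```

A single interactive user logging in once (the second IP in the sample) stays below the threshold and is not flagged.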
Login:
We are now inside WordPress. The next move is to upload a payload. The site serves PHP pages, so if we take one over with our PHP reverse shell we should be able to get a call back.
On the WordPress admin dashboard > Appearance > Editor > insert the payload under 404.php.
RCE
Setting up listener:
navigate to http://192.168.56.114/404.php
we have captured a shell.
Checking the home folder, we find key-2-of-3.txt alongside a password.raw-md5.
upgrade to tty:
Attempting sudo -l yields nothing without the password. Next, moving on to enumerate the box.
Quick searchsploit for kernel vulnerabilities
priv-esc is exactly what we want.
download the exploit to /dev/shm (memory trick), compile and execute
well, that would have just been too easy. Back to enumeration…
Back to /home/robot/ to check out that password.raw-md5. Let's decode:
thanks to: https://www.md5online.org/md5-decrypt.html
Switching user to robot
sudo check
Priv-esc/Root
Check for SUID:
nmap has the SUID bit set. We can take advantage of this by launching an “interactive” session
we are now executing commands as root!
Since we have robot's password, we'll just make him a sudoer
we can now call an actual shell as root
Bring me the root!
-exec