Vulnhub virtual machine; OSCP prep box. A TV-show-themed box that offered training on basic enumeration along with wpscan brute-forcing, which led to remote code execution. Escalating via enumeration of kernel exploits left us empty-handed, but pivoting to another user and getting “interactive” led us to root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/mr-robot-1,151/ File: mrRobot.ova (virtualbox)
Discover VM on network:
Our standard line-up: HTTP and HTTPS web servers along with a closed SSH port.
Navigating to HTTP
very slick animations - let this education begin
same situation occurs over HTTPS. Ok, let's delve down this rabbit hole.
we are not alone apparently - but on our vlan I can assure you we are.
hmm asked for an email address but I don’t have one setup on this box.
it does. We found our first key.
Moving to download
moved to the download directory and ran file on it
hmm an offset with an address is a different twist.
we now have a large dictionary of passwords
Passwords to what is the question.
More enumeration: Dirbuster:
wp-login.php this looks promising.
Navigating to location:
We have potential passwords but no usernames. Our goal should be to enumerate as many usernames as possible.
a few vulnerabilities, but nothing stands out that will enumerate users.
seeing this is a theme-based VM, let's refresh our memory of the characters from the show with a quick IMDB lookup:
Back to the WordPress login with a generic login attempt
well it’s returning something at least. Attempting with elliot
elliot is a verified user on the box; let's move to brute-force this login with wpscan
hmm we have a lot of passwords to try. I remember seeing a few duplicates in the .dic; let's prune and reattack.
Sorting duplicates in a file:
fsocity_sorted.dic created, with quite a few fewer passwords to try.
wpscan brute-force again:
we now have elliot credentials!
we are now inside WordPress. The next move is to upload a payload. We have PHP pages, so if we take one over with our PHP reverse shell we should be able to initiate a callback.
On the WordPress admin dashboard > Appearance > Editor > insert payload under 404.php.
Setting up listener:
we have captured a shell.
Checking the home folder, we find key-2-of-3.txt alongside a
upgrade to tty:
yields nothing without the password. Next, moving on to enumerate the box.
Quick searchsploit for kernel vulnerabilities
priv-esc is exactly what we want.
download exploit to /dev/shm (the in-memory, world-writable tmpfs trick)
compile and execute
well, that would have just been too easy. Back to enumeration…
/home/robot/ to check out that password.raw-md5
thanks to: https://www.md5online.org/md5-decrypt.html
Switching user to
Check for SUID:
nmap has the SUID bit set. We can take advantage of this by invoking its “interactive” mode
we are now executing commands as root!
Since we have robot's password, we'll just add him to sudoers
we can now call an actual shell as root
Bring me the root!