MR-ROBOT
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Mr-Robot.
- According to the description provided by the authors of Mr-Robot there are 3 keys or flags to be found:
- Mr-Robot can be downloaded from here:
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Using netdiscover to find the IP that corresponds to the vulnerable machine Mr-Robot:
- Scanning with Nmap:
- Scanning with nikto we find a lot of information:
- After reading nikto output we learn that a WordPress page is running with a login PHP script, and also some other pages interesting to be studied.
- Connecting to the website:
- Having a look to the source:
- Checking the wp-login.php page:
- When trying to connect to the admin page it hangs up:
- Visiting wp-links-opml.php we learn that the website is running the version WordPress/4.3.16, what is outdated:
3 - EXPLOITATION
3.1 - robots.txt
- Also, robots.txt gives us key information to start the exploitation process:
- Opening key-1-of-3.txt we find the 1st key:
3.1 - robots.txt
- Also, robots.txt gives us key information to start the exploitation process:
- Opening key-1-of-3.txt we find the 1st key:
3.2 - Dictionary fsocity.dic
- Going to fsocity.dic and saving it for further study
- Copying to a working directory:
- Opening with cat we find a very long file text composed of a lot of lines what seem part of a dictionary:
......
......
- The first 10 lines:
- Counting the lines there are 858160, so no doubt this is a very complex file to be handled:
- How many of the 858160 lines are unique? Just 11451, so removing the repeated lines would make it easier to deal with the file:
- Let's create a new file ufsocity.dic that contains only the non repeated lines of the original text file:
- Now, the file ufsocity.dic can be used for exploitation purposes as a brute force dictionary or wordlist.
3.3 - Dictionary attack with Hydra
- Hydra and ufsocity.dic help to perform a dictionary attack against the login page.
- Before launching the attack let's see what type of error message uses the login page, for instance using non valid admin:admin as credentials:
- As expected there is an error message Invalid username:
- Before launching the attack let's see what type of error message uses the login page, for instance using non valid admin:admin as credentials:
- As expected there is an error message Invalid username:
- Using this information (F=Invalid username) let's find a username without caring for the password (-p wedontcare):
- We found a user elliot that can be used to try a login, :
- The error message confirms that elliot is correct as a username:
- Launching again Hydra, now passing the user elliot (-l elliot), we discover a password ER28-0652:
- Using elliot:ER28-0652 the login is successful:
3.4 - Reverse shell with Metasploit
- Taking advantage of the fact we have valid credentials we can try finding a reverse shell with Metasploit:
- Taking advantage of the fact we have valid credentials we can try finding a reverse shell with Metasploit:
- Searching for wp_admin_shell_upload:
- Using this exploit and setting options:
- Runnig the exploit it fails, giving this error message: "The target does not appear to be using WordPress":
- Locating the exploit into Kali's file system:
- Opening it and uncommenting the line that contains the previous error message:
- Reloading the module:
- Once modified and reloaded, the exploit is successful:
- Getting a shell from the meterpreter session we find that a limited user is running:
- Checking the IP:
- Importing a new shell:
3.5 - Finding the second key
- Opening /home:
- At the robot user's home folder there is the 2nd key, but we cannot open it at this moment:
- However we have access to this password hashed with MD5:
- Decrypting:
- Trying to run the user robot with the previous password, it works:
- Now the 2nd key is available:
4 - PRIVILEGE ESCALATION
- Going to the root account we receive a Permission denied message:
- Going to the root account we receive a Permission denied message:
- Let's find out files being run with root privileges:
- For instance Nmap version 3.81
- There is a vulnerability associated to Nmap being run with special privileges like SUID root:
- Due to the presence of the SUID, using Nmap interactive mode we are able to run commands with root privileges:
- For instance a new root shell:
5 - CAPTURING THE FLAG
- Going to the root folder we find the final 3rd key:
- Going to the root folder we find the final 3rd key:
