Mr.Robot:1 is an easy-medium boot2root machine, inspired by the popular hacking-themed web series Mr.Robot. This machine had puzzles that had to be solved in both the CTF way and the realistic way. Overall this machine was pretty straightforward for me (except the CTF method, which required a little bit of guesswork). Due to this, gaining an initial foothold in the machine was relatively tougher than escalating privileges. The overall theme was actually pretty good and the website design inspired by Mr.Robot was pretty cool! 😃 As a fan of the show, I really enjoyed that. Kudos to the creator Leon Johnson for creating such an awesome box.
Let’s start the enumeration process with netdiscover.
netdiscover -Lr 192.168.1.0/24
Where 192.168.1.0/24 is my home network’s range, -L is to keep listening and -r is to specify range.
From that command, I found the IP address of the target to be 192.168.1.6.
We are going to start the enumeration with an Nmap scan.
nmap -sCV -v -oN tcp 192.168.1.6
And the output is as follows.
Nmap scan report for 192.168.1.6
Host is up (0.00025s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
MAC Address: AA:22:CC:44:DD:66 (Oracle VirtualBox virtual NIC)
The machine had ports 80 and 443 open and port 22 closed. No OS signatures were leaked, so we currently have no way to enumerate the OS version.
Let’s now check out the websites.
Navigating to port 80 via the browser was a pleasant surprise. I was greeted by mr.robot via an animated pseudo console.

There were some commands we could enter into the pseudo console, which showed different things connected to the show.
The website running on port 443 was the same website, served over SSL. There was no other way for us to proceed except to check the source code and run a directory brute force.
So, I did exactly that.
I ran gobuster for the http website using the following command.
gobuster dir -u http://192.168.1.6/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |tee gobuster
And the following command for the https version.
gobuster dir -k -u https://192.168.1.6/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |tee gobuster-ssl
Since the machine has a self-signed certificate, gobuster will report connection errors. So, we have to specify the -k flag to ignore those errors and continue the brute forcing.
Let’s allow the brute force attack to continue in the background and use this time to inspect the source code of the web site.

By this time, the gobuster brute forcing had proved fruitful, as it found some interesting directories.


So, it is confirmed that the machine runs WordPress. I tried the admin/admin credentials, but they were wrong. Let’s take a look at the /robots directory we found using gobuster.

There were two file names. One was a dictionary file and the other was a key/flag file. I downloaded both files onto my machine.
Now, let’s take a moment to analyze what information we have as of now. We have a WordPress admin login page and a dictionary file with possible passwords. The dictionary had 85k-ish strings.
As we don’t have any other leads, brute forcing the credentials is our only option. So, I used wpscan to brute force the credentials using the following command.
wpscan --disable-tls-checks --url https://192.168.1.6 -U users.txt -P fsociety.dic
I created a text file with the character names from the show Mr.Robot, as there were no user names found on the WordPress site. The contents of users.txt are given below.
elliot
alderson
elliotalderson
mr.robot
robot
darlene
angela
tyrell
wellick
And the password was found!

The password was ER28-0652; which was Elliot’s employee ID in the show!


The next step is to get a reverse shell by modifying any PHP page. Here I am using the php-reverse-shell.php file from the laudanum package. I modified the IP address and port in the php-reverse-shell.php file and copied its contents.
Now, I need to find a suitable PHP page to paste this code into. I navigated to Appearance > Editor and replaced the 404 Template (404.php) with the contents of php-reverse-shell.php, and clicked Update File to save it.

Now, all we have to do is start a nc listener and request a non-existent page, and we’ll get a reverse shell!
So, I started a nc listener and requested the following non-existent page.
http://192.168.1.6/wp-admin/12
And I got a shell back!
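The foothold above depends on the dashboard editor being allowed to rewrite theme templates. The following audit sketch is an added example, not part of the original walkthrough: it flags theme PHP files that call socket or process-spawning functions and checks whether wp-config.php sets WordPress's DISALLOW_FILE_EDIT constant. The list of call names is a heuristic assumption and the demo files are constructed.

```python
import re
import tempfile
from pathlib import Path

# PHP calls that open sockets or spawn processes; rare in legitimate theme templates.
RISKY_CALLS = re.compile(
    r'\b(fsockopen|proc_open|shell_exec|passthru|popen|system|exec)\s*\(')
# define('DISALLOW_FILE_EDIT', true); removes the theme/plugin editor from the dashboard.
FILE_EDIT_OFF = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def scan_theme(theme_dir):
    """Return {relative path: sorted risky call names} for PHP files under theme_dir."""
    findings = {}
    for php in sorted(Path(theme_dir).rglob("*.php")):
        text = php.read_text(errors="replace")
        calls = sorted(set(RISKY_CALLS.findall(text)))
        if calls:
            findings[str(php.relative_to(theme_dir))] = calls
    return findings


def editor_disabled(wp_config_text):
    """True if the given wp-config.php text turns off the dashboard file editor."""
    return bool(FILE_EDIT_OFF.search(wp_config_text))


def demo():
    """Build a constructed theme directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d)
        (theme / "index.php").write_text("<?php get_header(); the_content(); ?>")
        # Constructed stand-in for a tampered 404 template; only the call names matter.
        (theme / "404.php").write_text(
            "<?php fsockopen($h, $p); proc_open($c, $d, $pipes); ?>")
        return scan_theme(theme)


if __name__ == "__main__":
    print(demo())
    print(editor_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

A match is a prompt for manual review rather than proof of tampering, since the pattern also fires on call names inside comments or strings.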

We were logged in as user daemon. I navigated to the /home folder and found user robot’s directory. It contained the second key/flag file and a password hash.

I used md5hashing.net and cracked the password as abcdefghijklmnopqrstuvwxyz.
Now, we can switch user to robot. But, to do so, we have to upgrade our dumb shell to a full TTY shell. Luckily, the machine had python installed.
python -c 'import pty;pty.spawn("/bin/bash")'
Now that we’ve upgraded our shell, let’s switch user to robot.
su robot
Enter password: abcdefghijklmnopqrstuvwxyz

I then ran linpeas.sh and found a potential PE vector!

Let’s check GTFOBins to find out whether Nmap can be used for PE.

Let’s find the nmap version installed in the target using nmap --version.



The /root folder had the third key/flag file.
I also tried to find alternate PE vectors, but couldn’t. Oh well!
Overall this was an interesting machine and I really enjoyed solving it!
“Trust yourself. You’ll do what’s right. -Elliot Alderson” 😄