Mr. Robot Walkthrough

Started the scan of this box with netdiscover -r 192.168.0.0/24. Found the mr. Robot IP: 192.168.0.107

Found a couple ports open

And a “closed” ssh service

More info on port 80

Looks like we’re dealing with a wordpress site with a number of plugins enabled

And similar findings on port 443

I started on the webserver, and after browsing to the site’s root dir I found the following prompt:

I input each of the options, and most showed videos similar to those on Mr. Robot. Nothing of much interest in the root dir

I moved back to scanning the host, and continued with dirbuster, which found some additional pages

I also checked robots.txt, to find our first key!

I downloaded fsociety.dic, maybe we can use this to brute force pw’s or additional dir’s

I decided to check out some of the directories found by dirbuster. /wp-login (HTTP 200) was an obvious first target

I tried a number of things here, but ultimately had to put myself in the Mr. Robot universe. I attempted to login with Elliot and received a new error message which leads me to believe this is a legitimate user account

With this info, I used wpscan to brute force the login with fsociety.dic

The brute force was taking a long time… so I decided to google some info about this scenario, and found the password is basically at the end of the dictionary file… F that…

I moved the pw up to a reasonable place, and ran the test again to show how the outcome should have looked 🙂

With our password in hand, we login to the wordpress site!

Looking for ways to upload a reverse shell, I started by attempted to upload a php reverse shell w/o any bypassing techniques, which failed 🙁

I tried additional upload bypass techniques, but was unsuccessful

I then found a blog about disguising a reverse php shell as a wordpress plugin in the zip format:

http://www.r00tsec.com/2015/08/howto-create-backdoor-in-wordpress.html

It had me preface a shell.php file with the following info:

I then zip’ed the file so wordpress will accept and deploy it as a plugin

I installed the plugin successfully, and while I had a nc listener setup, clicked “Activate.”

And received a connection back as the user daemon

Looking around the box, I found the 2nd key and a password file. I couldn’t cat the key, but could cat the password file

I ran this md5 through an online hash crackers, and it found the following password

abcdefghijklmnopqrstuvwxyz

I spawned a terminal via python and su’d to the robot user with the new found password

Cat’d the 2nd key

Now I need to escalate my privilege, so I want to look at what files I can execute, and are owned by the root user (SUID files). I might not have sudo permission, but these applications do, because their owner is “root.”

I still need to find a vulnerability associated with these programs, but if I do, I can get them to run as root 🙂 I’ll need some version info, and compare them to vulnerabilities found online.

After searching on the internet, I found older versions of nmap which have SUID permissions, have an interactive mode, which I might be able to escape into a root shell.

This version of nmap had the interactive mode! I was able to escape into a shell, and see that my user was apart of the group root.

With root permissions, I cat’d the 3rd key and completed the Vuln VM!