Started the scan of this box with netdiscover -r 192.168.0.0/24. Found the Mr. Robot IP: 192.168.0.107
Found a couple ports open
And a “closed” ssh service
More info on port 80
Looks like we’re dealing with a WordPress site with a number of plugins enabled
And similar findings on port 443
I started on the webserver, and after browsing to the site’s root dir I found the following prompt:
I input each of the options, and most showed videos similar to those on Mr. Robot. Nothing of much interest in the root dir
I moved back to scanning the host, and continued with dirbuster, which found some additional pages
I also checked robots.txt, to find our first key!
I downloaded fsociety.dic; maybe we can use this to brute force passwords or additional directories
I decided to check out some of the directories found by dirbuster. /wp-login (HTTP 200) was an obvious first target
I tried a number of things here, but ultimately had to put myself in the Mr. Robot universe. I attempted to log in as Elliot and received a different error message (WordPress’s login form reveals whether a username exists), which led me to believe this is a legitimate user account
With this info, I used wpscan to brute force the login with fsociety.dic
The brute force was taking a long time… so I decided to google some info about this scenario, and found the password is basically at the end of the dictionary file… F that…
I moved the password up to a reasonable place in the dictionary, and ran the test again to show how the outcome should have looked 🙂
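A note from the blue-team side, as an example I have added to this writeup (it is not from the original post or from wpscan): a dictionary run like the one above leaves a very loud trail in the web server’s own access log, a burst of POSTs to /wp-login.php from a single address. The script below counts those per client and reports anything over a threshold. The log lines are constructed samples in Apache combined format, not captured from the box, and the threshold is an assumption you tune per site.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag clients that hammer
# /wp-login.php with POST requests, the footprint of a wpscan password attack.
# The log lines below are constructed for this example, not taken from the box.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.168.0.50 - - [10/Mar/2019:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan (constructed UA)"
192.168.0.50 - - [10/Mar/2019:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan (constructed UA)"
192.168.0.50 - - [10/Mar/2019:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan (constructed UA)"
192.168.0.50 - - [10/Mar/2019:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan (constructed UA)"
192.168.0.50 - - [10/Mar/2019:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan (constructed UA)"
192.168.0.50 - - [10/Mar/2019:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan (constructed UA)"
192.168.0.51 - - [10/Mar/2019:14:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0 (constructed UA)"
192.168.0.51 - - [10/Mar/2019:14:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed UA)"
192.168.0.52 - - [10/Mar/2019:14:06:00 +0000] "GET /index.php HTTP/1.1" 200 4710 "-" "Mozilla/5.0 (constructed UA)"
EOF

# count_login_posts LOGFILE THRESHOLD
# Prints "IP COUNT" for every client that POSTed to /wp-login.php more than
# THRESHOLD times. In combined format $1 is the client, $6 is the quoted
# method ("POST) and $7 is the request path. A real user logs in once or
# twice; a dictionary attack produces hundreds of POSTs in a few seconds.
count_login_posts() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) printf "%s %d\n", ip, n[ip] }
    ' "$1" | LC_ALL=C sort
}

# On the constructed sample only 192.168.0.50 crosses a threshold of 3.
count_login_posts "$SAMPLE_LOG" 3
```

Point it at the real log instead of the temp file (for example count_login_posts /var/log/apache2/access.log 20) from a cron job, or feed the same pattern to fail2ban, and the attack is visible long before the dictionary reaches the right line.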
With our password in hand, we log in to the WordPress site!
Looking for ways to upload a reverse shell, I started by attempting to upload a PHP reverse shell without any bypass techniques, which failed 🙁
I tried additional upload bypass techniques, but was unsuccessful
I then found a blog post about disguising a PHP reverse shell as a WordPress plugin in zip format:
It had me preface a shell.php file with the following plugin header:
I then zipped the file so WordPress would accept and deploy it as a plugin
I installed the plugin successfully and, with a nc listener set up, clicked “Activate.”
And received a connection back as the user daemon
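The plugin trick works because WordPress only looks for a plugin header comment before activating whatever PHP is inside the zip. As an example I have added here (not from the writeup or the blog post it refers to), this is the defender’s counterpart: a scan of the plugins directory for PHP files that call shell or socket functions. The plugin tree is constructed in a temp directory for the example, and the function list is an assumption, a starting point rather than a complete one.

```shell
#!/bin/sh
# Added example, not from the original writeup: hunt the plugins tree for PHP
# files that call shell or socket functions, which a disguised shell must do
# and a normal plugin almost never does. The tree below is constructed.

PLUGIN_ROOT=$(mktemp -d)
trap 'rm -rf "$PLUGIN_ROOT"' EXIT

mkdir -p "$PLUGIN_ROOT/hello-notes" "$PLUGIN_ROOT/site-tools"
cat > "$PLUGIN_ROOT/hello-notes/hello-notes.php" <<'EOF'
<?php
/*
Plugin Name: Hello Notes (constructed benign sample)
*/
add_action('admin_notices', function () { echo '<p>hello</p>'; });
EOF
cat > "$PLUGIN_ROOT/site-tools/site-tools.php" <<'EOF'
<?php
/*
Plugin Name: Site Tools (constructed suspicious sample)
*/
$sock = fsockopen($host, $port);
shell_exec($cmd);
EOF

# Functions whose presence in a freshly installed plugin deserves a look.
# The leading group forces a word boundary so e.g. "preg_exec" style names
# inside longer identifiers are not counted (assumed list, extend as needed).
DANGEROUS='(^|[^A-Za-z0-9_])(shell_exec|exec|passthru|system|popen|proc_open|fsockopen|pcntl_exec)[[:space:]]*\('

# flag_plugin_files PLUGIN_DIR
# Prints, sorted, each .php file under PLUGIN_DIR that calls one of the
# functions above. grep -l prints a file name once per matching file.
flag_plugin_files() {
    find "$1" -type f -name '*.php' -exec grep -lE "$DANGEROUS" {} + 2>/dev/null | LC_ALL=C sort
}

# Only the site-tools sample is reported for the constructed tree.
flag_plugin_files "$PLUGIN_ROOT"
```

Run flag_plugin_files against the real wp-content/plugins directory, ideally diffing against the previous run so a newly appearing file stands out. Removing the step entirely is a one-line change in wp-config.php: define('DISALLOW_FILE_MODS', true) takes away the plugin upload and file editor UI for every account, including an administrator with a guessed password.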
Looking around the box, I found the 2nd key and a password file. I couldn’t cat the key, but could cat the password file
I ran this MD5 hash through an online hash cracker, which found the following password
I spawned a TTY via python and su’d to the robot user with the newly found password
Cat’d the 2nd key
Now I need to escalate my privileges, so I want to look at what files I can execute that are owned by the root user and have the SUID bit set. I might not have sudo permission, but these applications run with root’s privileges no matter who launches them, because their owner is “root” and the SUID bit is set.
I still need to find a vulnerability in one of these programs, but if I do, I can get it to run as root 🙂 I’ll need version info for each and compare it against vulnerabilities found online.
After searching on the internet, I found that older versions of nmap, when they have SUID permissions, have an interactive mode which I might be able to escape from into a root shell.
This version of nmap had the interactive mode! I was able to escape into a shell and see that my user was a part of the group root.
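The escalation only works because nmap carries the SUID bit, which is not how any distribution ships it. As an example I have added to this writeup (not from the original post), the script below does what a periodic audit should: compare the host’s root-owned SUID files against a baseline taken from a known-good build and report anything new. The two lists are constructed for the example; on a real host the list_live_suid function produces both.

```shell
#!/bin/sh
# Added example, not from the original writeup: report root-owned SUID
# binaries that are missing from an approved baseline, so a stray SUID nmap
# shows up in a routine check. Both lists below are constructed samples.

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# Constructed baseline: the SUID set expected on a minimal Debian-style host.
cat > "$BASELINE" <<'EOF'
/bin/mount
/bin/su
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
EOF

# Constructed "current" snapshot: the baseline plus two additions.
cat > "$CURRENT" <<'EOF'
/bin/mount
/bin/su
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/ping
/usr/bin/sudo
/usr/local/bin/nmap
EOF

# list_live_suid
# Emits the root-owned SUID files on this host, one per line, sorted.
# Run it once on a freshly built machine to produce the baseline, then on a
# schedule to produce the current snapshot. -xdev keeps it on local filesystems.
list_live_suid() {
    find / -xdev -type f -user root -perm -4000 2>/dev/null | LC_ALL=C sort
}

# flag_unexpected_suid BASELINE CURRENT
# Prints every path in CURRENT that does not appear in BASELINE, matching whole
# lines as fixed strings. grep exits 1 when nothing is unexpected, which is
# the good outcome, so that status is accepted rather than treated as failure.
flag_unexpected_suid() {
    LC_ALL=C sort -u "$2" | grep -vxF -f "$1" || [ $? -eq 1 ]
}

# On the constructed lists this reports /usr/bin/ping and /usr/local/bin/nmap.
flag_unexpected_suid "$BASELINE" "$CURRENT"
```

Anything the audit reports is worth a question even when it is not nmap: ping gaining the SUID bit is a packaging choice on some systems, while an SUID copy under /usr/local is something somebody did by hand. Pair the check with a file-integrity tool that records the mode bits, and the “some version of this has an interactive mode” search never gets to happen.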
With root permissions, I cat’d the 3rd key and completed the vulnerable VM!