This VM is a great way to celebrate the upcoming of a season 2 of Mr. Robot. As it's designed for beginners-intermediate it will be fun challenge and opportunity to learn something new. Our task is to find three different keys located somewhere in the machine. Let's get started! How to join the #fsociety? Firstly, let's find out what IP address is assigned to this VM using nmap, in addition we can scan for the OS version of this machine, and are there any open ports. nmap -Pn -A 10.0.2.0/24 -Pn – will scan hosts even if they ignore us -A – will determine operating system of the host From what we can see, IP of the machine is 10.0.2.4 and has two open ports: port 80 (http) and port 443 (https). What that means, is that it's hosting web site, using Apache web server. Let's check what it is! After typing the IP address to the web browser, we can see well known interactive commercial for the new season. Always remember to check the robots.txt file as it may be hiding some useful information, which may come handy for us. In this one we've got a rule dissalowing web crawlers from indexing 2 files: key-1-of-3.txt and fsocity.dic. We can get these files by using wget commands (very useful one!). wget 10.0.2.4/key-1-of-3.txt wget 10.0.2.4/fsocity.dic Yeah! We've got the first key, two more to go! Second file is a dictionary, and I assume we will have to use it in the future brute force attack. Now let's use nmap script - http-enum which may reveal some more useful information. Script showed us a lot more that we've asked for. It's based on WordPress, and we may use this information to preform many attacks. Now let's focus on the readme file and the wp-login.php site. Readme won't help us :( But will login page help us? Most common login and passwords pairs like admin:admin haven't worked but remeber that we have the dictionary, to perform an attack. Now, we have to find the username. And actually, elliot is correct username! I tried it, by simply typing the names of the characters in this show :) Our next task is to brute force this page, using provided dictionary and the wpscan tool. wpscan -u 10.0.2.4 --wordlist ~/fsocity.dic --username elliot And after roughly 5 hours, password is ER28-0652 - one of the last ones in the word list. But what to do next? We can try to upload a reverse shell to gain access to the server. Simplest way would be to edit some .php file in order to get shell. I’ll try with page.php and use the code from: PenTestMonkey Then let’s create blank page. Last essential step would be setting up listener and after that just the visit our blank page. nc -lvp 3344 And we’re in the server, as elliot user. Now let’s see if there’s anything interesting in the home directory.Most promising folder was ‘robot’ containing 2 files: key-2-of-2.txt and password.raw-md5 Unfortunately we don’t have permission to cat the .txt file but let’s look at the m5 file which gives us: robot:c3fcd3d76192e4007dfb496cca67e13b – probable login and password pair . Cracking it with CrackStation, gives us abcdefghijklmnopqrstuvwxyz. In the next step let's try to login in Mr.Robot vulnerable machine. After that we're able to view the second key, one more to go! 822c73956184f694993bede3eb39f959 One last part - privilage escalation - we have to get to the root account. We can find any misconfigured executable files that can provide us what we want. find / -perm -u=s -type f 2>/dev/null Which gives information that nmap is installed on this server with root privileges. Let’s try to exploit nmap –interactive. And yes, we've got the last key! It was great challenge to fulfill my knowledge hungry brain :). Thanks for Jason for creating such a great boot2root machine! Jason
Today we're gonna give a try Leviathan wargame which requires some common sense and a little bit of knowledge about Unix commands. Let's get started!
Bandit wargame is ideal for begginers - it let's you get to know the basics of Linux operating system, and is a great start into the beautiful word of CTF's. Let's get started!