Vulnhub.com - Mr.Robot 1

This VM is a great way to celebrate the upcoming second season of Mr. Robot. As it's designed for beginner-to-intermediate players, it will be a fun challenge and an opportunity to learn something new. Our task is to find three different keys located somewhere on the machine.

Let's get started!

How to join the #fsociety?

First, let's find out which IP address is assigned to this VM using nmap; the same scan can also fingerprint the OS and reveal any open ports.

nmap -Pn -A 10.0.2.0/24

-Pn – skip ping-based host discovery and scan every address, even hosts that ignore our probes

-A – aggressive scan: OS detection, service/version detection, default scripts and traceroute

[Screenshot: mr-robot-nmap]

From the output, the machine's IP is 10.0.2.4 and it has two open ports: 80 (http) and 443 (https). That means it's hosting a web site on an Apache web server. Let's check what it is!

After typing the IP address into the web browser, we see the well-known interactive commercial for the new season.

[Screenshot: mr-robot-view]

Always remember to check the robots.txt file, as it may be hiding some useful information that comes in handy for us: anything listed there is readable by anyone, not only by crawlers.

In this one we've got a rule disallowing web crawlers from indexing 2 files: key-1-of-3.txt and fsocity.dic.

[Screenshot: mr-robot-robotstxt]
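The point above is worth automating on the defending side: a Disallow entry keeps polite crawlers away but tells every human reader the exact path. The following is an added example, not code from the walkthrough, that parses a robots.txt and flags entries naming individual files rather than directory trees. The sample robots.txt is constructed to mirror the two file names the post reports; the real file on the VM may be laid out differently.

```python
from __future__ import annotations

import posixpath

# Constructed sample robots.txt mirroring the two file names the post reports
# (the real file on the VM may be formatted differently).
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /key-1-of-3.txt   # a single file: its name is now public
Disallow: /fsocity.dic
Disallow: /wp-admin/        # a directory tree: far less specific
Allow: /wp-admin/admin-ajax.php
"""


def parse_disallow(robots_txt: str) -> list[str]:
    """Return every non-empty Disallow path, in file order.

    Comments (#...) are stripped first, as crawlers do.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def leaked_file_names(robots_txt: str) -> list[str]:
    """Disallow entries that name one file rather than a subtree.

    Entries ending in '/' or containing '*' describe a region of the site;
    an entry with a file extension is an exact path handed to anyone who
    reads robots.txt. Those are the ones to move behind real access control
    (or delete) rather than hide with a Disallow.
    """
    return [
        p for p in parse_disallow(robots_txt)
        if not p.endswith("/") and "*" not in p and posixpath.splitext(p)[1]
    ]


if __name__ == "__main__":
    for path in leaked_file_names(SAMPLE_ROBOTS_TXT):
        print("file name exposed by robots.txt:", path)
```

Run against the sample it reports the two file entries and stays quiet about /wp-admin/, which is the distinction an audit cares about: a directory rule hides little, a file rule is a pointer.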

We can fetch both files with wget (a very useful command!).

wget 10.0.2.4/key-1-of-3.txt
wget 10.0.2.4/fsocity.dic

Yeah! We've got the first key, two more to go!

The second file is a dictionary, and I assume we will have to use it in a future brute force attack.

[Screenshot: mr-robot-filesfromrobots]

Now let's run the nmap script http-enum, which may reveal some more useful information.

[Screenshot: mr-robot-httpenum]

The script showed us a lot more than we asked for. The site is based on WordPress, and we may use this information to perform many attacks. Now let's focus on the readme file and the wp-login.php page.

Readme won't help us :(

[Screenshot: mr-robot-readme]

But will the login page help us?

The most common login and password pairs like admin:admin haven't worked, but remember that we have the dictionary to perform an attack. First, we have to find the username.

And actually, elliot is the correct username! I tried it by simply typing the names of the characters in this show :)

[Screenshot: mr-robot-elliot]

Our next task is to brute force this page using the provided dictionary and the wpscan tool (the syntax below is wpscan 2.x; current releases take --url, -U and -P instead).

wpscan -u 10.0.2.4 --wordlist ~/fsocity.dic --username elliot

After roughly 5 hours, the password turns out to be ER28-0652, one of the last entries in the word list.

[Screenshot: mr-robot-werein]
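Five hours of guesses against wp-login.php is very loud in the web server's access log. As an added example from the defender's side (not part of the original post), here is a sliding-window detector that reads Apache combined-format log lines and reports clients whose login POSTs exceed a rate threshold. The log lines, client addresses and the "constructed-scanner/1.0" user agent are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, threshold=10, window_s=60):
    """Return {client_ip: peak_count} for clients whose POSTs to /wp-login.php
    exceed `threshold` within any `window_s`-second sliding window.

    WordPress answers a failed login with 200 (the form is re-rendered) and a
    successful one with a 302 redirect, so the status code alone does not
    separate the two; the rate is what gives a wordlist run away.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts


def sample_log():
    """Constructed log lines: one client sending 12 login POSTs in 12 seconds
    (a wordlist run) and one client logging in once and reaching wp-admin."""
    tmpl = ('{ip} - - [12/Jul/2016:10:00:{sec:02d} +0000] '
            '"POST /wp-login.php HTTP/1.1" {status} 3521 "-" "constructed-scanner/1.0"')
    lines = [tmpl.format(ip="10.0.2.15", sec=s, status=200) for s in range(12)]
    lines.append('10.0.2.20 - - [12/Jul/2016:10:00:30 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('10.0.2.20 - - [12/Jul/2016:10:00:31 +0000] '
                 '"GET /wp-admin/ HTTP/1.1" 200 8720 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    # With the default threshold of 10 only the scanning client trips the detector.
    print(detect_login_bruteforce(sample_log()))   # {'10.0.2.15': 12}
```

The same loop works on a live `access.log` fed line by line; the threshold is the only tuning knob, and a rate limit or lockout plugin in front of wp-login.php turns the detection into prevention.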

But what to do next?

We can try to upload a reverse shell to gain access to the server.

The simplest way would be to edit some .php file in order to get a shell. I'll try with page.php and use the code from PenTestMonkey.

Then let's create a blank page.

The last essential step is to set up a listener, and after that just visit our blank page.

nc -lvp 3344

And we're in the server as the elliot user. Now let's see if there's anything interesting in the home directory. The most promising folder was 'robot', containing 2 files: key-2-of-2.txt and password.raw-md5.

Unfortunately we don't have permission to cat the .txt file, but let's look at the md5 file, which gives us robot:c3fcd3d76192e4007dfb496cca67e13b, a probable login and password pair. Cracking it with CrackStation gives us abcdefghijklmnopqrstuvwxyz. In the next step, let's try to log in to the Mr.Robot vulnerable machine with it.

[Screenshot: mr-robot-robot]
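Why did CrackStation answer instantly? The stored value is an unsalted MD5 of a dictionary word, so one lookup in a precomputed table is all it takes. The block below is an added example, not code from the post: it reproduces the lookup against the digest shown above with a small constructed wordlist (the post used fsocity.dic), then shows the storage format that defeats that lookup, salted and iterated PBKDF2-HMAC-SHA256 from the standard library. The `hash_password` / `verify_password` names and the `pbkdf2_sha256$iterations$salt$digest` string layout are this example's own conventions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# The entry the post found in password.raw-md5 (user:unsalted MD5 hex digest).
STORED_ENTRY = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed stand-in for a wordlist; the post used the fsocity.dic file.
WORDLIST = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "letmein"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_raw_md5(entry: str, wordlist):
    """Dictionary lookup against an unsalted MD5 digest.

    One fast hash per candidate and no salt means a precomputed table (which
    is what an online lookup service is) answers instantly for any common word.
    """
    user, _, digest = entry.partition(":")
    for word in wordlist:
        if hmac.compare_digest(md5_hex(word), digest.lower()):
            return user, word
    return user, None


def hash_password(password: str, salt: bytes | None = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing string.

    A fresh 16-byte salt per user kills precomputed tables; the iteration
    count makes every guess cost 200k hash operations instead of one.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_raw_md5(STORED_ENTRY, WORDLIST))   # ('robot', 'abcdefghijklmnopqrstuvwxyz')
    h1 = hash_password("abcdefghijklmnopqrstuvwxyz")
    h2 = hash_password("abcdefghijklmnopqrstuvwxyz")
    # Same password, different salts, different strings; verification still works.
    print(h1 != h2, verify_password("abcdefghijklmnopqrstuvwxyz", h1))   # True True
```

The MD5 digest of "abcdefghijklmnopqrstuvwxyz" is one of the RFC 1321 test vectors, which is exactly why a lookup service has it on hand; a per-user salt means no two users' stored values are comparable even when their passwords are identical.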

After that we're able to view the second key, one more to go!

[Screenshot: mr-robot-key2of2]

822c73956184f694993bede3eb39f959

One last part, privilege escalation: we have to get to the root account.

We can look for misconfigured setuid executables, i.e. files that run with their owner's privileges, which could provide what we want.

find / -perm -u=s -type f 2>/dev/null

-perm -u=s – match files with the setuid bit set

-type f – regular files only; 2>/dev/null discards the permission-denied errors

[Screenshot: mr-robot-nmapstart]

This shows that nmap is installed on this server with the setuid bit set, so it runs with root privileges. Let's try to exploit the legacy nmap --interactive mode.

[Screenshot: mr-robot-key3of3]

And yes, we've got the last key!
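The setuid nmap is the kind of thing a periodic audit catches before anyone else does: the same find-style walk, compared against a baseline of binaries that are supposed to be setuid. The block below is an added example, not code from the post. `EXPECTED_SUID` is an illustrative allowlist (an assumption; a real one comes from the distribution's package manifest), and `SAMPLE_ENTRIES` are constructed (path, mode) rows standing in for the find output, including the setuid nmap the post found.

```python
import os
import stat

# Illustrative baseline of setuid binaries a stock Linux install is expected
# to carry (an assumption; build yours from the package manager's manifest).
EXPECTED_SUID = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
}

# Constructed (path, mode) rows standing in for `find / -perm -u=s -type f`
# output; the mode is what os.lstat().st_mode would report.
SAMPLE_ENTRIES = [
    ("/bin/su", 0o104755),              # setuid root, expected
    ("/usr/bin/passwd", 0o104755),      # setuid root, expected
    ("/usr/local/bin/nmap", 0o104755),  # setuid root, NOT expected: what the post found
    ("/bin/ls", 0o100755),              # plain executable
    ("/usr/bin/wall", 0o102755),        # setgid only
]


def is_setuid(mode: int) -> bool:
    """True for a regular file whose mode carries the setuid bit (the -u=s test)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(entries, baseline=EXPECTED_SUID):
    """Paths that carry the setuid bit but are not on the baseline."""
    return sorted(path for path, mode in entries if is_setuid(mode) and path not in baseline)


def collect_suid(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Live equivalent of the find command: walk the given roots and return
    (path, mode) rows for regular files with the setuid bit set."""
    rows = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
                except OSError:
                    continue                        # the equivalent of 2>/dev/null
                if is_setuid(mode):
                    rows.append((path, mode))
    return rows


if __name__ == "__main__":
    print("unexpected in sample:", unexpected_suid(SAMPLE_ENTRIES))   # ['/usr/local/bin/nmap']
    print("unexpected on this host:", unexpected_suid(collect_suid()))
```

Run from cron and diffed against the previous result, the second print line is a cheap integrity check: a network scanner, or anything else, that gains the setuid bit shows up the next time the job runs.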

It was a great challenge for my knowledge-hungry brain :). Thanks to Jason for creating such a great boot2root machine!

Keep learning and stay safe! ~ W3ndige