This VM is a great way to celebrate the upcoming season 2 of Mr. Robot. As it's designed for beginners to intermediates, it will be a fun challenge and an opportunity to learn something new. Our task is to find three different keys located somewhere in the machine.
Let's get started!
How to join the #fsociety?
Firstly, let's find out what IP address is assigned to this VM using nmap; in addition we can scan for the OS version of this machine and check whether there are any open ports.
-Pn – treat the host as online and skip host discovery, so it is scanned even if it ignores our pings
-A – aggressive scan: OS detection, service version detection, default scripts and traceroute
From what we can see, the IP of the machine is 10.0.2.4 and it has two open ports: port 80 (http) and port 443 (https). This means it is hosting a web site served by Apache. Let's check what it is!
After typing the IP address into the web browser, we see the well-known interactive commercial for the new season.
Always remember to check the robots.txt file, as it may be hiding some useful information (paths the site owner did not want indexed) which may come in handy for us.
In this one we've got a rule disallowing web crawlers from indexing two files: key-1-of-3.txt and fsocity.dic.
We can fetch both files with wget (a very useful command!).
Yeah! We've got the first key, two more to go!
The second file is a dictionary, and I assume we will have to use it in a future brute-force attack.
Now let's use the nmap script http-enum, which may reveal some more useful information.
The script showed us a lot more than we asked for. The site is based on WordPress, and we may use this information to perform many attacks. Now let's focus on the readme file and the wp-login.php page.
The readme won't help us :(
But will the login page help us?
The most common login and password pairs like admin:admin haven't worked, but remember that we have the dictionary to perform an attack. First, we have to find the username.
And actually, elliot is the correct username! I tried it by simply typing the names of the characters in this show :)
Our next task is to brute force this page using the provided dictionary and the wpscan tool.
And after roughly 5 hours, the password is ER28-0652, one of the last entries in the word list.
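A defender's counterpart to the brute-force step above, as an added example that is not part of the original writeup: a small Python detector that reads Apache access-log lines (constructed here, not taken from the VM) and flags source IPs that POST to wp-login.php repeatedly within a short window. It assumes Apache's combined log format and the default WordPress behaviour where a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; timestamp looks like 10/Jun/2016:21:03:01 +0000
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_wp_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failed-login count in any window} for IPs at or above threshold.
    Only POST /wp-login.php answered with 200 (form re-rendered) counts as a failure;
    a 302 means WordPress accepted the credentials and redirected to wp-admin."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    peak = defaultdict(int)       # ip -> largest number of failures inside one window
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST"
                or not rec["path"].startswith("/wp-login.php") or rec["status"] != 200):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:  # slide the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2543 "-" "{ua}"'

# Constructed sample log: 10.0.2.7 logs in normally once, 10.0.2.15 fails six times in 10 s.
SAMPLE_LOG = [
    _line("10.0.2.7", "10/Jun/2016:21:03:01 +0000", "GET", "/wp-login.php", 200, "Mozilla/5.0"),
    _line("10.0.2.7", "10/Jun/2016:21:03:09 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
] + [
    _line("10.0.2.15", f"10/Jun/2016:21:05:{s:02d} +0000", "POST", "/wp-login.php", 200, "WPScan")
    for s in range(0, 12, 2)
]

if __name__ == "__main__":
    print(detect_wp_login_bruteforce(SAMPLE_LOG))  # {'10.0.2.15': 6}
```

Five hours of dictionary attempts produce thousands of such entries, so a rate limit or lockout on wp-login.php, or an alert from a check like this, would stop the attack long before it reached the end of the word list.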
But what to do next?
We can try to upload a reverse shell to gain access to the server.
The simplest way would be to edit some .php file in order to get a shell. I'll try with page.php and use the code from:
Then let's create a blank page.
The last essential step is setting up a listener, and after that just visit our blank page.
And we're in the server as the elliot user. Now let's see if there's anything interesting in the home directory. The most promising folder was 'robot', containing two files: key-2-of-3.txt and password.raw-md5
Unfortunately we don't have permission to cat the .txt file, but let's look at the md5 file, which gives us: robot:c3fcd3d76192e4007dfb496cca67e13b, a probable login and password pair. Cracking it with CrackStation gives us abcdefghijklmnopqrstuvwxyz. In the next step let's try to log in to the Mr. Robot vulnerable machine with it.
After that we're able to view the second key, one more to go!
One last part, privilege escalation: we have to get to the root account.
We can look for any misconfigured executable files that could provide us with what we want.
This shows that nmap is installed on this server with root privileges. Let's try to exploit nmap --interactive.
And yes, we've got the last key!
It was a great challenge to fulfil my knowledge-hungry brain :). Thanks to Jason for creating such a great boot2root machine!