[Solution] Mr-Robot: 1 Vulnhub


Our democracy has been hacked !


Let's start the VM and scan it with nmap (bridged adapter, because I had problems with host-only).

nmap -p- 192.168.1.67 -sV

We see that there is an open http port. Let's navigate to the webpage.
Having seen the l33t homepage, it's time to solve the challenge.

Flag 1

Triggering a 404 error shows that the website runs a WordPress installation.
Let's fire up wpscan to find something interesting. But… nothing! A version without known exploits and an installation with no plugins.

What about robots.txt? W00t w00t!


We found one of the three flags plus a dictionary. Bruteforcing time!!!

Let's enumerate the usernames with the old /?author=1 technique. Nothing again.
What about the dictionary? Also, if you look at the login page you can see that it tells you whether the username is incorrect, and there are no brute-force tokens! Only default values.

I created a python script to help me find the valid usernames. I found the username Elliot.


Now it's time to find the password. We will use wpscan for this. Running it, we can see that it will take hours to reach a result. Maybe the given wordlist hides some tricks inside it. Let's use python again to erase any duplicate passwords. From 850000 passwords we now have 12000. COOL! Fire up wpscan for password cracking.

wpscan --url 192.168.1.67 --wordlist /root/Desktop/fsocietyClean.dic --username Elliot --threads 40

Password: E~snipped~2
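As an added detection-side example (not part of the original post), here is a Python script that scans Apache-style access-log lines for the two weaknesses used above: the /?author=N user-id enumeration and a burst of failed wp-login.php POSTs from one source. The log lines are constructed, the thresholds are assumed values, and it assumes WordPress's usual behaviour of answering a bad password with HTTP 200 (form re-rendered) and a successful login with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined"-style request line; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    # Return a dict (ip, ts, method, path, status) or None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect(lines, window=timedelta(seconds=60), fail_threshold=10, author_threshold=3):
    """Return {ip: sorted alert names} for author-id enumeration and wp-login.php failure bursts."""
    failures = defaultdict(deque)     # ip -> timestamps of failed logins inside the sliding window
    author_ids = defaultdict(set)     # ip -> distinct ?author=N values requested
    alerts = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "GET" and "author=" in e["path"]:
            author_ids[e["ip"]].update(re.findall(r"author=(\d+)", e["path"]))
            if len(author_ids[e["ip"]]) >= author_threshold:
                alerts[e["ip"]].add("author-id-enumeration")
        # Assumption: a bad password makes WordPress re-render the form (200); a success redirects (302).
        elif e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == 200:
            recent = failures[e["ip"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_threshold:
                alerts[e["ip"]].add("wp-login-bruteforce")
    return {ip: sorted(names) for ip, names in alerts.items()}

def _line(ip, sec, request, status):
    # Build one constructed log line `sec` seconds after 10:00:00.
    return f'{ip} - - [10/Jan/2016:10:{sec // 60:02d}:{sec % 60:02d} +0000] "{request} HTTP/1.1" {status} 512'

# Constructed sample traffic: .50 enumerates author ids then hammers the login form; .77 mistypes once, then logs in.
SAMPLE_LOG = (
    [_line("192.168.1.50", i, f"GET /?author={i + 1}", 301 if i == 0 else 404) for i in range(4)]
    + [_line("192.168.1.50", 10 + i, "POST /wp-login.php", 200) for i in range(15)]
    + [_line("192.168.1.50", 26, "POST /wp-login.php", 302)]
    + [_line("192.168.1.77", 100, "POST /wp-login.php", 200), _line("192.168.1.77", 130, "POST /wp-login.php", 302)]
)
```

Running detect(SAMPLE_LOG) flags only 192.168.1.50, for both enumeration and the login burst; the single failure from 192.168.1.77 stays under the threshold.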

Log in, and yes, we are admin, so we can edit php code. Upload a reverse shell (I prefer metasploit but a simple nc would 101% do the job).

Flag 2

Now inside the system, list /etc/passwd to see the users. Going to /home/robot there are two files: an md5 password hash and the flag. After cracking the md5 (google it), we still need some way to cat the flag file (permission 400).

Let's switch to a /bin/sh shell with the python one-liner.

python -c 'import pty; pty.spawn("/bin/sh")'

Executing:

su robot

in order to switch to the robot user instead of daemon.
Now we can cat the flag.


Flag 3

With the robot user we still do not have access to the /root directory. That has to be the place where the third flag is stored.

Let's try to find an exploit.

uname -a

No luck …

Now let's search for misconfigured executable files (setuid/setgid binaries owned by root).

find / -type f \( -perm /4000 -a -user root \) -ls -o \( -perm /2000 -a -group root \) -ls 2> /dev/null


nmap is installed setuid root and is executable by us. Let's see if we can run OS commands through it.

After doing some research: nmap has an option that switches it to interactive mode, and from there we can run OS commands with ! (many interactive programs do this, e.g. gdb).

/usr/local/bin/nmap --interactive

So we have access to the /root directory. Listing its contents and then moving the file to /tmp gives us the third flag!


I really struggled with the second flag because there was an error with the shell of the robot user. I was trying to cat with something like sudo -u robot and I didn't think of just switching user with su, so it took me some time to figure it out …
