Mr Robot
First Vulnhub box coming up in the books!
Kicking it off with Mr. Robot. Being very new to a lot of the "open" systems that are vulnerable, I had a tough time learning how to segment my network in a way that would allow my attacking box to be on my host's network while also being able to reach the exploitable box, which operates in its own segmented network.
We will find out more about that short process in another post.
So how do we get in? My friends told me, you have to "break" your way in. Time to "know your enemy" or in this case, "exploit". I kick off the below nmap scan:
I used the above range as I know that's the IP address range in which I placed my vulnerable box.
I get an IP of 10.10.0.130, with the following ports showing as open:
With this, we can tell that there should be a website up and running. Since both 80 and 443 are open, let's check it out. After visiting the initial site, where we see a nice little screen with references to the show, I looked over 10.10.0.130/robots.txt.
Having had previous experience with web apps and application security, I know one of the first places you should look is robots.txt. Should I be damned, there is a robots.txt present, which provides the following:
Viewing key-1-of-3.txt on the site gives us the following flag: 073403c8a58a1f80d943455fb30724b9
Now on to flag 2:
I ended up breaking out of the front page by going to site/question, which turned out to be a WordPress-hosted site. I see there's a login available at http://10.10.0.130/wp-login.php
Now to try and get us a login!
Let's pull down our dictionary list if we haven't already; then, as my friends suggested, run the following:
The reason we did this is that the initial .dic file has 850,000+ lines of "passwords". The above line(s) sort the lines alphabetically, then remove any duplicate lines, and output the result to a new file so our initial list stays untouched.
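As an added example (not code from the original post), here is the same clean-up done in Python instead of a sort/uniq pipeline. It goes a little beyond the text: sorting discards the original order of the list, and many wordlists are roughly frequency-ordered, so this version keeps the first occurrence of each entry instead of sorting. It also strips CRLF line endings and blank lines, which sort/uniq would otherwise keep as distinct "passwords". The sample lines are constructed and stand in for the first lines of a .dic file.

```python
"""Order-preserving wordlist clean-up (added example, not from the original post)."""
from collections import Counter


def clean_wordlist(lines):
    """Return (unique_entries, stats) for an iterable of raw wordlist lines.

    Keeps the first occurrence of each entry, drops blank lines, and strips
    trailing CR/LF so 'password\r\n' and 'password\n' count as the same word.
    """
    seen = set()
    unique = []
    stats = Counter()
    for raw in lines:
        stats["read"] += 1
        entry = raw.rstrip("\r\n")
        if not entry:
            stats["blank"] += 1
            continue
        if entry in seen:
            stats["duplicate"] += 1
            continue
        seen.add(entry)
        unique.append(entry)
    stats["kept"] = len(unique)
    return unique, dict(stats)


def clean_wordlist_file(src_path, dst_path):
    """Clean src_path into dst_path, leaving the original file untouched."""
    with open(src_path, encoding="utf-8", errors="replace") as src:
        unique, stats = clean_wordlist(src)
    with open(dst_path, "w", encoding="utf-8") as dst:
        dst.write("\n".join(unique) + "\n")
    return stats


# Constructed sample input (not from the box's fsocity.dic).
SAMPLE_LINES = ["password\n", "123456\r\n", "\n", "password\n", "elliot\n", "123456\n"]

if __name__ == "__main__":
    words, info = clean_wordlist(SAMPLE_LINES)
    print(words)  # ['password', '123456', 'elliot']
    print(info)   # {'read': 6, 'blank': 1, 'duplicate': 2, 'kept': 3}
```

Run it as `python clean_wordlist.py` for the constructed sample, or call `clean_wordlist_file("fsocity.dic", "newDic")` to process a file on disk.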
Now, onto exploitation! We know this is a WordPress site, let's check out WPScan.
We see the version of WordPress listed as: WordPress version 4.3.1 identified (Insecure, released on 2015-09-15)
However, my friends mentioned the following command set:
This performs a brute-force attack against the site using the newDic password list we obtained when we found flag 2.
We get the following information for elliot:
| username | password |
|---|---|
| elliot | ER28-0652 |
We go through and get our Meterpreter session.
The reason I am using exploit 80 - unix/webapp/wp_admin_shell_upload is that we're aiming to get a reverse shell on the server's host system.
Next we have to set up a few of our options; in this case it seems wise to run:
I set up my options similar to the following:
| command | option |
|---|---|
| set rhost | 10.0.0.128 |
| set lhost | 10.0.0.129 |
| set username | elliot |
| set password | ER28-0652 |
What ends up happening if we set our options as we have above is that we get a check saying Exploit aborted due to failure: not-found: The target does not appear to be using Wordpress
When we run show advanced, it gives us an option for wpcheck. Let's go ahead and set this as well.
| command | option |
|---|---|
| set wpcheck | false |
Now we can run our exploit.
Give it a short moment and we should then get the response that Meterpreter session 1 is open.
It seems that we don't have a fully interactive shell yet for our session. Using the following resource from ropnop.com, we ran these lines:
Where do we go from here? Let's check out the users in /etc/passwd to see who has a login shell at their disposal.
Looking through the list we see a few potential targets:
I ran ls /home/ to see who has an existing home directory, and the only result is none other than the user robot.
Let's see what kind of useful information they have at our disposal.
We can see the flag file exists, but we can't open it because we don't have read permission on it. However, we are able to see the contents of the password.raw-md5 file.
Let's open up another tab in our terminal on our attacking system and run hashcat:
Alternatively we could use CrackStation. After a couple of moments the process completes and gives us the password for the user robot.
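The reason hashcat and CrackStation finish this in moments is that password.raw-md5 stores an unsalted MD5 digest, so every candidate costs one fast hash and precomputed lookup tables work too. As an added example (not code from the original post, and not the box's real hash or password), the block below parses a constructed `user:digest` line in that style, shows the dictionary check that makes raw MD5 fall, and next to it shows what the file should have stored instead: a salted, iterated PBKDF2 hash that is verified in constant time. The sample password `hunter2-sample` and the round count are assumptions for the demo.

```python
"""Raw MD5 versus a slow salted KDF (added example, not from the original post)."""
import hashlib
import hmac
import os

# Constructed stand-in for password.raw-md5; the real file's contents are not reproduced here.
SAMPLE_PASSWORD = "hunter2-sample"
SAMPLE_RAW_MD5 = "robot:" + hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest() + "\n"


def parse_raw_md5_file(text):
    """Parse 'user:hexdigest' lines into {user: digest}; skips blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            entries[user.strip()] = digest
    return entries


def md5_dictionary_check(digest_hex, candidates):
    """Unsalted MD5: one cheap hash per candidate and no per-user salt, so a
    single precomputed table covers every user. Returns the match or None."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest_hex:
            return cand
    return None


# What a credential file should hold instead: salt + iterated KDF.
PBKDF2_ROUNDS = 200_000  # assumed demo value; tune to your hardware budget


def pbkdf2_store(password, salt=None):
    """Return a self-describing 'pbkdf2_sha256$rounds$salt$dk' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    entries = parse_raw_md5_file(SAMPLE_RAW_MD5)
    hit = md5_dictionary_check(entries["robot"], ["password", "123456", SAMPLE_PASSWORD])
    print("raw MD5 matched:", hit)
    stored = pbkdf2_store(SAMPLE_PASSWORD)
    print("pbkdf2 verify ok:", pbkdf2_verify(SAMPLE_PASSWORD, stored))
```

The design point is cost per guess: the MD5 check is a single digest with no salt, so the same table cracks every user, while each PBKDF2 guess has to redo 200,000 iterations against a per-user salt.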
Type in the password, and let's open up the flag file to get flag number 2.
flag2 - 822c73956184f694993bede3eb39f959
Flag 3 - Final one
To be honest, I had no idea where / how to work on getting some privilege escalation done in order to get us to root. One of my teammates suggested nmap.
We went through it and were able to get an interactive privileged session that we could escape from, which gave us a root-owned shell.
Long story short, there's a SUID permission set, which we can find with the following search:
You can find more information on SUID permissions on the below site: https://pentestlab.blog/
An example they used was nmap. Easy enough to say that's what we will be using here as well.
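The flip side of this step is the audit an administrator should have run: a setuid nmap is a misconfiguration that stands out immediately when the SUID files on a box are compared against what is expected to be there. As an added example (not code from the original post or from pentestlab.blog), the block below walks a directory tree, lists regular files with the setuid bit, and reports any whose name is not on a baseline. The baseline `EXPECTED_SUID` is a constructed, deliberately short list; a real one should be generated from a known-good build of the same image.

```python
"""SUID audit (added example, not from the original post)."""
import os
import stat
import sys

# Constructed baseline of binaries an administrator expects to be setuid.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "ping"}


def find_suid_files(root):
    """Return sorted paths of regular files under root with the setuid bit set.

    Symlinks are not followed (lstat), and directories that cannot be read
    are skipped rather than aborting the walk.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(root, expected=EXPECTED_SUID):
    """Split setuid files into baseline hits and unexpected ones.

    Anything under 'unexpected' (a setuid nmap, for instance) needs either a
    documented justification or a 'chmod u-s'.
    """
    suid = find_suid_files(root)
    expected_hits = [p for p in suid if os.path.basename(p) in expected]
    unexpected = [p for p in suid if os.path.basename(p) not in expected]
    return {"expected": expected_hits, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_suid(sys.argv[1] if len(sys.argv) > 1 else "/usr")
    for path in report["expected"]:
        print("baseline SUID:  ", path)
    for path in report["unexpected"]:
        print("UNEXPECTED SUID:", path)
```

Run it as `python suid_audit.py /` on a host to get the full picture, or point it at a single tree such as `/usr/local/bin`, where a stray setuid tool is most likely to appear.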
Now where could that last flag be? 🤔 No place like home!
flag3 - 04787ddef27c3dee1ee161b21670b4e4