My write-up for Mr-Robot: 1 at Vulnhub.com is as follows.
About vulnhub.com
Vulnhub is a website that caters to the security community and provides them with training environments. It presents a diverse range of virtual machines and networks that can be downloaded to enhance one's cybersecurity skills in both offensive and defensive aspects.
Disclaimer:
The information, techniques, and tools presented in this document are intended solely for educational purposes. Any utilization of the content within this document is at your own discretion, and I cannot be held accountable for any harm inflicted upon systems or individuals legally. Engaging in the unauthorized use of the tools and techniques outlined in this document to target individuals or organizations is strictly prohibited by law. It is your responsibility to adhere to all relevant local, state, and federal regulations. I disclaim any liability and will not be held responsible for any misuse or harm resulting from the application of the information provided herein.
Description:
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
Hacking Phases:
- Finding IP
- Network Scanning
- Viewing target Website on web browser
- Vuln Analysis
- Found 1st Flag
- Download the fsocity.dic file and use it as a dictionary
- WordPress password cracking
- Login into WordPress
- Upload and execute a backdoor
- Use a Python one-liner to get a proper TTY shell
- Found 2nd flag
- Privilege Escalation
- Get Root access and capture the flag.
Reconnaissance:
Finding IP :-
To find the target IP address, run netdiscover against the lab network (the -r option takes a CIDR range, not a single address).
command : sudo netdiscover -r <network range, e.g. 192.168.1.0/24>
Our Mr. Robot machine is the host whose vendor column shows PCS Systemtechnik, the MAC vendor string VirtualBox assigns to its virtual adapters.
Network Scanning :-
I conducted an Nmap scan to identify the service, version, and operating system in use. Additionally, I performed a comprehensive port scan to detect any open ports.
command :nmap -sV -A <machine IP>
We can see that port 80 is open and let’s open a web browser and try to connect to the target.
Viewing target Website on web browser :-
To examine the website on the target, I enter the target's IP address preceded by "http://" in a web browser. The website appears with an animation related to Mr Robot. The animation ends with a Linux terminal-like screen with a blinking cursor. This screen allows me to enter commands that trigger new animations or image galleries. After each animation or gallery, I am redirected back to the initial interactive screen. I test all the commands, but they all have the same outcome.
Vuln Analysis :-
In my search for hidden directories, I employed the use of gobuster.
command : gobuster dir --url http://<machine IP> -w /usr/share/wordlists/dirb/common.txt
Upon analyzing the results, it is clear that the website is utilizing the WordPress platform.
From this scan I identified that there is something hidden in robots.txt, so I checked that page in the browser.
Since this machine is based on a TV series, I googled Mr. Robot and got some results. From those we got a user named "Elliot", so I tried this character's name as the username on the login page.
The login page's response confirmed that elliot is a valid user.
Can we use the earlier found wordlist to carry out a brute force attack on the WordPress login?
We have a user name and a wordlist.
First we need to sort and deduplicate the wordlist, since fsocity.dic contains the same words many times over (use plain uniq here: uniq -u would throw away every word that appears more than once instead of keeping one copy of it).
command : sort fsocity.dic | uniq > /home/kali/pass
command : wpscan --url http://<machine IP> --usernames elliot --passwords /home/kali/pass
Using the password received from the brute-force exercise, I was able to login to the wp-admin page
After gaining entry to the webpage, a thorough examination of the Users page reveals that the acquired credential does, in fact, belong to the administrator of this WordPress instance.
Looking around the admin area, we find the theme editor page.
Here I uploaded a PHP reverse shell script.
Upload and execute a backdoor :-
Once this is done and saved, I open up a terminal and type in nc -lvp 3234 to listen for connection attempt from the target machine.
I open up a browser and simply request the page I edited on the target IP. This initiates the session and gives limited shell access on the target as the user 'daemon'.
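The login brute force and the theme-editor write above both leave distinctive traces in the web server's access log. As an added example that is not part of the original write-up, the Python script below parses combined-format access log lines, flags any source IP that POSTs to wp-login.php at least a set number of times inside a one-minute window, and lists every POST to the built-in theme or plugin editor. The log lines, IP addresses and thresholds are constructed for the example, not taken from the VM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string before matching
        events.append(e)
    return events


def login_bursts(events, window_seconds=60, threshold=10):
    """Flag IPs that POST to wp-login.php at least `threshold` times inside any
    `window_seconds` window. Returns {ip: peak count seen in one window}."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            per_ip[e["ip"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php"}


def editor_writes(events):
    """Any POST to the built-in theme/plugin editor rewrites PHP under the web root.
    Few sites need this, so each hit is worth an alert (and setting the WordPress
    constant DISALLOW_FILE_EDIT removes the feature entirely)."""
    return [(e["ip"], e["ts"].isoformat()) for e in events
            if e["method"] == "POST" and e["path"] in EDITOR_PATHS]


# ---- Constructed sample log (made up for this example; no real hosts) ----
def _line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


_t0 = datetime(2024, 1, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [_line("10.0.0.9", _t0, "GET", "/", 200)]
# 12 failed attempts (HTTP 200 = login form re-served) then one success (302) within 13 seconds
SAMPLE_LINES += [_line("10.0.0.5", _t0 + timedelta(seconds=i), "POST", "/wp-login.php", 200, "WPScan v3.8")
                 for i in range(12)]
SAMPLE_LINES.append(_line("10.0.0.5", _t0 + timedelta(seconds=12), "POST", "/wp-login.php", 302, "WPScan v3.8"))
SAMPLE_LINES.append(_line("10.0.0.9", _t0 + timedelta(minutes=5), "POST", "/wp-login.php", 302))  # one normal login
SAMPLE_LINES.append(_line("10.0.0.5", _t0 + timedelta(minutes=6), "POST", "/wp-admin/theme-editor.php", 302))
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("login bursts:", login_bursts(ev))    # {'10.0.0.5': 13}
    print("editor writes:", editor_writes(ev))  # [('10.0.0.5', '2024-01-12T10:06:00+00:00')]
```

The burst rule is deliberately coarse: a single IP with a dozen login POSTs in a minute is far outside normal human behaviour, and the 302 that ends the burst is the sign that the brute force succeeded. The editor rule needs no threshold at all, because on a site that never uses the in-browser editor one POST is already the finding.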
Use a Python one-liner for a proper TTY shell :-
Since this is a shell without a TTY, we need to run a couple of commands that spawn a proper TTY shell.
command : python3 -c 'import pty;pty.spawn("/bin/bash")'
command : export TERM=xterm
After navigating to the 'robot' home directory, I discovered two files. One of them cannot be read with our current permissions, while the other contains an MD5 hash. By cracking the hash (MD5 is a hash, not encryption, so it is cracked rather than decrypted), we can obtain the password for the 'robot' user.
Found 2nd flag :-
command : john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt <file containing the hash>
So, as I said, after cracking the hash we get robot's password. Now we can switch user to robot with su.
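The reason a single john run recovers robot's password is that the file holds a raw, unsalted MD5 digest. As an added example (not from the write-up), the Python below shows why that is weak and what the fix looks like: identical passwords give identical MD5 digests, so one precomputed table answers every such hash, whereas a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library is different for every user and can only be checked with the candidate password in hand. The word list and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os


def md5_digest(password):
    """Raw, unsalted MD5 as the VM stored it: the same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precomputed digest -> word table. With no salt, one table serves every user on every system,
    which is exactly what a wordlist-based cracker exploits."""
    return {md5_digest(w): w for w in words}


ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor, in the range OWASP recommends


def hash_password(password, salt=None):
    """Salted, iterated hash in a self-describing 'algo$iters$salt$dk' string.
    A fresh random salt per user means equal passwords no longer share a digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed demo data (not the VM's hash or wordlist).
DEMO_WORDS = ["letmein", "hunter2", "correcthorse"]

if __name__ == "__main__":
    table = build_lookup(DEMO_WORDS)
    leaked = md5_digest("hunter2")
    print("raw MD5 recovered by table lookup:", table.get(leaked))  # hunter2

    a = hash_password("hunter2")
    b = hash_password("hunter2")
    print("same password, different stored hashes:", a != b)           # True
    print("both verify:", verify_password("hunter2", a) and verify_password("hunter2", b))  # True
    print("wrong password rejected:", not verify_password("hunter3", a))  # True
```

The lookup table is the whole attack against raw MD5: it is built once, offline, and costs one dictionary access per leaked hash. The salted PBKDF2 form forces the same work to be redone per user and per guess, and the iteration count is stored with the hash so it can be raised later without breaking existing records.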
Privilege Escalation :-
But you can see that we are still an ordinary user; we need to get to root, which is the privilege escalation step.
For that we need to locate an executable with the SUID bit set and use it to run root-level commands.
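The same check the attacker performs at this step is one a defender should run on a schedule: enumerate setuid files and diff them against a known-good baseline, so an unexpected binary with the bit set is noticed before it is abused. As an added example (not part of the write-up), the Python below does that over a directory tree. It builds a small constructed tree in a temporary directory with one expected and one unexpected setuid file, so the paths and the baseline list are assumptions for the demo, not values from the VM.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return paths (relative to root) of regular files with the setuid bit set.
    Symlinks are not followed and unreadable entries are skipped rather than fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def audit_setuid(root, baseline):
    """Compare what is on disk with a known-good baseline.
    Returns (unexpected, missing): new setuid files are the finding; a vanished
    one is also worth a look, since it may mean the baseline is stale or tampered."""
    found = set(find_setuid_files(root))
    baseline = set(baseline)
    return sorted(found - baseline), sorted(baseline - found)


# ---- Constructed demo tree (assumed paths, not the VM's) ----
DEMO_BASELINE = ["bin/passwd"]  # the one setuid file we expect to see


def build_demo_tree(root):
    """One expected setuid file, one unexpected setuid file, one ordinary file."""
    for rel, mode in (("bin/passwd", 0o4755), ("opt/tool", 0o4755), ("etc/plain", 0o644)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)


def run_demo():
    """Build the constructed tree in a temp dir and audit it. Returns (unexpected, missing)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit_setuid(root, DEMO_BASELINE)


if __name__ == "__main__":
    unexpected, missing = run_demo()
    print("unexpected setuid files:", unexpected)  # ['opt/tool']
    print("missing from baseline:", missing)       # []
```

On a real host the baseline would be taken from a freshly installed system (or the package manager's file lists) and the audit run from cron against "/", with any non-empty "unexpected" list raised as an alert.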
Root access and capture the flag :-
Now we have escalated our privileges to root.
That nearly completes the machine; the third flag is left for you to find.
Happy hackers!!