OK, so I was initially inspired to do this as my first challenge VM due to my love for the show Mr. Robot. If you’re doing challenge VMs and not watching Mr. Robot, you’re missing out on the show’s amazing accuracy in depicting computer hacking.
Anyways! This is my first challenge VM since finishing Georgia Weidman’s Intro to Pentest and Sololearn’s PHP course.
About The Challenge
Name: Mr-Robot: 1
Date released: 28 Jun 2016
Based on the show Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
So I fire up my Kali VM and the Mr-Robot: 1 VM. I start by figuring out the IP address of the machine. (Easiest way IMO is to run an arp-scan before your challenge VM is turned on, then re-run it after boot.)
We now know our Mr. Robot VM is 192.168.85.128. If you’re uncertain, or are doing this on your home network (which I never suggest unless it’s segregated: while we like to assume all is well, you’re loading an unknown machine into your network), you can also cross-check by MAC address. In VMware and VirtualBox you can view the VM’s MAC under its networking settings; compare that MAC to the one in your arp-scan results.
Now that we’ve located our target, let’s see what nmap can tell us about services and ports on the machine. Since we don’t need to be stealthy, I decided to run a -T5 scan on all ports:
nmap -sV 192.168.85.128 -p- -T5 -oA nmap
So it initially seems we only have a few things here: a closed SSH port, an open port 80 (HTTP) running Apache, and port 443 (ssl/http) also running Apache.
I re-run nmap with -A to tell us more about the ports before we inspect them manually in a web browser.
The service scan of ports 80 and 443 doesn’t return much detailed info, so let’s take a look at the website.
*** NOOB! It was at this point I realized I had fired up the wrong Kali (the VMware one as opposed to my VirtualBox one), so I had to move the setup to VirtualBox. I’ve had a mess of weird compatibility issues between the two and Kali. GOING FORWARD THE IP FOR Mr-Robot WILL BE 192.168.85.4.
When we visit the page, a pretty cool intro plays, acting as if user root is logging in, and we’re greeted with a message about how depressing our life is. Super! We’re then left at a command prompt with a few options:
I open up and view the page source; really not much to it. So I try running the “prepare” command, which displays a video asking us to join fsociety. I view the page source again, and we have more details this time! At a glance I notice that the site is a WordPress (WP) site, which we’ll revisit after trying the other commands.
I ran through the rest of the commands, some displaying images, some displaying videos. I saved all of the images along the way; you never know what’s hidden in those 😉 If you run the join command it prompts for an e-mail. I fired up Burp Suite to intercept the request and see what comes of it, but it appears to be a simple process. For now I skip this, as I don’t feel like handing out my e-mail.
I know it’s WordPress, but I fire up nikto and run a scan to see what else we can get. We find out some good-to-know things: nikto -h 192.168.85.4
So I first notice that there’s a /robots.txt file, which is not uncommon but may hold interesting info. I navigate to http://192.168.85.4/robots.txt and in there we have the following:
OK, so we have a “fsocity.dic” and a key-1-of-3.txt, which is great! We’ve found the first key. I navigate to http://192.168.85.4/robots.txt and we have our first key!
I then navigate to http://192.168.85.4/fsocity.dic, which I can only assume is a text file for a dictionary attack. Navigating there prompts for a download, which I accept. I cat the file and we’re given a list of words. I can only assume, this being a challenge, that it holds the password for a flag. I make a note of this and move on.
Nikto flags /admin/ as possibly interesting. However, checking it over both HTTP and HTTPS results in the page constantly refreshing; not sure if that means anything. Nikto also flags http://192.168.85.4/?p=23 as a weird link; following it takes you back to the initial video and welcome page.
Still looking at the Nikto output, I see a /readme.html, which shows us the WordPress version when we navigate to it. This is good-to-know info.
I scroll down through the page looking at the links. I notice one that talks about the LOGIN PAGE, so I click it and we have a WordPress login area! I keep that tab open and keep looking. At the bottom of the page I see a link to license.txt, which we assume is located locally. Clicking on it returns:
“what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?”
Not really any help, but funny nonetheless. And if I’m not mistaken, a quote from Season 1 of Mr. Robot.
I check out a few other pages and nothing really jumps out at me. I also ran nikto against port 443, which returned the same results. So at this point I change my focus to getting login access to WordPress. I fire up wpscan (WordPress Scan) and see what we can find.
I run “wpscan --url 192.168.85.4 --enumerate users”.
Unfortunately this tells us it could not enumerate users; I was hoping that would return some usernames to use with the dictionary file we found.
I decide to take a look at the password file, just to make sure it’s not simply a list of usernames. It does appear to be passwords, but then I noticed some names from the TV show. I first notice Alderson. I type that into the WordPress password reset box; it says username not found. I try Elliot (the show’s lead) and it returns saying a password reset e-mail has been sent!
I first verify with Burp Suite that I cannot intercept this. Then I decide it’s time to brute-force the password with the fsociety.dic I found.
So I run “wpscan --url http://192.168.85.4 --wordlist ~/challenge_vms/mr_robot/fsociety.dic --username Elliot”.
This proceeds to run for over 4 hours! But in the end we get a password!
We now know the username is Elliot and the password is ER28-0552. I make a note and head over to the WordPress login to see what we can get!
I see photos, download all of them, and check their metadata with exiftool. Everything at this point appears normal, so I move on. I scroll down in WordPress to the Users section. I notice our login, and another.
I take the username and run a brute force against it; this one finishes almost instantly, providing the password for Krista.
I log in as Krista and look around. I see in her Biography section it says “another key?” I read through some of the source code and don’t appear to find anything. Not sure what it’s hinting at.
I then realize . . . . . from a previous challenge VM I had attempted and failed miserably, I had read about Pentest Monkey’s PHP reverse shell. Any site that runs PHP, and that you can get access to upload a file to, gives you the ability to attempt a reverse shell! I did struggle here: I was trying to make posts and use different areas to get this to work. Then I remembered, I need to upload this PHP code and execute it. . . . . how do I do that? I NEED TO BE ABLE to browse to http://192.168.85.4/SOMETHING.php. So I notice we can edit the theme pages, and I see there is a 404.php page to edit. . . . is this a hint? I edit the page and insert the code from Pentest Monkey. I save the theme and open up a terminal.
I start a netcat listener to wait for the reverse shell from the web server. I run
nc -v -n -l -p 1234
I then open my browser, go to http://192.168.85.4/404.php and hit enter . . . within seconds my netcat listener connects and I appear to have a shell!
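The fix on the WordPress side for what just happened is to take the theme/plugin file editor away from wp-admin, which WordPress does when wp-config.php defines DISALLOW_FILE_EDIT as true. The script below is an added example, not part of this write-up or of WordPress itself; it assumes the “That’s all, stop editing!” marker comment that WordPress ships in wp-config.php, and the sample config used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the write-up: remove the WordPress theme/plugin file
# editor by defining DISALLOW_FILE_EDIT in wp-config.php. The "That's all, stop
# editing!" marker is the comment WordPress ships in that file; the sample file
# used when testing this is constructed.

# wp_constant_set FILE NAME: succeed if FILE defines NAME as true.
wp_constant_set() {
  grep -Eq "define\( *'$2' *, *true *\)" "$1"
}

# harden_wp_config FILE: insert define( 'DISALLOW_FILE_EDIT', true ); before the
# marker comment (append if the marker is missing). Safe to run repeatedly.
harden_wp_config() {
  cfg=$1
  name=DISALLOW_FILE_EDIT
  if wp_constant_set "$cfg" "$name"; then
    return 0
  fi
  line="define( '$name', true );"
  if grep -q "That's all, stop editing" "$cfg"; then
    awk -v l="$line" '!done && /That.s all, stop editing/ { print l; done=1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
  # Verify the constant is now present before reporting success.
  wp_constant_set "$cfg" "$name"
}
```

With the constant set, the Appearance > Theme Editor screen is no longer offered in wp-admin, so a stolen editor or admin login cannot write PHP into 404.php the way it was done above; DISALLOW_FILE_MODS goes further and also blocks plugin and theme installs and updates from the dashboard.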
I browse to the home directory to see what we have there. I notice a directory called robot. I browse into it and notice the following:
Unfortunately we cannot cat the key file; ls shows that only the robot user has access to it. A quick whoami shows we are running as “daemon”.
I cat password.raw-md5, which shows the user robot with a hash. I paste the hash into Google, and a bunch of MD5 lookup sites return the following plaintext for it:
I know that I need to be able to escalate our privileges and become robot so we can access the key file.
As I’ve said a few times during this write-up, I struggled here, and for no reason. But part of these challenges is the learning experience. I knew I had the robot password and just needed to switch users to robot. However, no matter how many times I tried sudo, or sudo - robot, I got the same error: “No TTY available on the system.” Google searches pretty much all returned how to fix the issue if you are the system admin. So after this I moved on to privilege escalation scripts and process. WHILE I now know I didn’t need to do this, something good still came of it! I found a few helpful sites/scripts. You can pull these scripts onto the system using wget SCRIPT_ADDRESS. They run a thorough check of the system to see what is running, what you have access to, and anything that seems fishy.
Here is where I found references to 2 scripts and 1 walkthrough by g0tmi1k on manually checking what those scripts do: http://netsec.ws/?p=309. Even if you’re here for answers, I would tell you to 100% bookmark that page.
Moving on, I had to reference another walkthrough, and found that I had quit too early when trying to switch users. I LEARNED, as this is the point of these, how to start a proper shell once you’ve gotten command-line access:
python -c 'import pty; pty.spawn("/bin/bash")'
Running the above line imports Python’s pty module and spawns bash inside a pseudo-terminal. From here I was able to run commands as normal.
Now running as robot, I was able to cat the key file and got our 2nd flag!
Next I assume we need to get into the root directory. I look at the output of the scripts I’ve run for interesting items. One thing that stands out is that the system has netcat installed. I assume this is how we get root, since netcat appears to have root privileges. I spend some time on this with no luck.
I also notice the system has nmap installed, listed under the SUID section of the Linux enum script. I ran a few nmap commands with no idea what I needed to do, so I did a Google search for “nmap privilege escalation”, which led me to someone asking why it works. I know why it works! So I drop into nmap interactive mode (nmap --interactive) and run the following commands:
And with that we have our final key! This was a great challenge and the first I’ve ever completed!!!! Admittedly I had to do a lot of research, and I read walkthroughs after the fact where no one mentions using netcat. But hey! Leave no stone unturned.
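What the enum script reported here is exactly what an administrator should be checking for from the other side: a SUID binary that hands its caller a shell. The script below is an added example, not part of this write-up or of any of the enum scripts it mentions; it compares a host’s SUID list against a baseline and flags the shell-capable names the write-up mentions (nmap, netcat). Both lists are constructed stand-ins for real find output.

```shell
#!/bin/sh
# Added example, not from the write-up: compare the SUID binaries on a host against
# a known-good baseline and flag any that can run commands on the caller's behalf
# (nmap's interactive mode, netcat). Both lists below are constructed; on a real
# host CURRENT would come from:
#   find / -perm -4000 -type f 2>/dev/null | sort

BASELINE='/bin/ping
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo'

CURRENT='/bin/ping
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/local/bin/nmap'

# Binaries that should never carry the SUID bit because they give the caller a
# shell or execute arbitrary commands.
WATCHLIST='nmap nc netcat ncat'

# new_suid BASELINE CURRENT: print paths in CURRENT that are not in BASELINE.
new_suid() {
  printf '%s\n' "$2" | while IFS= read -r path; do
    printf '%s\n' "$1" | grep -qxF -- "$path" || printf '%s\n' "$path"
  done
}

# flag_watchlist: read paths on stdin, print those whose basename is on WATCHLIST.
flag_watchlist() {
  while IFS= read -r path; do
    base=${path##*/}
    for w in $WATCHLIST; do
      if [ "$base" = "$w" ]; then printf '%s\n' "$path"; break; fi
    done
  done
}

# audit_suid: report both findings; return 1 if anything needs attention.
audit_suid() {
  added=$(new_suid "$BASELINE" "$CURRENT")
  flagged=$(printf '%s\n' "$CURRENT" | flag_watchlist)
  if [ -n "$added" ]; then printf 'new SUID since baseline:\n%s\n' "$added"; fi
  if [ -n "$flagged" ]; then printf 'shell-capable SUID binaries:\n%s\n' "$flagged"; fi
  if [ -n "$added" ] || [ -n "$flagged" ]; then return 1; fi
  return 0
}
```

Running audit_suid from cron and alerting on a non-zero exit catches a stray SUID bit like the one on nmap here before anyone with a daemon-level shell does.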