TAKE DOWN Mr-Robot: 1

Yesterday I opened Vulnhub.com and found a challenge based on Mr. Robot. The TV series of the same name is due to be released in July 2016.

So here it goes, in a quick walkthrough.

Objective: find three hidden keys

Netdiscover

Nmap

Nmap shows that ports 80 and 443 are open. Let's take a look at port 80.


PORT 80/TCP

I tried several things here but found nothing interesting, so I looked for another way in.

Nikto

Take a look at all the files it found:

  • robots.txt,
  • readme.html,
  • wp-links-opml.php,
  • license.txt,
  • etc.

Two of them stood out to me: robots.txt and license.txt.

robots.txt

robots.txt gives away the location of two files: fsocity.dic and key-1-of-3.txt.

Key-1-of-3.txt

Yeayy!! So easy: the first key is {073403c8a58a1f80d943455fb30724b9}.

WordPress

Well, we need a user account to log in.

Wfuzz

Use fsocity.dic as the wordlist to brute-force the directories on this site.

license.txt

Nikto also found license.txt; take a look at "/license" on the site.

Scrolling down

Scroll down until you reach a base64-encoded string.

Great, now decode that base64 string.

It decodes to a credential; let's use it to log in to WordPress.

We are now logged in to WordPress with administrator privileges. As admin we can edit plugin or theme code, so in this case we edit the hello.php file of the Hello Dolly plugin.

Save and activate the plugin. After that, just access the backdoor at "/wp-content/plugins/hello.php?cmd=".
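From the defender's side, the two noisiest steps so far (the wordlist-driven directory brute force and the later requests to the modified plugin file with a cmd parameter) both leave clear traces in the web server log. The following Python check is an added example, not part of the original write-up or the VM; the log lines, the 404 threshold and the parameter-name set are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format; the request line is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
# Plugin files are normally included by WordPress core, not requested directly;
# a direct hit on one carrying a command-style parameter matches the backdoor above.
PLUGIN_PHP = re.compile(r'^/wp-content/plugins/.*\.php$')
CMD_PARAMS = {"cmd"}      # assumption: extend with other parameter names you track
BRUTE_THRESHOLD = 50      # assumption: 404s from one source before calling it a scan


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=BRUTE_THRESHOLD):
    """Return plugin-webshell hits and sources whose 404 count looks like a wordlist scan."""
    webshell, not_found = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        url = urlsplit(rec["path"])
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if PLUGIN_PHP.match(url.path):
            params = {k: v[0] for k, v in parse_qs(url.query).items() if k in CMD_PARAMS}
            if params:
                webshell.append((rec["ip"], url.path, params))
    scanners = sorted(ip for ip, n in not_found.items() if n >= threshold)
    return {"webshell": webshell, "scanners": scanners}


# Constructed sample: a robots.txt fetch, one hit on the plugin backdoor, a direct plugin
# request without a parameter (not flagged), and a 60-word directory scan from one source.
SAMPLE = [
    '10.0.0.5 - - [12/Jul/2016:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jul/2016:10:05:00 +0000] "GET /wp-content/plugins/hello.php?cmd=id HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jul/2016:10:06:00 +0000] "GET /wp-content/plugins/hello.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
] + [
    f'10.0.0.5 - - [12/Jul/2016:10:01:{i % 60:02d} +0000] "GET /word{i} HTTP/1.1" 404 209 "-" "Mozilla/5.0"'
    for i in range(60)
]
```

Run `analyze()` over a real access log and the same source shows up in both lists: the scan first, then the backdoor requests from the account it compromised.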

Reverse Shell

We use a Perl one-liner to get a reverse shell.

Awesome, we're in the system. Let's find the second key.

key-2-of-3.txt

Wohoo.. we found key-2-of-3.txt in "/home/robot/", but we don't have permission to read it.

The "password.raw-md5" file holds a username and an MD5 hash. Let's crack the hash with an online cracker.

So the password is abcdefghijklmnopqrstuvwxyz; nobody uses a password like that these days, of course (or do they?). Now let's escalate to the "robot" user.

But first, we upgrade our shell to an interactive one using Python.

key-2-of-3.txt: {822c73956184f694993bede3eb39f959}. Now, let's find the final key.

I expect the final key is in the root directory, so I need to become root.

Key-3-of-3.txt

Let's check which applications are installed and which services are running. The guide from g0tm1lk is an excellent reference for this.

After some digging, we found that the nmap binary runs as root.

Check this out:

We can use it to escalate our privileges. Let's see what this nmap can do.

This version of nmap has an --interactive option. Let's try it.

The interactive help shows that we can spawn a shell. Let's try it.

Awesome! We got root and the last key.

key-3-of-3.txt: {04787ddef27c3dee1ee161b21670b4e4}.

Thank you for playing!