Whois Mr Robot

It has been a while since I have had a crack at any of the boot2root boxes over at VulnHub, so when I saw a tweet saying there was a Mr Robot-inspired VM released I could not hold back!

Like always… let’s see what ports are open.

Port 80 and 443; nice. Let’s use nmap’s http-enum script to search for any low hanging fruit.

Whenever I see a robots.txt file, it’s always the first thing I check. Let’s take a look.

A couple of interesting files there. Let’s grab the dictionary file…

… and also grab the first key.

Good stuff! Key 1 of 3 found! 073403c8a58a1f80d943455fb30724b9

Moving on… let’s fuzz the webserver to look for anything out of the ordinary.

Nice… a WordPress CMS. That’s definitely going to be our foothold, but we should at least take a look at the website first.

Wow! Very cool! We’re immersed in the world of Mr Robot. Let’s play along, shall we…

We enter the command ‘prepare’ and enjoy a nice little Mr Robot video.

Next up we try the command ‘inform’ and are greeted with hacktivism-type propaganda.

Next up… let’s issue the command ‘question’. Once again, more Mr Robot propaganda.

Following the bouncing ball we issue the command ‘wakeup’, and we’re greeted with one of the opening scenes from Season 1… The top 100% of the top 100%.

And last but not least… we’ll enter the command ‘join’…

… but before we do, I set up a packet capture just in case we see anything interesting over the wire.

Unfortunately the email does nothing that I could see, apart from giving us a 404 error.

Having a bit of a dig around, I take a look at the JavaScript driving the page at 192.168.77.50/js/main-acba06a5.js. I find the commands that can be entered and notice that there is one more hidden command… 420.

In keeping with the theme, the command 420 gives us a Bob Marley quote… nice.

Unfortunately none of the commands seem to get us anywhere, but it was an awesome bit of fun and something different. Kudos, Jason… nice work.

As we found in our earlier enumeration, we are dealing with a WordPress site. Going to the standard wp-admin page, we can try the default WP user of admin.

Wow… user not found; that wasn’t expected. OK… let’s try to use some common sense. Is the user elliot by any chance?

Sweet! The user ‘elliot’ exists, but we don’t have the password. There’s only one thing left to do… brute-force the password. For this, we’ll use the standard wpscan tool, and take a punt that the dictionary file we found earlier contains our password.

BAM! We have elliot’s password. Nice troll there Jason… third-last password in the list… bastard ;)
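
One defender-side counterpart to the wpscan step above: a small Python checker, added here and not part of the original post, that reads web server access logs in Apache combined format and flags the burst of POSTs to wp-login.php that a dictionary attack like this produces. The log lines, client IPs and user-agent strings below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0], int(m.group("status"))

def detect_wp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag client IPs that POST to /wp-login.php at least `threshold` times inside any
    `window_seconds` span. WordPress re-renders the form with HTTP 200 on a failed login and
    answers a successful one with a 302 redirect, so a 302 inside the burst means the guessing
    worked and the account needs a password reset, not just a blocked IP."""
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over the sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {"attempts": len(events), "peak_in_window": peak,
                            "likely_success": any(s == 302 for _, s in events)}
    return findings

# Constructed sample log (not from the original post): one scanner IP hammering wp-login.php
# and one normal user who logs in once. IPs and user-agent strings are invented.
SAMPLE_LOG = "\n".join(
    [f'192.168.77.1 - - [10/Oct/2016:20:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" {c} 3891 "-" "scanner/1.0"'
     for s, c in ((5, 200), (6, 200), (7, 200), (8, 200), (9, 302))]
    + ['192.168.77.20 - - [10/Oct/2016:20:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
       '192.168.77.20 - - [10/Oct/2016:20:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])

print(detect_wp_bruteforce(SAMPLE_LOG))
```

Only the scanner IP is reported, with `likely_success` set because its burst ends in a 302; lowering the window to a couple of seconds drops the peak below the default threshold, which is the knob to tune against your own login traffic.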

Let’s log on as elliot, and as per numerous other WP hacks we’ll simply upload our own PHP code in order to get a reverse shell to the box. For something different, I edited the page.php template file for shits and giggles, and created a blank test page to initiate the shell.

With our listener set up on our attacking host, we’ll visit our test page, which will trigger the reverse shell.

Good. That worked as expected. Let’s take a look at what users exist on the box.

Next step, take a look at robot’s home directory.

As you can see, we cannot read the flag, but we can read the MD5 hash. Let’s crack the hash.

Nice password, robot. Time to log in as robot…

… and grab our second key. W00t! 822c73956184f694993bede3eb39f959

Pottering around the box I search for SUID binaries, look for anything out of the ordinary, and try the usual overlayfs exploit for this version of Ubuntu. Nothing… hmmm. Taking a look at the SUID binaries again, I recall that old versions of nmap suffered from a privesc vulnerability which allowed you to escalate to root via the interactive feature. Let’s have a crack…

BAM!!! We are root!

All that is left now is to grab our final key. TADA!!!! 04787ddef27c3dee1ee161b21670b4e4

THE END

Quick note here… the nmap interactive privesc vulnerability works from our first user, daemon, so there is no need to gain access to the robot account in order to pwn the Mr Robot boot2root.

Thanks for the Mr Robot boot2root challenge Jason… very enjoyable and something a little bit different.

Thank you, as always, @Vulnhub and @g0tmi1k, for hosting such awesome challenges.

Until next time, tight lines and happy hacking.