TAKE DOWN Mr-Robot: 1

Yesterday, while fasting, I opened the browser to Vulnhub.com and found a challenge based on Mr Robot (https://www.vulnhub.com/entry/mr-robot-1,151/). The TV series of the same name will be released soon, in July 2016.

So here it goes, at a fast pace 🙂

Objective: find three hidden keys

Netdiscover

pic1

Nmap

As nmap shows, ports 80 and 443 are open. Now let's take a look at those ports.

pic1

PORT 80/TCP

pic1

I tried many things but found nothing exciting, so I looked for another way.

Nikto

pic1

Take a look at all the files it found:

  • robots.txt,
  • readme.html,
  • wp-links-opml.php,
  • license.txt,
  • etc.

Two of them stood out to me: robots.txt and license.txt.

robots.txt

pic1

robots.txt reveals the location of two files: fsocity.dic and key-1-of-3.txt.
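The defender's lesson from this step is that robots.txt is a public file: anything it names is advertised, not hidden. The following Python check is an added example, not part of the original writeup. It parses a robots.txt body and flags Disallow entries that point at individual files with secret-looking names. The sample robots.txt, the base URL http://example.test/ and the SENSITIVE name pattern are constructed for this example.

```python
import re
from urllib.parse import urljoin

# Constructed robots.txt modelled on the disclosure in the writeup: a
# wordlist and a flag file listed under Disallow.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /fsocity.dic
Disallow: /key-1-of-3.txt   # "hidden" from crawlers, public to everyone else
Allow: /wp-admin/admin-ajax.php
"""

# Name fragments that should never appear in a public Disallow line
# (an assumed list, extend it for your environment).
SENSITIVE = re.compile(
    r"(key|secret|passw|backup|dump|\.dic$|\.sql$|\.bak$|\.zip$|\.txt$)", re.I
)


def parse_disallow(text):
    """Disallow values from a robots.txt body; comments stripped, blank values ignored."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value)
    return paths


def risky_disallows(text, base="http://example.test/"):
    """Disallow entries that name a single file with a secret-looking name,
    returned as the full URL that anyone reading robots.txt can request."""
    return [urljoin(base, p) for p in parse_disallow(text)
            if not p.endswith("/") and SENSITIVE.search(p)]


if __name__ == "__main__":
    for url in risky_disallows(SAMPLE_ROBOTS):
        print("advertised in robots.txt:", url)
```

Directory entries such as /wp-admin/ are skipped on purpose; they are normal. A file-level Disallow that matches the pattern is a finding to fix by removing the file or the line, not by renaming it.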

Key-1-of-3.txt

pic1

Yeayy!! That was easy; we get the first key {073403c8a58a1f80d943455fb30724b9} 🙂

WordPress

pic1

Well, we need to find a user account to log in with.

Wfuzz

Use fsocity.dic as the wordlist to brute-force the directories on this site.

pic1

license.txt

Nikto also found this license.txt file; take a look at "/license" on the site.

pic1

Scrolling down

pic1

Scrolling down until we find a base64-encoded string..

pic1

Great, now we decode this base64 string.

pic1

We found the credentials; let's use them to log in to WordPress.

pic1
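Credentials hidden as base64 inside an innocuous file are a common finding, and the decoding step is trivial, so the useful defender-side tool is a scanner that locates such blobs before someone else does. The Python below is an added example, not code from the post: it extracts base64-looking tokens from text, decodes them strictly, and reports the ones whose plaintext has the user:password shape. The sample text and the credential alice:example_password encoded inside it are constructed for this example.

```python
import base64
import binascii
import re

# Constructed licence-style text with a base64 blob at the end, the pattern
# the writeup finds in /license. It decodes to the made-up credential
# alice:example_password.
SAMPLE_TEXT = """\
Copyright notice for the theme files in this directory.
Redistribution is permitted under the terms of the licence.

YWxpY2U6ZXhhbXBsZV9wYXNzd29yZA==
"""

# A run of 16 or more base64-alphabet characters with optional padding,
# not glued to further base64 characters on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)
# Plaintext shaped like user:password.
CRED_SHAPE = re.compile(r"^[\w.@-]{2,64}:\S{4,}$")


def decode_if_base64(token):
    """Strict decode (bad length or alphabet is rejected); None unless the
    result is printable UTF-8 text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_encoded_credentials(text):
    """(token, plaintext) pairs for base64 tokens whose plaintext looks like a credential."""
    hits = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        plain = decode_if_base64(token)
        if plain is not None and CRED_SHAPE.match(plain.strip()):
            hits.append((token, plain.strip()))
    return hits


if __name__ == "__main__":
    for token, plain in find_encoded_credentials(SAMPLE_TEXT):
        print(f"{token} -> {plain}")
```

Run it over a web root (every .txt, .html and .php file) as part of a pre-deployment check. Long ordinary words never decode cleanly because strict decoding rejects lengths that are not a multiple of four, so false positives are rare; the credential-shape filter removes the rest.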

We have successfully logged in to WordPress with administrator privileges. With admin rights we can edit plugin or theme code; in this case we will edit the hello.php file of the Hello Dolly plugin.

pic1

Save and activate this plugin. After that, just access the backdoor at “/wp-content/plugins/hello.php?cmd=”.

pic1
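Two controls bear on this step. WordPress can remove the plugin/theme editor entirely with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, and a backdoor planted this way leaves a distinctive trace in the web server log: direct requests to a PHP file under /wp-content/plugins/ that carry a command-style query parameter. The Python below is an added example, not part of the writeup; it checks a wp-config.php body for that constant and runs a simple detection over Apache combined-format log lines. The log lines, client addresses, timestamps and the SHELL_PARAMS list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines. The plugin path and cmd=
# parameter follow the backdoor URL described in the writeup; the client
# addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2016:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jun/2016:10:02:10 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jun/2016:10:03:15 +0000] "GET /wp-content/plugins/hello.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jun/2016:10:04:00 +0000] "GET /wp-content/plugins/akismet/style.css HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Query parameter names commonly used to pass a command to a web shell (assumed list).
SHELL_PARAMS = {"cmd", "c", "exec", "command", "e"}
# A PHP file under plugins/ or themes/ requested directly, not through WordPress.
PLUGIN_PHP = re.compile(r"^/wp-content/(plugins|themes)/.*\.php$")
EDITOR_PAGES = {"/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php"}


def parse_log(text):
    """Field dicts for every line that matches the combined-log shape."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def suspicious_requests(text):
    """Direct hits on a plugin/theme PHP file that carry a shell-style parameter."""
    hits = []
    for rec in parse_log(text):
        parts = urlsplit(rec["url"])
        if not PLUGIN_PHP.match(parts.path):
            continue
        found = sorted(set(parse_qs(parts.query, keep_blank_values=True)) & SHELL_PARAMS)
        if found:
            hits.append((rec["ip"], parts.path, found))
    return hits


def editor_writes(text):
    """POSTs to the built-in code editor: the action that planted the backdoor."""
    return [(rec["ip"], urlsplit(rec["url"]).path) for rec in parse_log(text)
            if rec["method"] == "POST" and urlsplit(rec["url"]).path in EDITOR_PAGES]


def file_edit_disabled(wp_config):
    """True when wp-config.php sets DISALLOW_FILE_EDIT to true, which removes the editor."""
    m = re.search(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)""",
                  wp_config, re.I)
    return bool(m) and m.group(1).lower() == "true"


if __name__ == "__main__":
    print("editor writes:", editor_writes(SAMPLE_LOG))
    print("web-shell style requests:", suspicious_requests(SAMPLE_LOG))
    print("editor disabled:", file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

With the editor disabled the POST to plugin-editor.php cannot succeed; the log rule still earns its keep, since a file dropped by any other route (FTP, a vulnerable upload handler) produces the same direct-request pattern.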

Reverse Shell

We use a Perl one-liner to get a reverse shell:

pic1

Awesome, we’re in the system. Let’s find the second key.

key-2-of-3.txt

Wohoo.. we found key-2-of-3.txt at "/home/robot/". But we don't have permission to read this key.

pic1

In the "password.raw-md5" file there is a username and an MD5 hash. Let's crack this hash using an online cracker.

pic1

So the password is abcdefghijklmnopqrstuvwxyz; nobody uses this kind of password these days, of course (or do they?). Now, escalate our privileges to become the "robot" user.
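Why did the online cracker answer instantly? The file stores a raw, unsalted MD5, so one hash of each wordlist candidate tests every account at once. The Python below is an added example, not the writeup's code: it parses a user:hash file in that format, shows the wordlist lookup that recovers this password (MD5 of abcdefghijklmnopqrstuvwxyz is c3fcd3d76192e4007dfb496cca67e13b, the standard RFC 1321 test vector), and contrasts it with a salted PBKDF2 record where every candidate has to be recomputed per account. The username in the sample file and the small wordlist are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed "user:hash" file in the raw-MD5 layout the writeup describes.
# The digest is MD5("abcdefghijklmnopqrstuvwxyz"); the username is an assumption.
SAMPLE_RAW_MD5 = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Tiny constructed wordlist standing in for the cracker's dictionary.
SAMPLE_WORDLIST = ["password", "123456", "qwerty", "abcdefghijklmnopqrstuvwxyz", "letmein"]


def parse_raw_md5(text):
    """Map user -> lowercase hex digest from 'user:hash' lines."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user.strip()] = digest.strip().lower()
    return entries


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wordlist_lookup(entries, wordlist):
    """Unsalted MD5: hash each candidate once, then look every user up in the
    same table. This is why a precomputed online table answers at once."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in entries.items() if digest in table}


def pbkdf2_store(password, salt=None, iterations=200_000):
    """Salted, iterated hash in a self-describing 'algo$iters$salt$dk' record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    entries = parse_raw_md5(SAMPLE_RAW_MD5)
    print("recovered from raw MD5:", wordlist_lookup(entries, SAMPLE_WORDLIST))
    stored = pbkdf2_store("abcdefghijklmnopqrstuvwxyz")
    print("pbkdf2 record:", stored)
    print("verify:", pbkdf2_verify("abcdefghijklmnopqrstuvwxyz", stored))
```

The salt makes the table in wordlist_lookup useless across accounts, and the iteration count turns each candidate into 200,000 HMAC evaluations rather than one MD5; a weak password is still weak, but the cost of checking it is no longer a lookup.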

But first, we upgrade our shell to an interactive one using Python.

pic1

Key-2-of-3.txt: {822c73956184f694993bede3eb39f959}. Now, let's find the final key.

I think the final key must be in the root directory, so I must become the root user.

Key-3-of-3.txt

Let's check which applications are installed and which services are running. You can follow this awesome guide from g0tm1lk.

After some research, we found that the nmap program runs as root.

Check this out:

pic1

We can use it to elevate our privileges. Now, check what we can do with this nmap.

pic1

This version of nmap has the --interactive option. Let's try it:

pic1

Looking at the interactive help, we can spawn a shell. Let's try it:

pic1

Awesome! We got root and the last key.

key-3-of-3.txt {04787ddef27c3dee1ee161b21670b4e4}.
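The root cause of this escalation is a setuid-root copy of a program that can spawn a shell, so the check a defender wants is an audit of setuid binaries with the shell-capable ones called out. The Python below is an added example, not from the writeup: find_suid walks a tree for setuid regular files without following symlinks, risky_suid filters them against a short list of names known to hand out shells (nmap being the case from this box), and make_demo_tree builds a temporary directory with fake setuid files so the audit can be exercised offline. The KNOWN_SHELL_CAPABLE list is an assumption, not an exhaustive reference.

```python
import os
import re
import stat
import tempfile

# Names that hand out a shell or arbitrary file access when setuid root.
# nmap (with --interactive) is the case from this box; the rest is a short,
# assumed list, not an exhaustive reference.
KNOWN_SHELL_CAPABLE = {
    "nmap", "bash", "sh", "dash", "zsh", "python", "perl", "ruby",
    "vim", "vi", "find", "less", "more", "awk", "nano",
}


def find_suid(root):
    """Sorted (path, owner_uid) for regular files under root with the setuid
    bit set. os.lstat is used so a symlink to a setuid file is not reported
    twice and a dangling link does not abort the walk."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def canonical_name(path):
    """Strip a trailing version so python3.5 -> python and perl5.30 -> perl."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def risky_suid(root):
    """Setuid files whose name is on the shell-capable list."""
    return [p for p, _uid in find_suid(root)
            if canonical_name(p) in KNOWN_SHELL_CAPABLE]


def make_demo_tree():
    """Throwaway directory with constructed files: a setuid 'nmap', a setuid
    'ping' (setuid but not shell-capable) and a plain 'cat'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("cat", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder body, never executed
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("setuid files:", [p for p, _ in find_suid(demo)])
    print("shell-capable:", risky_suid(demo))
```

On a real host run find_suid("/") and review every entry that is not a stock system binary; the fix for the case in this writeup is to clear the bit with chmod u-s or install a build without the interactive mode. The owner uid is returned alongside each path because only setuid-root files give root, but a setuid file owned by any service account still deserves a look.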

Thank you for playing 🙂


About Mohamad Ardiansyah