Mr. Robot Walkthrough (Vulnhub)

Jiren
4 min read, Nov 23, 2020

Details of the machine from Vulnhub

  • Based on the show “Mr. Robot.”
  • This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
  • The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Walkthrough

As always, we will start with Nmap to scan for open ports and services. With just two ports open, we will take a look at what's on the web server.

The web server and its source code didn't reveal a lot. So, I decided to run gobuster to look for hidden directories.

We get a ton of results.

In the directory /robots, we saw a key and a file called fsocity.dic. It looks like a word list, which could be very useful to us later on.

We also get the first key.

The gobuster results also include directories called wp-login and wp-content, so the website is powered by WordPress. We'll use wpscan to enumerate the site.

We ran wpscan to see if we could find any hidden usernames or plugins to exploit. Sadly, it couldn't find anything that would help us.

The login page tells us whether or not we have entered a valid username. Trying the username admin, it tells us we have entered an incorrect username.

We try different usernames, and since this machine has a Mr. Robot theme, I tried the username Elliot. We can see that the user is valid, so we just have to crack the password.

Since we have a list of candidate passwords in fsocity.dic, we will use wpscan to crack the password for us.

The syntax I used was: wpscan --url https://192.168.1.164:12380/wp-login/ -U elliot -P fsocity.dic --password-attack wp-login

It cracks the password successfully: ER28-0652. We can finally log on to the site.
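From the defender's side, the password attack above leaves a very recognisable trace: a burst of POST requests to the WordPress login page from one source. The following script is an added example, not part of the original walkthrough, that flags that pattern in Apache-style access logs by counting login POSTs per source IP over a sliding time window. The log lines, IP addresses, window and threshold are constructed assumptions.

```python
# Added example (not from the original walkthrough): detect WordPress login
# brute-force attempts in Apache combined-format access logs.
# Sample log lines, IPs, timestamps and thresholds below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))

def find_login_bruteforce(lines, window_seconds=60, threshold=20):
    """Return {ip: peak_count} for source IPs that POST to the WordPress login
    page more than `threshold` times within any `window_seconds` window.
    Status codes are deliberately ignored: WordPress answers a failed login
    with HTTP 200, not 401. Assumes lines are in chronological order per IP."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Matches both /wp-login.php and the /wp-login/ path seen in the scan.
        if method != "POST" or not path.startswith("/wp-login"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop POSTs that fell out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: 25 login POSTs in 25 seconds from one IP, one legitimate
# login from another, an unrelated GET, and a line that does not parse.
SAMPLE_LOG = [
    f'203.0.113.7 - - [23/Nov/2020:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
    for s in range(25)
] + [
    '198.51.100.5 - - [23/Nov/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Nov/2020:10:00:30 +0000] "GET /robots.txt HTTP/1.1" 200 41',
    'garbage line that does not parse',
]
```

Running `find_login_bruteforce(SAMPLE_LOG)` reports only 203.0.113.7 with a peak of 25 POSTs in the window; tune the window and threshold to your site's normal login rate.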

The user elliot has administrative access on the WordPress site. On the site, we can create a plugin. We will upload a PHP plugin and make it connect back to us.

We now have a shell!

In the home directory, we see the second key. However, we can't read it until we become the user robot.

There is also a password file. Using hash-identifier, we can see it's an MD5 hash. Using an online tool, we crack the password successfully and switch users to robot.

Having done this, we can also read the second key.

ROOT

Once we had the user robot, it was time for root. Running LinEnum, we saw that Nmap is among the SUID binaries.

Looking at GTFOBins, we can see how to exploit this.

Source: https://gtfobins.github.io/gtfobins/nmap/

Earlier versions of Nmap had an interactive mode, which allowed the execution of shell commands within the interactive mode.

First, we have to invoke Nmap in interactive mode using nmap --interactive.

By doing this we can execute shell commands from within Nmap. !sh will give us root access.

Having done this, we got root and were able to read the third and final key!
