Download location: https://download.vulnhub.com/mrrobot/mrRobot.ova
Goal: Find 3 keys hidden in different locations
The VM loaded up without an issue and grabbed an IP from DHCP.
I started off with a quick nmap scan, which showed both port 80 and 443 open.
Browsing to both I was greeted with an interactive page which seems to be a clone of https://www.whoismrrobot.com. Really cool added effects.
I went through each of the prompts to make sure there was no command injection before firing up Burp and browsing around/spidering.
The robots.txt file presented me with a dictionary file (perhaps alluding to some sort of brute-forcing_ as well as a key file containing an MD5 hash).
I saved both files down locally and my initial thoughts were confirmed, a custom dictionary file with over 850K lines.
I also had the first of the 3 keys mentioned in the readme. 1 down, 2 to go!
Some more poking around with Burp and I came across a WordPress login page. Since SSH was not enabled this seemed to be a good candidate for brute forcing.
When the default ‘admin’ username came back as invalid, I was able to guess the user thanks to WordPress’ convenient built-in username enumeration.
Below is the result for ‘admin’ as the username, showing “ERROR: Invalid username”:
Conversely, when I tried ‘elliot’ I was greeted with “ERROR: The password you entered for the username Elliot is incorrect”. Awesome, half way there!
I decided to run WPScan to both search for any WordPress misconfigurations and/or vulnerable plugins as well for its brute forcing function. I kicked off the scan with the username ‘elliot’ and the ‘fsocity.dic’ dictionary as the wordlist. While that ran, I kept poking around the site.
I didn’t find much else, aside from some trolls hanging around. Several references to the show.
A few hours later (3 hours 30 minutes 48 seconds to be exact)… I was presented with a positive result which I am glad I did not wait around for.
In retrospect, had I looked at the dictionary file more closely (doh) I would have noticed it is mostly duplicates (nice troll Jason!). Sorting and removing the duplicates leaves us with a very few entries.
The password was Elliot’s employee ID number from the show. Once logged in I poked around the admin console for a bit and did not turn up anything of note.
A quick win when you have direct access to a WordPress admin console is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme and replacing the contents with the PHP reverse shell from Pentest Monkey.
Browsing to http://192.168.110.153/wp-content/themes/twentytwelve/404.php gave me a hit on my listener. And we’re in!
Checking around the file system a bit I could see there was another user named ‘robot’. This user’s home directory held the second key file which I could not read…yet.
I was also presented with the MD5 of the user’s password, which I could read.
I threw the MD5 into John and got a quick result.
Using this password I was able to su to the user ‘robot’ and form here I was able to read the second key file.
2 down! 1 to go.
Digging around the file system as ‘robot’ I could see an FTP client running on local host which could possibly be leveraged as another route. However, I focused my attention on old version of nmap owned by root with the SUID bit set. Using the “--interactive” switch I was able to run commands as root.
Using this method I was able to grab the third key file.
I first attempted to throw myself a reverse shell with netcat however even though I could run commands as root the reverse shell still connected back in the context of the user ‘robot’.
I went for broke and added the user ‘robot’ to the sudoers.
Now that worked!
Now I was root and dug around a bit to see what was going on with the nmap interactive shell.
This was a fun VM and a welcome break from other things. Thanks to the author, Jason, for putting it together and as always thanks to g0tmi1k and the #vulnhub team for hosting and keeping this awesome community going. Looking forward to the next one!
Key locations:
| Key # | Location | MD5 |
|---|---|---|
| 1 | Web root | 073403c8a58a1f80d943455fb30724b9 |
| 2 | Robot’s home directory | 822c73956184f694993bede3eb39f959 |
| 3 | Root’s home directory | 04787ddef27c3dee1ee161b21670b4e4 |