MR-ROBOT
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Mr-Robot.
- According to the description provided by the authors of Mr-Robot there are 3 keys or flags to be found:
- Mr-Robot can be downloaded from here:
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Using netdiscover to find the IP that corresponds to the vulnerable machine Mr-Robot:
- Scanning with Nmap:
- Scanning with nikto we find a lot of information:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzRydzrRVsXLzUdq07CVExQDRNs80srAqQPM9hCD0QrMswSAQuKWiz3w6mJsZO2kvtIrVnRa56iUXPR4XPNx6-W6EpSLykeiS5Cd8Gndn-cJH4a9HyI1ck0UiLk95eh-XgyzBAE7NDDIxT/s1600/screenshot.7.jpg)
- After reading the nikto output we learn that a WordPress site is running with a login PHP script, along with some other pages worth studying.
- Connecting to the website:
- Checking the wp-login.php page:
- When trying to connect to the admin page it hangs:
- Visiting wp-links-opml.php we learn that the website is running the version WordPress/4.3.16, which is outdated:
3 - EXPLOITATION
3.1 - robots.txt
- Also, robots.txt gives us key information to start the exploitation process:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqLykXkLtSoQQVH_ft1wq4EgkSyArd5tjnKnILHn8K3yhQ5NRDOtzA9YyQgaU5mjhL49HwT5aN92YiSqxmUYhpn6kO7LfzQawkWU7P0gvCPU4I3m9XhqTN6DUVqVrjM7U6Oa6Aui7LRy1w/s400/screenshot.12.jpg)
- Opening key-1-of-3.txt we find the 1st key:
3.2 - Dictionary fsocity.dic
- Opening it with cat we find a very long text file made of many lines that look like part of a dictionary:
......
- Counting the lines gives 858160, so this is clearly a very large file to handle:
- How many of the 858160 lines are unique? Just 11451, so removing the repeated lines would make it easier to deal with the file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijE-0iD5wW_RWW7INW8kmU9lkg5sUZlQpTISJ6CJ1QTs0_WxMzvCzTTfqPidxRDnXtWi5oLAPkoaKUlHcxoMqnUzzSOFrBrD_QXGQ9u9dr9uYa4znbms-PSeXsepZ8XxZb_aRYORglPKJW/s1600/screenshot.21.jpg)
- Let's create a new file ufsocity.dic that contains only the non-repeated lines of the original text file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmbBsQwbRdOv9dExLJnlpYV2WnOLeQ7L_9mIVDA3He68A8u2nHqVtobMIi2RSpC3ZbHZKH3sdBGz-KPqPpVBIB8pqQBpVepzwRJxeJlxdJ7NGA4py5gtltOl-2IhqAS2fGbeCxUfuyWIeG/s1600/screenshot.22.jpg)
- Now, the file ufsocity.dic can be used for exploitation purposes as a brute force dictionary or wordlist.
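- The deduplication step above, as an added example that is not part of the original write-up: unlike `sort -u`, it keeps the first-seen order of the words (so any ranking the list author used survives), tolerates CRLF line endings and reports the line counts. The sample list is constructed and stands in for fsocity.dic.

```python
"""Deduplicate a wordlist such as fsocity.dic, keeping first-seen order.

sort -u also removes duplicates but reorders the list alphabetically; keeping
the original order preserves whatever ranking the list author used.
"""
from collections import Counter
from pathlib import Path


def dedup_wordlist(lines):
    """Return (unique_words_in_order, non_blank_line_count, unique_count)."""
    seen = set()
    unique = []
    total = 0
    for raw in lines:
        word = raw.rstrip("\r\n")  # tolerate CRLF wordlists
        if not word:               # skip blank lines
            continue
        total += 1
        if word not in seen:
            seen.add(word)
            unique.append(word)
    return unique, total, len(unique)


def dedup_file(src, dst):
    """Read src, write the deduplicated list to dst, return (total, unique)."""
    with open(src, encoding="utf-8", errors="replace") as fh:
        unique, total, n_unique = dedup_wordlist(fh)
    Path(dst).write_text("\n".join(unique) + "\n", encoding="utf-8")
    return total, n_unique


def most_repeated(lines, top=3):
    """Most frequent entries in the raw list; repetition often marks useful words."""
    counts = Counter(w.rstrip("\r\n") for w in lines if w.strip())
    return counts.most_common(top)


# Constructed sample standing in for fsocity.dic (the real file has 858160 lines).
SAMPLE = ["true\n", "false\n", "wikia\n", "from\n", "true\n", "the\n",
          "now\n", "Wikia\n", "extensions\n", "true\n", "from\n", "\n"]

if __name__ == "__main__":
    words, total, n_unique = dedup_wordlist(SAMPLE)
    print(f"{total} lines, {n_unique} unique")
    print(words)
```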
3.3 - Dictionary attack with Hydra
- Hydra and ufsocity.dic help to perform a dictionary attack against the login page.
- Before launching the attack let's see what error message the login page uses, for instance with the invalid credentials admin:admin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqZ_XNRwZ0LUklObcuL5DKItpb3D-4ZdVm_zGJ3lN_UD7s1fowKH0oBrZD_uE9nsQYKMUq06i6UD_-ntt1i1U6GajsF1o4EcRcA5Wl54G49q-0cz3sNovneUAd7xWdl4WNEDTXuwsz_JaR/s320/screenshot.35.jpg)
- As expected there is an error message Invalid username:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0GuMHkD5chXeokRWDDxY0O1HDIAve2QvLJcONDFlGvClsSvKm_YfwqsU5r86-axSKv-wAjZdrbp_G-iCqVPLeLpjeXKKW28-MQmfyM9aHiuyDKfbKyXOQmzT3QtpiyMfxWXVlJRnIFoNi/s320/screenshot.36.jpg)
- Using this information (F=Invalid username) let's find a username without caring for the password (-p wedontcare):
- The error message confirms that elliot is correct as a username:
- Launching again Hydra, now passing the user elliot (-l elliot), we discover a password ER28-0652:
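- From the defender's side, the Hydra runs above leave a burst of POST requests to wp-login.php from one source in the web server log. The following added example (not part of the original write-up) parses Apache combined-format lines and flags any source that exceeds a threshold of login POSTs inside a sliding time window; the log lines, threshold and window are constructed assumptions.

```python
"""Detect a Hydra-style dictionary attack on wp-login.php in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return ip/time/method/path/status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=10, window=60):
    """Return {ip: attempts} for sources with more than `threshold` POSTs to
    wp-login.php inside any `window` seconds. Status is ignored on purpose:
    WordPress answers a failed login with 200 and the text Hydra matches on."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, sec, method="POST", path="/wp-login.php", status=200):
    # Builds one constructed Apache combined-format line for the sample below.
    return (f'{ip} - - [10/Oct/2023:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 3427 "-" "Mozilla/5.0"')

# Constructed sample: 12 rapid POSTs from one source, 2 from another, one GET.
SAMPLE_LOG = ([_line("192.0.2.10", s) for s in range(12)]
              + [_line("192.0.2.20", 30), _line("192.0.2.20", 45), _line("192.0.2.30", 50, "GET")])
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 192.0.2.10; lowering the threshold or widening the window trades false positives for sensitivity.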
3.4 - Reverse shell with Metasploit
- Taking advantage of the fact that we have valid credentials, we can try to get a reverse shell with Metasploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2K1SKKCCkjCUoe7COOfnv5OCDYoozX6McHRdtCPFbFESJsOGjOlhame2tjTk5NwBp77IfkJMQWY7qKf4xt3k0djsEbIdTte7MTgkXtIKms-t4yvVNZpSqzEMmitQ09Qd79_4iwEM87Dtv/s400/screenshot.43.jpg)
- Running the exploit fails, giving this error message: "The target does not appear to be using WordPress":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaSiZ_R8BDGa2B9i_kUzgvv22ihKL8uCFxi_u3d4-LMoCwBsYEIM3QKTVzVhi7AjxP0VYGquRDwfY2lmICKXvzHeruBlZZweOmGSRqobPBIX1kMZcn-D0_n6bXT6cAzuwrSXI_YZfEA3WJ/s1600/screenshot.49.jpg)
- Locating the exploit in Kali's file system:
- Once modified and reloaded, the exploit is successful:
- Getting a shell from the meterpreter session we find that a limited user is running:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVweKVXcilinL6xRY5dwhWl5bY68y2pp11T2MegFze2DNf2_mjior9Amh3D6LeNqmQs6DDat_5KOmPqk2FeybFPuk-USnQLxWAvqCwDUbH31v-vHyr0j8OoNPx5UC3AYGgr4Z6QbJwl0Of/s1600/screenshot.56.jpg)
3.5 - Finding the second key
- Opening /home:
- At the robot user's home folder there is the 2nd key, but we cannot open it at this moment:
- Trying to log in as the user robot with the previous password, it works:
- There is a vulnerability associated with Nmap being run with special privileges such as SUID root:
- Due to the SUID bit, using Nmap's interactive mode we are able to run commands with root privileges:
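- The escalation above works only because nmap carries the SUID bit and is owned by root, which is a misconfiguration an administrator can find with a file-system audit. The following added example (not part of the original write-up) walks a tree, reports every SUID file and flags the SUID-root ones whose name is on an assumed, illustrative list of binaries known to hand out a shell.

```python
"""Audit SUID binaries and flag the ones that are known privilege-escalation
paths when owned by root (nmap's interactive mode is the case above)."""
import os
import stat

# Names whose SUID-root copy is a known path to a root shell. Assumed,
# illustrative list for this example; it is not a complete catalogue.
RISKY_NAMES = {"nmap", "bash", "sh", "dash", "vim", "vi", "find", "less", "more",
               "python", "python3", "perl", "awk", "env"}


def classify(mode, uid, name, risky=RISKY_NAMES):
    """Return 'suid-root-risky', 'suid', or None for one file's mode/owner/name."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return None
    if uid == 0 and os.path.basename(name) in risky:
        return "suid-root-risky"
    return "suid"


def audit_suid(root, risky=RISKY_NAMES):
    """Walk root and return sorted (path, uid, verdict) for every SUID file.
    Symlinks are not followed (lstat), so a link cannot hide the real binary."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # unreadable or vanished entry: skip it
                continue
            verdict = classify(st.st_mode, st.st_uid, name, risky)
            if verdict:
                report.append((path, st.st_uid, verdict))
    return sorted(report)


if __name__ == "__main__":
    # Audit the usual binary locations; a 'suid-root-risky' line such as
    # /usr/local/bin/nmap is the finding that corresponds to this machine.
    for path, uid, verdict in audit_suid("/usr"):
        print(f"{verdict:16} uid={uid:<5} {path}")
```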