Mr Robot
- Shone Pious
- Aug 2, 2023
- 5 min read
Updated: Oct 7, 2023

In this blog:
Try the machine yourself here ➡️ https://tryhackme.com/room/mrrobot
Connecting to OpenVPN
I'm going to first connect to the OpenVPN network for this box from my Kali Linux machine.
Click the access link and select your closest region for the VPN (for a faster, reliable connection). Once the configuration file has been downloaded, go to the terminal and type ➡️
sudo openvpn path/to/ovpnfile.txt
You should now be connected to the VPN and be able to access the target IP address.
Back in the TryHackMe room, click start attackbox. Once the target IP address becomes available, copy it.
NMAP
I will start by scanning the IP address for any open ports. Type ➡️
sudo nmap -sV -Pn [IP address]

We see that TCP port 443 is open and is hosting an Apache-based website. We can visit this through the browser.
We get this interactive website ➡️

Checking the source page doesn’t seem to show anything. I’ll try robots.txt.

In the search bar, type ➡️
[IP address]/robots.txt

This is the output when you search. robots.txt lists the folders and files that the creator of the website didn't want web crawlers to index.
Maybe if we type IP address/fsocity.dic into the browser we could get something. Doing so downloads a file. We can cat the file from the terminal.

Since I got nothing of importance from this file, I will instead search IP address/key-1-of-3.txt. This gives me the first flag.

DIRB
Going back to the fsocity.dic file, I used it with DIRB to find other directories on the website.

Following the readme link I get this page ➡️

But then following the login page, I get to this site ➡️

We could possibly use Burp or hydra to find the password for this.
Foxy Proxy / Burp Suite
I will use hydra to try and brute force the login page. Before I use hydra, I will install the FoxyProxy browser extension and configure it for Burp Suite so that I can capture POST requests.
Once installed, I will add a proxy on port 8080. The proxy IP address will be 127.0.0.1 – the local loopback address.

I will type in random credentials after turning intercept on in Burp Suite.
The developer of this site has unintentionally allowed us to see the exact error message returned when a login attempt fails: WordPress answers "Invalid username" when the username does not exist, which lets an attacker confirm which usernames are valid.
This is a critical vulnerability that we can take advantage of.
We can paste that error string at the end of the hydra command so that hydra knows, whenever it comes across this message, that the login has failed.

Checking the Proxy tab in Burp Suite shows this output now. Look in particular at the last line.

This is how the username and password are POSTed across the network.
Hydra
I will now use hydra from the terminal to try and brute force the login page.

We get the username Elliot.
We can now replace
-L fsocity.dic -p test
with
-l Elliot -P fsocity.dic
and replace
: Invalid username
with
:The password you have entered for the username
as this is the new error message, to brute force the password.
Note this will take a long time, and I have used -t 30, which runs 30 tasks in parallel per target.
Checking the line count in fsocity.dic, there are a lot of lines – 858160 to be exact. So, this Hydra command will take some time.
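Hydra's guesses against wp-login.php leave an obvious trace in the web server's access log: a burst of POSTs from one source, answered with HTTP 200 (the error page) until one is accepted with a 302 redirect, and with -t 30 the burst is thirty requests at a time. The detector below is an added example written for this post, not part of the original or of hydra; it parses Apache combined-format lines (constructed sample lines included, not real captured traffic) and flags any source exceeding a threshold of POSTs to wp-login.php within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-format line; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if the line doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def detect_wp_login_bruteforce(lines, threshold=20, window_s=60):
    """Flag IPs with more than `threshold` POSTs to wp-login.php in any `window_s`
    seconds. WordPress answers a failed login with 200 and the error page, and a
    successful one with a 302 redirect, so a 302 inside the burst is the worst case."""
    posts = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e[2] == "POST" and e[3].startswith("/wp-login.php"):
            posts[e[0]].append((e[1], e[4]))
    alerts = {}
    for ip, ev in posts.items():
        ev.sort()
        start, peak = 0, 0
        for end in range(len(ev)):           # sliding window over sorted timestamps
            while (ev[end][0] - ev[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = {"peak": peak, "success_seen": any(s == 302 for _, s in ev)}
    return alerts

def sample_log():
    """Constructed log: 25 hydra-style POSTs in 25 s from one IP (last one accepted), plus a benign GET."""
    t0 = datetime(2023, 8, 2, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        status = 302 if i == 24 else 200
        lines.append(f'10.0.0.5 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3985 "-" "Mozilla/4.0 (Hydra)"')
    lines.append(f'192.0.2.9 - - [{t0.strftime(TS_FMT)}] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(detect_wp_login_bruteforce(sample_log()))
```

Feed it the real access log with `detect_wp_login_bruteforce(open("/var/log/apache2/access.log"))` and tune the threshold to the site's normal login rate.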

My machine timed out so I will start a new session and try it with the new target IP address.
WPScan
I am going to use wpscan, a security scanner dedicated to WordPress sites that also supports brute forcing logins. I will update its database first.

We finally have the username and password combination. This process took a lot of time as it had to work through 858160 candidate passwords.
I found some passwords that were not working and created a new file with the revised password list and used that instead, as it sped up the brute-force attack by quite a bit.

PHP reverse shell
Once we are logged in, we see the WordPress dashboard. Since we have logged in as a privileged user, we can see and edit certain pages on the website as we please.
Clicking on Appearance → Editor shows us a list of the pages on the user’s site that we can modify.

We can use a PHP reverse shell script to gain access to the server by copying the script and pasting it into the code of an existing theme page, such as the 404 error template. Once that page is opened, we get a reverse shell.
Go to https://github.com/pentestmonkey/php-reverse-shell and click php-reverse-shell.php for the script.

Click raw to view the raw code and copy it.

Now paste it into the code section for the 404 Error template.

Scroll down to where it says // CHANGE THIS.

Change the IP to your machine's IP and change the port to whatever port you want to listen on. I will use netcat in the next screenshot to listen on port 53, as this is the DNS port and is rarely closed or obstructed by the outbound firewall – basically a reliable port to listen on.

Change the details as necessary and click update.
When trying to listen on port 53, I see that it's being used by another process. So by typing fuser -n tcp 53, I can see that it is PID 714. By typing ls /proc, I can see all processes, including 714.

Trying again with a reset machine allows me to gain a shell connection with the machine.

Listing the directory allows us to find the robot directory, in which we find key-2-of-3.txt. When we cat it out, we don't have permission to view it.

Typing ls -all shows that the key-2-of-3.txt can only be read and written to by the robot user, and if I type whoami, it says that I am currently working under the daemon user.

Hash-Identifier
Typing cat password.raw-md5 gives us this hash ➡️

Now, the filename says md5 so we know what the hash is, but sometimes we won't know which hash algorithm is being used, so we can use tools such as hash-identifier on Linux.
As we can see, hash-identifier reports an MD5 hash.

Now, to crack it, I will go to CrackStation and see if it can do anything for me. (A hash can't be decrypted; CrackStation looks it up in a precomputed table of hashes of known passwords.)

The recovered password for the robot user is just the alphabet. The length of the password is actually decent, but the complexity is lacking, so it wouldn't be recommended, as simple dictionary attacks can crack such passwords fairly quickly.
When I try to switch users to root by typing su, it tells me that it must be run from a terminal as the command can’t be run from a terminal that isn’t interactive.

I will run the python pty command to spawn an interactive bash shell, after which su can be fooled into thinking we are using a native interactive terminal.

Typing cat key-2-of-3.txt gives us the second flag.

Privilege Escalation with SUID binary
We now need to escalate our privileges to the root user to find the third flag.
Typing the command
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
gives us all the SUID binaries on the system. I will now use GTFOBins to see if any of these stand out as providing an interactive shell.

For example, typing 'su' (for sudo) into the GTFOBins search gives us this ➡️

According to the definition, it has only one function, which is to access the file system and escalate privileges.
Nmap is the only binary in our SUID list that GTFOBins lists for privilege escalation.

I will type the highlighted commands into the terminal to get an interactive shell running as root.

We can go into the root directory and find the third key. If I type cat key-3-of-3.txt, I will be given the third and final key.

Quite useful, thanks!
Looks good
Very helpful.