As always, I'm a Dad with a full time job and other tasks to do during the day. You'll likely notice IP's being different and consoles from different systems. This is because I get interrupted quite often and have to try and get this done here and there when I can.Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Credit to Leon Johnson for creating this machine. This machine is used here with the explicit permission of the creator <3
From the nmap scan we an see two open ports and a closed ssh port. It looks to be an Apache server on a linux host. Using a web browser we see the below. Playing around with the commands, we see some Mr. Robot stuff. The only thing of interest is it has an option that asks for an email address if you join... RCE?. Nothing else Peaks my interest though.
Using curl however...
We can see there's some points of interests here... the very odd feeling that I'm seeing a message from another me...
First, let's gobuster to see if we're missing anything else. I've snipped out items that are no interest but kept ones of interest.
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
/sitemap (Status: 200) [Size: 0]
/intro (Status: 200) [Size: 516314]
/wp-login (Status: 200) [Size: 2599]
/license (Status: 200) [Size: 309]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/phpmyadmin (Status: 403) [Size: 94]
While that's running I'm going to go check out that log.history file. From the output (snipped), it looks like there's a wordpress blog here. We can see it's version 4.3.1. If all else fails... we could try metasploit for something.
<script type='text/javascript' src='http://10.10.44.134/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
<style type="text/css" id="custom-background-css">
body.custom-background { background-image: url('http://172.16.58.187/wp-content/uploads/2015/11/maxresdefault-1.jpg'); background-repeat: no-repeat; background-position: top center; background-attachment: scroll; }
</style>
So together with the file and the gobuster we have a wordpress site in the background and we have some login areas to check out. Still digging through the gobuster list I find the robots file:
User-agent: *
fsocity.dic
key-1-of-3.txtOf course I download the key first:
073403c8a58a1f80d943455fb30724b9
I also download the fsocity.dic file... this looks t be a dictionary file... maybe a password list? Let's pop open burpsuite and see if we can leverage this file with the wp-login page we found with goboster. We know WP uses 'admin' as the default username.
We'll capture a login attempt and send this to intruder.
We're going to be using a sniper attack, clear our variables and set our own around the username field.
Under the payloads tab, we're going to load that dic file to process It's a REALLY big file so it's gonna take a while to load. We run the attack and wait.
Almost right away we can see a good username, if we sort it by length. Notice the name with the length of 4156 below.
We can probably stop it - BS is kinda slow so it might take a bit to get through all 858000 lines of that document... let's change up our payload location to now cover for the password, making sure we have the username changed to Elliot.
Now.... I went to get something to eat, have a coffee and watch a few episodes of Rick and Morty. BS is super slow... might be a better idea to use something like Hydra if you want it done fast... which is exactly what I did after waiting an hour for this thing to get through that many lines. We'll use this as a how to: https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/
As a note here, if you're following along as you do this - skip the hydra test - I ended up finding a better way in but I'm going to keep this here for a bit of knowledge for me to look back on if I ever need it.I'm not going to go back and re-do the username for this but we will pop a fake password in there to see what sort of error comes back.
We see a POST with some error about the password being wrong - perfect. We also know the data it's sending from Burp, but we can grab it from the headers on the page by visiting the network tab. We'll be using this:
log=Elliot&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.183.255%2Fwp-admin%2F&testcookie=1We'll need to modify this to put a variable in the place where the username and password is so we'll modify that data to be this:
log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.183.255%2Fwp-admin%2F&testcookie=1We'll grab the error message while we're at it. We'll be using this:
The password you entered for the username Now using the site's example, we'll piece it all together like this:
sudo hydra -l Elliot -P fsocity.dic 10.10.183.255 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 64-l is our username, -P is the dictionary file we found, the IP of the site, that we're sending a post request to a specified .php file. The data we're sending (using variables for userame and password) and then watch out for this error. The last part -t is the threads we're using. This is a HUGE file so we'll need it.
in fact, we might have to run this a few times since the machine will likely time out. What I would do is let it run and keep track of how many lines it's been through in the file. For example, here you can see it's been through 46383 lines...
obviously I don't want to start again and re-do those lies so we'll modify the file for the next run with the below command.
sed -i '1,46383d' fsocity.dicthis will delete lines 1-46383 of the fsocity.dic file. While I continue to wait for this thing (yes I"m on day three of my usual 2 hour window to play with this stuff). I went through some of the walkthroughs, thinking there must be something I'm missing on the size of this file... turns out I missed a whole different clue!
OK this is how I actually got in. It's less sexy but it just goes to show, pay better attention when looking around. Maybe do a view source or somethingIf you visit the license site and scroll down there's a code at the bottom. Turns out that code is a base64 version of the username and password. DOH!!!
Since we're now logged into the wordpress admin area, let's get a reverse shell uploaded. We'll use the pentest monkey php reverse shell: https://github.com/pentestmonkey/php-reverse-shell don't forget to change the IP to your attack box IP.
We can't upload a php file directly so we're going to go to themes and edit one of the theme files. We'll pick the header.php file and add our PHP from the file we got to this file.
Now, when we go to any of the pages on this wordpress site, it'll launch. Create a new page and save it. start a netcat listener then go to the page. Bam, reverse shell. If you're having issues, be sure to remove the <php, ?> tags
We can find the next key in the users folder... but we don't have permission. There's another file there with a password though... it's an MD5 hash.
We did a quick hashcat on this. It didn't work with the fsocity.dic file but we got a match with rockyou
Unfortunately we can't SU to the other user... we'll have to upgrade our shell. We're going to use this page for help: https://patchthenet.com/blog/linux-privilege-escalation-three-easy-ways-to-get-a-root-shell/
We'll type this to find SUID bits on binaries.
find / -type f -perm -u=s 2>/dev/null
We're going to use https://gtfobins.github.io/ to go through each of these found. The first one is mount but I'm getting this:
no tty present and no askpass program specifiedUsing this page: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ we can get help to upgrade our shell with TTY.
python -c 'import pty; pty.spawn("/bin/bash")'OK. well now that we have a full TTY shell I can SU into the new robot user! We can now get that file
OK. going back to the GTFOBins lookup - let's try that list again and see if we can find something we don't have to use sudo for. Looks like NMAP might be a good try:
nmap --interactive
nmap> !sh
Hot Dog! We're in as root! Now we can get that final key.
