Mr-Robot: 1. Vulnhub’s VM Walkthrough


Hi people,
I managed to fork out some time to do the latest few VMs on Vulnhub.

Let’s go!

As written in the description, the objective of Mr-Robot: 1 is to find 3 keys.
We will proceed to discover the content of the 3 keys in this VM challenge.

Starting off my enumeration with nmap… (all 65535 TCP ports)

[image: nmap-results.png]

Nice. I like it when the attack vector is straight-forward.

Following up with --script=http-enum on both ports 80 and 443.

[image: nmap-httpenum-results.png]

Interesting.

The robots.txt entries consist of the first key, as well as a dictionary file.
(word-list = brute-force)

*** FIRST DISCOVERED KEY ***

[image: robots-txt-key1.png]

I downloaded the dictionary word-list as well to my machine.

Next, I ran WPScan on it.

(--enumerate u)

[image: wpscan-enumerated-users.png]

Okay, time to make use of the downloaded dictionary file. (common sense)

[image: wpscan-mich-pw.png]

Mich05654's credentials were discovered. I then logged in as him on the WordPress site. It appears that he is only a normal user (unable to edit and backdoor PHP pages).

[image: logged-in-wp-mich.png]

Next, I attempted a brute-force attack on the second user, Elliot.
I gave up after 28 minutes of waiting. (while YouTube-ing)
Something is not right…

[image: elliot-fucking-long-bf.png]

It appears that the downloaded word-list is quite huge and contains duplicate entries… (f*cking troll)

I then created a uniq-fsocity.txt which should only contain unique entries.

[image: something-not-right.png]

BOOM. 1 minute 15 seconds, job done.

[image: elliot-bruteforced.png]
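A brute-force run like the one above leaves a dense trail of POST requests to wp-login.php in the web server's access log. As an added example that is not part of the original post, the Python below flags source IPs whose failed-login volume within a sliding window exceeds a threshold; the log lines are constructed, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def detect_wp_bruteforce(lines, window_s=60, threshold=20):
    """Return {ip: peak_failed_logins_in_window} for IPs at or above threshold.

    A POST to /wp-login.php answered with HTTP 200 is counted as a failed login:
    WordPress re-renders the form on failure and redirects (302) on success.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failed logins in the window
    flagged = {}
    for line in lines:
        e = parse(line)
        if (not e or e["method"] != "POST"
                or not e["path"].startswith("/wp-login.php") or e["status"] != 200):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def _line(ip, second, status, ua="WPScan v3.8"):
    """Build a constructed sample log line (one POST to wp-login.php)."""
    return (f'{ip} - - [12/Mar/2024:10:00:{second:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 3456 "-" "{ua}"')


# Constructed sample: 25 failed logins from one IP in 25 seconds, plus a legitimate user.
SAMPLE_LOG = [_line("10.0.0.5", s, 200) for s in range(25)] + [
    _line("10.0.0.9", 5, 200, "Mozilla/5.0"),
    _line("10.0.0.9", 40, 302, "Mozilla/5.0"),
    '10.0.0.9 - - [12/Mar/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect_wp_bruteforce(SAMPLE_LOG))  # {'10.0.0.5': 25}
```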

Next, I logged in as Elliot on the WordPress site. Elliot is the administrator of the WordPress site, so I am now able to edit whatever I want. (PHP reverse shell~)

[image: logged-in-wp-elliot.png]

Time to roll~
I went on to grab a copy of php-reverse-shell, conveniently located in the /usr/share/webshells/php directory.
I edited 404.php to contain our reverse shell, and boom. We're in.

[image: setting-up-reverse-shell.png]

Remember to set up a listener first!

[image: reverse-shell-success.png]

Focusing on the objective… (3 keys)
Our second key is located in the home directory of the user Robot.

[image: key2-location.png]

Let's recursively list what we've got in /home.

[image: discovered-robot-pw.png]

Wtf???

[image: cracking-md5-hash.png]

Nice password, Robot.

*** SECOND DISCOVERED KEY ***

[image: su-robot-success-key2.png]

One more key to go.
Obviously the final key should be in the /root directory. I am unable to verify that though, since I don't have the privileges to read /root.

Let’s proceed to escalate our privilege to root!

[image: find-sticky-bit-nmap-jackpot.png]

Hah??? The moment I spotted the entry /usr/local/bin/nmap I knew I was golden.
(I escalated my privilege before, using this path in my OSCP lab)

[image: interactive-nmap-privesc.png]

Boom. Ez.

*** THIRD DISCOVERED KEY ***

[image: key-3of3-root-gg.png]

Heheh. That's about all, folks!

Since the objective for this VM was to discover all 3 keys, I did not bother to try other ways of privilege escalation.

Stay safe~

-9emin1