Thursday, 30 June 2016

Mr Robot v1 challenge

Hello all,

First of all I would like to thank you for visiting my blog.

Based on the show Mr. Robot, this VM has three keys hidden in different locations. Our goal is to find all three; each key is progressively harder to find.

Scanning phase
Of course with version detection and aggressive mode, across all ports.

OK, we see that our target is not complex, but I can't say that it is easy :-)
Ports 443 and 80 probably both host the same web application.

Hmmm, very interesting, isn't it? I tried each of these commands, but they gave me only videos and pictures.
I tried opening the robots.txt file.

Very good! Nice shot! Let's open the key-1-of-3.txt file.

OK, we have retrieved one of the three keys.
Let's run dirb

This is not the full list of dirb's findings; it also found directories such as wp-content, wp-login, etc.
So we know that the target's CMS is WordPress, but we don't know which version. I also found a readme.html file.

Excellent! Now we know which version of WordPress is running. I looked for an exploit, but without success. Let's come back to our robots.txt file. Besides the key file, we can see a fsocity.dic file.
I downloaded it; it is something like a dictionary. The file is large, so I decided to remove the duplicate entries (sort -u does in one step what sort | uniq does in two):
sort -u fsocity.dic > n_fsocity.dic
Good! We have prepared the dictionary. We know that the admin panel is located at the wp-login path.

OK! But we know neither the username nor the password. Brute-forcing both would take too much time. We can enumerate usernames using the forgotten-password form and/or wpscan.

Great! We know two users; let's try to brute-force both via wpscan.
[Brute-forcing....] BINGO!
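From the defender's side, a wpscan run like the one above is loud: every guess is a POST to /wp-login.php, and a web server access log records all of them. The following is an added example, not code from the write-up, showing the detection logic a practitioner would run over such a log. WordPress re-renders the login form with HTTP 200 when a login fails and answers a successful login with a 302 redirect, so a burst of 200s to POST /wp-login.php from one client, followed by a 302, is exactly the pattern the write-up produces. The log lines, IP addresses, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format parser: client IP, timestamp, request line and status are
# all we need; the POST body (and therefore the username tried) is never logged.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict for a well-formed access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?action=... and friends
        "status": int(m["status"]),
    }

def detect_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per client IP.

    A 200 to a POST on /wp-login.php is a failed login (form re-rendered),
    a 302 is a successful one (redirect to the dashboard).
    """
    events = [e for e in map(parse_line, lines) if e]
    failures = defaultdict(deque)      # ip -> timestamps of recent failed POSTs
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] != "POST" or e["path"] != "/wp-login.php":
            continue
        recent = failures[e["ip"]]
        if e["status"] == 200:
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append((e["ip"], "login-bruteforce", len(recent)))
        elif e["status"] == 302 and e["ip"] in flagged:
            # A redirect right after a burst of failures is the event worth paging on.
            alerts.append((e["ip"], "success-after-bruteforce", len(recent)))
    return alerts

def constructed_log():
    """Sample log constructed for this example: one ordinary visitor and one
    client that fails twelve logins in twelve seconds and then gets a redirect."""
    base = datetime(2016, 6, 30, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2891 "-" "Mozilla/5.0"'

    lines = [line("10.0.0.9", 0, "GET", "/", 200),
             line("10.0.0.9", 5, "POST", "/wp-login.php", 302)]   # one legitimate login
    lines += [line("10.0.0.5", 10 + i, "POST", "/wp-login.php", 200) for i in range(12)]
    lines.append(line("10.0.0.5", 25, "POST", "/wp-login.php", 302))
    return lines

if __name__ == "__main__":
    for alert in detect_login_bruteforce(constructed_log()):
        print(alert)
```

The single legitimate 302 from 10.0.0.9 produces nothing; only the client that crossed the failure threshold gets a second, higher-priority alert when its redirect arrives. Rate limiting or lockout on wp-login.php, and disabling username disclosure on the lost-password form, are the mitigations that make this run fail in the first place.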


Amazing! So now we are able to log in as one of them. I did that and verified that elliot has higher privileges than mich05654.

Great! elliot is probably an administrator. I edited a theme file and uploaded reverse-shell code through it, and...

Excellent! We have got a limited shell! Let's try to find something interesting.

Wow! Very nice! Let's read key-2-of-3.txt and password.raw-md5.

50% of success :) We have to crack the MD5 hash.
[Cracking...] The MD5 above is the hash of the string 'abcdefghijklmnopqrstuvwxyz'.
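The file name password.raw-md5 already tells the story: an unsalted, single-round MD5 of a dictionary word. The MD5 of the lowercase alphabet is even one of the published test vectors in RFC 1321, so this particular digest is recognisable on sight. The following is an added example, not code from the write-up, that confirms the stated result against the RFC 1321 vector and then shows what the file should have held instead: a salted, iterated PBKDF2 hash, under which the same password yields a different stored value for every salt, so a table computed once cannot be reused. The storage format string and iteration count are my choices for the example.

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# MD5 of the lowercase alphabet as published in the RFC 1321 test suite (A.5).
RFC1321_ALPHABET_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"

def md5_hex(text):
    """Unsalted MD5, the scheme behind the write-up's password.raw-md5 file."""
    return hashlib.md5(text.encode()).hexdigest()

def matches_published_vector(digest_hex):
    """True if the digest is the RFC 1321 alphabet test vector: no work needed."""
    return digest_hex.lower() == RFC1321_ALPHABET_MD5

def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256.

    Stored as algo$iterations$salt$digest (example format, not a standard one)
    so that verification can recover the parameters without a side table.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    digest = md5_hex(ALPHABET)
    print(digest, "is the RFC 1321 vector:", matches_published_vector(digest))
    first = hash_password(ALPHABET, iterations=10_000)
    second = hash_password(ALPHABET, iterations=10_000)
    print("same password, different stored values:", first != second)
    print("both still verify:", verify_password(ALPHABET, first), verify_password(ALPHABET, second))
```

Two stored values for the same password differ because each carries its own random salt, and each verification costs the attacker the full iteration count per guess instead of the one MD5 compression that made the write-up's step instantaneous.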

Excellent! Let's check the OS version of our target.
We know that several exploits exist for it; unfortunately, none of them works :( I did some deeper research and found something interesting about nmap and running commands through it.

Wonderful, isn't it?

Amazing! It is probably game over, because the firstboot_done file is empty. Let's look at /etc/shadow as well.

Now we know how powerful nmap can be locally, too.
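A general-purpose tool that can run commands hands root to any local user the moment it is installed setuid root, which is why the defender's counterpart to the last step is a periodic audit of setuid-root binaries against a known baseline. The following is an added example, not code from the write-up: it classifies files by mode and owner, compares them with an allowlist, and can walk a real filesystem or a constructed listing. The baseline set, the nmap path and the other entries in the sample listing are constructed for the example and should be recorded from a trusted install rather than copied.

```python
import os
import stat

# Baseline constructed for this example: setuid-root programs a stock Debian-family
# host is expected to carry. Record the real baseline from a trusted, freshly
# installed machine instead of typing it from memory.
EXPECTED_SUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo",
}

def is_suid_root(mode, uid):
    """Regular file, setuid bit set, owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def classify(path, mode, uid, baseline=EXPECTED_SUID_ROOT):
    """None for files that are not setuid-root, 'expected' for baseline entries,
    'unexpected' for everything else."""
    if not is_suid_root(mode, uid):
        return None
    return "expected" if path in baseline else "unexpected"

def audit_listing(entries, baseline=EXPECTED_SUID_ROOT):
    """entries: iterable of (path, st_mode, st_uid). Returns unexpected setuid-root paths."""
    return sorted(p for p, m, u in entries if classify(p, m, u, baseline) == "unexpected")

def audit_tree(root="/", baseline=EXPECTED_SUID_ROOT, skip=("/proc", "/sys", "/dev", "/run")):
    """Feed real lstat() data into audit_listing; symlinks are not followed."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == s or dirpath.startswith(s + "/") for s in skip):
            dirnames[:] = []          # do not descend into virtual filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return audit_listing(entries, baseline)

# Listing constructed for this example. The nmap path is an assumption; the
# write-up shows no file paths.
SAMPLE_LISTING = [
    ("/usr/bin/passwd", 0o104755, 0),       # in baseline: expected
    ("/usr/local/bin/nmap", 0o104755, 0),   # setuid root, not in baseline
    ("/usr/bin/python2.7", 0o100755, 0),    # not setuid
    ("/opt/tool", 0o104755, 1000),          # setuid, but not owned by root
]

if __name__ == "__main__":
    for path in audit_listing(SAMPLE_LISTING):
        print("unexpected setuid-root binary:", path)
```

Run audit_tree() from cron and diff its output against the previous run; a new entry is either a package upgrade you can account for or a finding. Removing the setuid bit from anything not in the baseline (chmod u-s) closes the path this write-up took.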