When a bug finally makes itself known, it can be exhilarating, like you just unlocked something. A grand opportunity waiting to be taken advantage of. Robot. If you have never heard of VulnHub, then let me briefly explain what they do.
Before we begin, if you would like to try out the Mr. Robot VM or follow along and learn as I go, then you can download it here! This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The level is considered beginner-intermediate. That includes Footprinting and Fingerprinting hosts, servers, etc. Since the Mr. To do so, type in netdiscover in your terminal. The IP of From our initial scans we can see that Ports 22, 80, and are open. Yes - I came here for a reason, to hack you!
Anyways, that website is actually pretty freakin cool! We can see that we are able to run 6 commands in the interface, and each does its own little thing. We got 2 locations we can navigate to fsocity. Of course… I want the key! We got the first key! Sorry, got carried away again.
Elliot Hacks at the CTF Tournament
We can now go ahead and try the next two locations that we got from our scan - index. After trying the. This should provide us with the WordPress Version. Alright, we now know that the WordPress site is Version 4. When we arrive at the page, we can see that Mr.
Robot is calling us a script kitty… okayyy. We got the password to… um… something. It seems that the password is base64 encoded. We can actually decode it in our terminal! Ok, we got a username and a password. I wonder where we can use this. Once we are logged in as Elliot, we also see that we are the WordPress site admin. From the looks of it, I see we have access to Updates and Plugins. Access the robots. The dictionary file has many duplicates and needs to be optimized and sorted for maximum efficiency.
Minimizing the cracking time and reducing the size of the dictionary file. Use wpscan to find the login page. We need the username and password, but luckily we have the dictionary file. We need to intercept the requests being sent and modify them to get the username. We can stop the intercept, use the proxy, then turn on intercept, enter credentials and hit log in. We can then intercept the POST request and identify the fields we need to brute force.
We can now log in, and since I am the admin I can install plugins like a file manager. I now need to maintain access and escalate my privileges. I can do this by using weevely for a backdoor and a reverse shell, or we can be smart and use Metasploit, which will do all the hard work for us, and use Meterpreter for a reverse connection.
It is an MD5 hashed password that we can crack with hashcat or, because I am lazy, CrackStation. Ok, we now need to get root access, also known as privilege escalation. The only way in is by finding a file that has the set-user-ID (SUID) bit. We now need to use an online cracking tool; we can use hydra as it is the most powerful.
We are going to use the log and pwd fields. The objective is to find the username first; we can then brute force the password after. We are looking for the HTTP POST form that shows us that a username exists. We can now use wpscan to crack the password, because it is faster for WordPress cracking: wpscan --url
The goal of this machine is to find three keys hidden in three different locations. Each key is progressively hard to discover. Let's dive into it! You can download the VM from the vulnhub website. Since Command line with few of the commands available. Tried a few of the commands, but to no use, as is obvious. Since it is a web server, the very first step I did was to run the Nikto web scanner to look for some common files like robots.
Mr. Robot CTF Hacking Walkthrough - Part 1
As suspected, the web server has robots. Besides that, we got some other interesting findings: WordPress site, has license. Let's first navigate to robots.
It can be some username and password. Let's try these credentials there. We are successfully logged in. I checked the Users tab and found out that Elliot has administrative privileges. So the first thing that came to my mind was to upload a reverse shell. I got this reverse shell from pentestmonkey. Before using the shell, remember to edit the PHP file for IP address and port. In my case I used I added the code to Hell Yeah! We found the second key but wait! After hearing that someone had created a Mr.
Robot themed CTF, I needed to see this. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The level is considered beginner-intermediate. The results indicated that there was a web server running and that port 22 was open, but with no service running behind it. As the service discovery only yielded a web server, the next step I took was to start looking into what was being hosted. This was tainted, slightly, in that when importing the appliance into VirtualBox, it indicated that there is a WordPress installation; so I knew ahead of time what to expect… doh!
Robot themed web app which mimics a terminal with various commands available for use.
Mr. Robot CTF Hacking Complete Walkthrough
Looking at the source code of the landing page, there was nothing referencing WordPress anywhere, but I made the assumption it was there somewhere, given that I had seen it in the appliance description.
At this point, it was pretty safe to assume that this would be where my initial access would be gained, given the mass amount of vulnerabilities that exist within the WordPress ecosystem.
The WPScan report brought back a lot of vulnerabilities, most of which were XSS vulnerabilities; which were of no use in this scenario. There was one result in particular which caught my interest, however, which was the outdated version of the All in One Migration plugin. The version of the plugin was one which I was quite familiar with, as I have previously written a Metasploit Module and a WordPress Exploit Framework Module for an unauthenticated database export vulnerability that exists within this version.
As this vulnerability lets you get a full dump of the database, I loaded up WordPress Exploit Framework and executed the module against the VM.
Unfortunately, attempting to unzip this yielded an error, and the file size was 1kb. As the plugin was seemingly failing to produce the export, I dropped this and moved on. As no reliable WordPress vulnerabilities showed up to the party, I fell back to more information gathering and used Nikto (nikto -host). Next, I decided to take a look at the robots.
In addition to revealing the first key when checking the robots file, a word list was also revealed fsocity. This led me to believe that the password to one of the WordPress accounts is going to be inside this file.
As WPScan failed to enumerate any users, I began to manually brute force some of the names from the show in an attempt to find a valid username (a bit primitive, but it worked!). When resetting a password in WordPress, if you enter an invalid username, it is kind enough to let you know that by spewing out the message. Land on a valid username, and it will send the password reset e-mail.
Now that I knew the name of one of the accounts, I went back to the word list previously obtained, and ensured there were no duplicates by running cat fsocity. At this point, I spent a lot of time fishing around the htdocs directory, but found nothing.
Conveniently, however, it did have permission to view the password. After finding this, I did a reverse lookup of the hash, to find that the password for the robot account is abcdefghijklmnopqrstuvwxyz (yay for weak passwords). Now that I had the credentials for the robot account, I dropped into a TTY shell and switched to the robot user to access the second key!
I now knew the naming pattern of the key files i.
Which is a site that has purposely built virtual machines for you to hack. Each one varies in difficulty and allows you to hone your skills and even pick up new ones. So I downloaded the virtual machine from vulnhub and then just double clicked the mrRobot. My first step is to find out what IP the VM is on and what goodies it has to offer, so I run Nmap to find all this out for me.
As you can see, it looks like we have an Apache web server running with ports 80 and open, so let's check them out first. With both http and https we get presented with a cool animation of a Linux terminal booting up and Mr Robot logging in.
At the prompt the only commands that work are the 6 listed above. Each one takes you to its own page, which contains all sorts of Mr Robot propaganda; it looks like it's a rip of a Mr Robot promotional website. Took note of each page just in case I needed it later. Then I download fsocity. I cat the new fsocitysorted. Now we have our payload, we need to get this on the site and run it. The best place for this is the page template.
Next open up your payload with any text editor and copy the contents over the top of the template and click update file.
So it looks like we have a username and an MD5 hashed password. I could run this through hashcat, but I thought, as this is an easy hackable VM, I would google the hash first, and as I thought, the hash comes back quite quickly as abcdefghijklmnopqrstuvwxyz.
We can tell we are in the proper shell as the start of the line tells us what user we are, the name of the server and then what folder we are in. Once we have entered the password for the MD5 hash we are now logged in as Robot.
This VM has three keys hidden in different locations. Your goal is to find all three.
Each key is progressively difficult to find. The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate. Nmap scan report for At this stage I thought it was time to check out the robots.
Channel 0 created. Dumping out the list of processes shows Nmap is set to run as root.
As a grumpy architect, in collaboration with a grumpy analyst, it was decided that we should sharpen and hone our hacking skills by doing some CTF — capture the flag — challenges. Robot 1 is thematically based on the TV series of the same name, which was awesome, so that decided it for us.
Below here I will detail a walkthrough of the solution. Also note: there are probably many ways of achieving this — and probably all of them are better than what I did here. To that end, herein is probably a really dumb way of solving Mr. Robot 1. In it, I have an up-to-date installation of Kali Linux. So the front door is locked, then.
Now, within my Kali VM I fired up nmap and gave it the following flags. Robot themed text and video intro. Maybe I missed it — let me know. My next step was to check for a robots.
Key 1 contains this: c8a58a1f80dfbb9. My next move was to see if there were any vulnerabilities on the webserver with a basic Nikto scan. Now then, from here I jumped straight into the WordPress content which had been detected and proceeded from there. Use all of the information that you have. Attempts to exploit these were ultimately fruitless for me though.
Mr Robot:1 CTF Walkthrough
I next spent time looking around the URLs that Nikto had found. Again I fell back to trying obvious things — any things — just to try to pick up the scent again. The trusty old admin:admin username and password combo was predictably fruitless… or was it? Thus spawned a fairly boring period of trying random user names that I thought might be admin-y or related enough, until.
And remember, passwords we got: fsocity. Armed with my username and dictionary file, I set about some brute forcing. So I tried again using a different tool. And after a lengthy period of time, the password for elliot is. Well played, Jason. Some more Googling around getting a shell on a webserver running PHP leads me to here, where the kind folk have done the hard work for me in creating a reverse shell.
Remember good old Nikto? Remember he told us this. I modified the IP and port information as directed, saved it and zipped it up. Within the WordPress Plugins page I uploaded the. Before activating the plugin, I went to my local shell in Kali and set up a listener.
Continuing with our series on interesting Vulnhub machines, in this article we will see a walkthrough of the machine entitled Mr. Kali Linux VM will be my attacking box. Please remember that the techniques used are solely for educational purposes: I am not responsible if the listed techniques are used against any other targets. First, we need to identify the IP of this machine.
Below we can see netdiscover in action. The IP of the victim machine is We will use nmap to enumerate the host. Below are the nmap results for the top ports. Since we can see port 80 is open, the first thing I always do before running tools such as nikto or gobuster is to look for known pages such as robots.
As we noticed from the robots. We download it, remove the duplicates and create a. So at this point, we have one of the three keys and a possible dictionary file, which can be a list of usernames or passwords.
We do not know yet, and we do not know where to test these. So I run back to nikto to see if it can reveal more information for me. We can see this is a WordPress site and has a login page enumerated. Launching wpscan to enumerate usernames gives two usernames, Elliot and mich We confirm the same on the wp-admin page by picking the username Elliot and entering the wrong password. WordPress then reveals that the username Elliot does exist.
Now at this point, we have a username and a dictionary file. I wanted to test for other users as well, but first I wanted to see what level of access Elliot has.
Below we can see that we have got the shell back. Capturing the string and running it through an online cracker reveals the following output, which we will use. Prior versions of nmap are known to allow this escalation attack via the binary's interactive mode. Below we can see we have exploited the same, and now we are root.