“Based on the show, Mr. Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find. The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.” – Jason
For more information and the OVA file download, please check here.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.130/24)
Target: Mr-Robot: 1 (10.1.1.137/24)
Vulnerability & Exploit
robots.txt sensitive information disclosure
WordPress username and password bruteforce attack
Exploit Old NMAP --interactive privilege escalation vulnerability to get ROOT
Scan the network to discover the target server [arp-scan]
Port-scan the target to discover open ports and running services [masscan && nmap]
Scan the web application to dig out more information about the web service [nikto]
Scan for WordPress-specific vulnerabilities in the CMS [wpscan]
Exploit a WordPress administrator/editor account to upload a webshell [php-reverse-shell]
Enumerate and exploit the local privilege escalation vulnerability (old NMAP --interactive vulnerability) to get ROOT
All the tools used here can be found in Kali Linux.
As a routine first step, I use arp-scan to detect the target's IP address.
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:f1:61:7e VMware, Inc.
10.1.1.137 00:0c:29:61:51:fa VMware, Inc.
10.1.1.254 00:50:56:f3:e7:2a VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 3.021 seconds (84.74 hosts/sec). 4 responded
10.1.1.137 is our Target!
Then I run masscan to detect open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full scan and then run nmap to do a deeper scan of the ports it finds).
root@kali:~# masscan -p1-65535 10.1.1.137/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-08-05 12:37:00 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.137
Discovered open port 443/tcp on 10.1.1.137
Nmap scan report for 10.1.1.137
Host is up (0.0037s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
MAC Address: 00:0C:29:61:51:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Uptime guess: 0.000 days (since Fri Aug 5 08:38:08 2016)
Network Distance: 1 hop
Only ports 80 and 443 are found, and Apache is the HTTP server.
Meanwhile, I run nikto to scan for web vulnerabilities on port 80, which was found in the port-scanning stage.
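The masscan run above sends one SYN to every port of the target within a few seconds, which is exactly the pattern a defender can pick out of firewall logs. The following is an added example (not part of the original write-up) of that detection logic: it parses constructed iptables-style log lines in a hypothetical format, keeps a sliding time window per source/destination pair, and flags a pair once it has touched many distinct ports inside that window. The log format, the lab addresses reused from this page, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) firewall log line format:
#   <ISO timestamp>Z SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=SYN
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})Z "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_port_sweeps(lines, window_seconds=5, port_threshold=50):
    """Flag (src, dst) pairs that hit >= port_threshold distinct ports within window_seconds.

    Returns {(src, dst): max_distinct_ports_seen_in_any_window} for the flagged pairs only.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort()
    per_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        per_pair[(src, dst)].append((ts, dpt))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, evs in per_pair.items():
        counts = defaultdict(int)  # port -> number of SYNs to it inside the current window
        left = 0
        best = 0
        for ts, dpt in evs:
            counts[dpt] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= port_threshold:
            alerts[pair] = best
    return alerts


def build_sample_log():
    """Constructed sample: a masscan-like sweep of 200 ports in ~2 s, plus a benign browsing client."""
    base = datetime(2016, 8, 5, 12, 37, 0)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    lines = []
    for i, port in enumerate(range(1, 201)):
        ts = base + timedelta(milliseconds=10 * i)
        lines.append(f"{ts.strftime(fmt)} SRC=10.1.1.130 DST=10.1.1.137 PROTO=TCP DPT={port} FLAGS=SYN")
    for i in range(6):  # one connection every 10 s, alternating 80/443
        ts = base + timedelta(seconds=10 * i)
        port = 443 if i % 2 else 80
        lines.append(f"{ts.strftime(fmt)} SRC=10.1.1.50 DST=10.1.1.137 PROTO=TCP DPT={port} FLAGS=SYN")
    lines.append("2016-08-05T12:37:01.000000Z kernel: unrelated line the parser must ignore")
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(build_sample_log()).items():
        print(f"port sweep: {src} -> {dst}, {n} distinct ports inside a 5 s window")
```

The distinct-port count, rather than the raw packet count, is what separates a sweep from a busy but legitimate client: the benign host in the sample makes several connections but never to more than one port per window, so it is not flagged, while the sweeping host reaches 200 distinct ports in under two seconds. Tune the window and threshold to the traffic profile of the segment being monitored.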
- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.137
+ Target Port: 80
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-powered-by header: PHP/5.5.29
+ GET Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ GET Uncommon header 'tcn' found, with contents: list
+ GET Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: GET /admin/: This might be interesting...
+ GET Uncommon header 'link' found, with contents: <http://10.1.1.137/?p=23>;rel=shortlink
+ GET /readme.html: This WordPress file reveals the installed version.
+ GET /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: GET /license.txt: License file found may identify site software.
+ GET /admin/index.html: Admin login page/section found.
+ GET Cookie wordpress_test_cookie created without the httponly flag
+ GET /wp-login/: Admin login page/section found.
+ GET /wordpress/: A Wordpress installation was found.
+ GET /wp-admin/wp-login.php: Wordpress login found
+ GET /blog/wp-login.php: Wordpress login found
+ GET /wp-login.php: Wordpress login found
WordPress CMS is found, and /robots.txt and /license.txt are present as well.
So I run wpscan against this WordPress CMS and, in the meantime, have a look at the two interesting files.
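Most of what nikto reported above is header hygiene that the server owner can check and fix without any scanner. The following is an added example (not part of the original write-up) of a small response-header audit in Python: it parses a constructed HTTP response modelled on the nikto findings (missing X-XSS-Protection and X-Content-Type-Options, an X-Powered-By version leak, a multi-field ETag, the TCN header that betrays MultiViews, and a cookie set without HttpOnly) and reports each weakness, then runs the same audit on a constructed hardened response. Both responses are constructed samples; the finding ids are my own naming.

```python
import re

# nikto's ETag check fires on multi-field ETags such as "29-52467010ef8ad" (Apache FileETag output).
ETAG_MULTI_FIELD = re.compile(r'^(W/)?"[0-9a-f]+(-[0-9a-f]+)+"$', re.IGNORECASE)

# Constructed response, modelled on the nikto findings above (not a captured response).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 05 Aug 2016 12:40:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.5.29\r\n"
    "ETag: \"29-52467010ef8ad\"\r\n"
    "TCN: list\r\n"
    "Link: <http://10.1.1.137/?p=23>; rel=shortlink\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed hardened variant: no version header, single-field ETag, no TCN (MultiViews off),
# the two security headers set, and the cookie flagged HttpOnly and Secure.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 05 Aug 2016 12:40:00 GMT\r\n"
    "Server: Apache\r\n"
    "ETag: \"52467010ef8ad\"\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(lower-cased name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_headers(raw):
    """Return finding ids (fixed order) for the weaknesses nikto reported on this server."""
    _status, headers = parse_response(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    findings = []
    if "x-xss-protection" not in by_name:
        findings.append("missing-x-xss-protection")
    if "x-content-type-options" not in by_name:
        findings.append("missing-x-content-type-options")
    elif by_name["x-content-type-options"][0].lower() != "nosniff":
        findings.append("bad-x-content-type-options")
    if "x-powered-by" in by_name:
        findings.append("x-powered-by-disclosure")
    if any(ETAG_MULTI_FIELD.match(v) for v in by_name.get("etag", [])):
        findings.append("etag-multi-field")
    if "tcn" in by_name:  # Apache only emits TCN when content negotiation (MultiViews) is active
        findings.append("multiviews-enabled")
    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie-without-httponly:{cookie_name}")
    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_RESPONSE))
    print("hardened:", audit_headers(HARDENED_RESPONSE))
```

On the Apache side the corresponding fixes are `Header always set X-Content-Type-Options "nosniff"` (mod_headers), `FileETag None` or `FileETag MTime Size` so that inode numbers never enter the ETag, `Options -MultiViews` on the document root, `ServerTokens Prod`, and `expose_php = Off` in php.ini to drop X-Powered-By; WordPress itself sets wordpress_test_cookie, so the HttpOnly flag is best added with `Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"`. Note that current browsers ignore X-XSS-Protection; it is kept here only because nikto flags its absence, and a Content-Security-Policy is the modern replacement.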