Today I will be creating a write-up for the vulnerable VM Mr Robot I available at root-me.org. The goal is to obtain three different keys for each different level of entry. However, the end goal is the same -- get root. I'll be focusing on getting root and not the keys.
Please note that this is only one way to get into this machine and that there are other vectors. Example: you can find elliot's ssh password within the mysql database.
Summary:
I ran 2 different scans on the machine, dirb and nikto, and then once I found WordPress installed I also ran wpscan. In robots.txt there are two files that Mr Robot wants the spiders to miss: a dictionary file and the first key. I sorted the dictionary file, removing duplicate entries, and used wpscan's wp-login brute forcer option with the username elliot and the sorted fsocity.dic. After getting the wp-admin credentials I was brought to the admin panel. Within the admin panel I was able to edit the 404.php page to include my msfvenom-generated PHP reverse shell. I then opened up a reverse listener for a PHP payload and visited the 404 page. This triggered the payload and I received my shell under the user 'daemon'. Once connected, I executed a uname -a command to find out what box I was working with. Not stunned at what I saw, I ventured over to the ever-readable, ever-writable and lovable /tmp directory and uploaded one of my favorite exploits of all time--dirtycow. Dirtycow works on a large array of Linux kernel versions and should have been huge news at the time of its release. Anyway, 3.13.55 is affected, so it led me straight to root. See the screenshots below for the play-by-play.
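From the defender's side, the chain in the summary (a wordlist attack on wp-login.php followed by a theme-file edit in the admin panel) leaves a clear trail in the web server's access log. The following Python detector is an added example, not part of the original write-up or of any tool it mentions; the log lines are constructed, and the threshold and path names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format; we only need client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not taken from the VM): a wordlist attack on wp-login.php
# (a failed login re-renders the form with 200, the success is a 302 to wp-admin),
# followed by a theme-file save through the admin theme editor from the same client.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
10.0.0.5 - - [02/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
10.0.0.5 - - [02/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
10.0.0.5 - - [02/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
10.0.0.5 - - [02/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
10.0.0.5 - - [02/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [02/Jan/2017:10:00:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0
10.0.0.9 - - [02/Jan/2017:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3921
10.0.0.9 - - [02/Jan/2017:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse(text):
    """Return a list of (ip, method, path, status) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])))
    return events

def login_bruteforce_sources(events, threshold=5):
    """IPs with at least `threshold` failed POSTs to wp-login.php (status 200, form re-shown)."""
    failures = Counter(ip for ip, method, path, status in events
                       if method == "POST" and path == "/wp-login.php" and status == 200)
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def theme_edits_after_bruteforce(events, threshold=5):
    """IPs that saved a theme file via theme-editor.php after brute-forcing wp-login.php."""
    suspects = set(login_bruteforce_sources(events, threshold))
    return sorted({ip for ip, method, path, status in events
                   if ip in suspects and method == "POST" and path == "/wp-admin/theme-editor.php"})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute-force sources:", login_bruteforce_sources(ev))
    print("theme edits after brute force:", theme_edits_after_bruteforce(ev))
```

The single 302 from 10.0.0.9 is an ordinary login and is not flagged; only the client that failed repeatedly and then wrote a theme file is reported.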
Dirty Cow Exploit
Uploaded the Dirty Cow exploit via the meterpreter command: upload /home/pootato/exploits/dc-poke-newuser.c.
Scans:
dirb http://vulnhost
wpscan vulnhost
nikto -host vulnhost
Nmap
Started an nmap scan but found vulnerable web applications before it finished and I popped root.
Nikto
Dirb
WPScan
robots.txt
fsocity.dic
WPScan Brute Force
WP credentials: elliot:ER28-0652
Reverse Shell
Privilege Escalation
Dirtycow: https://dirtycow.ninja/