Mr Robot I

March 27, 2018

Today I will be creating a write-up for the vulnerable VM Mr Robot I available at root-me.org. The goal is to obtain three different keys for each different level of entry. However, the end goal is the same -- get root. I'll be focusing on getting root and not the keys.

Please note that this is only one way to get into this machine and that there are other vectors. Example: you can find elliot's SSH password within the MySQL database.

Summary:

I ran 2 different scans on the machine: dirb, nikto and then once I found WordPress installed I also ran wpscan. In robots.txt there are two files that Mr Robot wants the spiders to miss: a dictionary file and the first key. I sorted the dictionary file, removing duplicate entries, and used wpscan's wp-login brute forcer option with the username elliot and the sorted fsocity.dic. After getting the wp-admin credentials I was brought to the admin panel. Within the admin panel I was able to edit the 404.php page to include my msfvenom-generated PHP reverse shell. I then opened up a reverse listener for a PHP payload and visited the 404 page. This triggered the payload and I received my shell under the user 'daemon'. Once connected, I executed a uname -a command to find out what box I was working with. Not stunned at what I saw, I ventured over to the ever read, write, and lovable /tmp directory and uploaded one of my favorite exploits of all time--dirtycow. Dirtycow works on a large array of Linux kernel versions and should have been huge news at the time of its release. Anyway, 3.13.55 is affected so it led me straight to root. See the screenshots below for the play-by-play.
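The chain in the summary above (a burst of wp-login attempts, a successful login, then use of the theme editor) leaves a recognizable trail in the web server's access log. The following is an added example, not part of the original write-up: a Python detector run over constructed log lines, where the status-code convention (200 for a failed WordPress login, 302 for a successful one), the threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Common Log Format fields we need: ip, timestamp, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})\b')

def build_sample():
    """Constructed access-log lines (RFC 5737 addresses), not taken from the VM."""
    row = '{} - - [27/Mar/2018:10:00:{:02d} +0000] "{}" {} 0'
    a, b = "203.0.113.7", "198.51.100.20"
    lines = [row.format(a, s, "POST /wp-login.php HTTP/1.1", 200) for s in range(12)]
    lines += [
        row.format(a, 13, "POST /wp-login.php HTTP/1.1", 302),
        row.format(a, 20, "POST /wp-admin/theme-editor.php HTTP/1.1", 200),
        row.format(b, 30, "POST /wp-login.php HTTP/1.1", 200),  # one mistyped password
        row.format(b, 31, "POST /wp-login.php HTTP/1.1", 302),  # then a normal login
    ]
    return lines

def analyze(lines, threshold=10):
    """Return (ip, timestamp, finding) tuples in log order."""
    fails = defaultdict(int)  # failed logins per IP since its last success
    flagged = set()           # IPs whose login followed a failure burst
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if method == "POST" and path == "/wp-login.php":
            if status == "200":  # assumption: failed login re-renders the form
                fails[ip] += 1
                if fails[ip] == threshold:
                    findings.append((ip, ts, "login brute force"))
            elif status == "302":  # assumption: success redirects to wp-admin
                if fails[ip] >= threshold:
                    flagged.add(ip)
                    findings.append((ip, ts, "login succeeded after brute force"))
                fails[ip] = 0
        elif path == "/wp-admin/theme-editor.php" and ip in flagged:
            findings.append((ip, ts, "theme editor used after brute-forced login"))
    return findings

if __name__ == "__main__":
    for ip, ts, what in analyze(build_sample()):
        print(ip, ts, what)
```

Setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the theme editor step entirely, and rate limiting wp-login.php cuts off the first.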

Dirty Cow Exploit

Uploaded the dirty cow via the meterpreter command: upload /home/pootato/exploits/dc-poke-newuser.c.

Scans:

dirb http://vulnhost
wpscan vulnhost
nikto -host vulnhost

Nmap

Started an nmap scan but found vulnerable web applications before it finished and I popped root.

Nikto

Dirb

WPScan

robots.txt


fsocity.dic



WPScan Brute Force



WP credentials: elliot:ER28-0652

Reverse Shell





Privilege Escalation

 
  




