Intro
Who doesn't know the series Mr. Robot? When Elliot played a CTF in the series, I thought to myself that I had to do that sometime too. A year later, i.e. today, I finally get around to playing a CTF, because I had a lot on my plate 😄
My favorite VM so far is, and remains, Metasploitable 2. But since I wanted another VM to play with for a change, I searched the Internet and found it: there really is a Mr. Robot CTF VM. Nice, day saved, time to tinker. The VM is available for download here. Once the VM is running it is reachable over your own home network.
Since I've already played through the CTF, I thought I'd write a little walkthrough. I'm trying hard not to let that show. For those who haven't played this CTF VM yet, I'll just say: [!!!!!!!!! ATTENTION: SPOILERS IN THE FOLLOWING TEXT !!!!!!!!!]
Search and Scanning
To find out the IP address of the VM I used Netdiscover and let it run for a short while. Alternatively you can run Nmap over your own home network.
My VM should have the IP 192.168.1.104, because none of my other devices in the network is from the manufacturer PCS Systemtechnik GmbH (the MAC vendor that VirtualBox uses for its virtual network adapters). To verify that, I run an Nmap scan.
Yep, looks like the VM. Let's see what's running on the Apache server.
Port 80
Looks quite nice, I like the design, but let's see what's behind it all.
From here on I'll try to act like Elliot to make it a bit more exciting 😅
Nikto can tell me more, so that's what I'll run next; in the meantime I take a look at the page in the developer tools. There seem to be a few JavaScript errors there and it can't play the audio files either. What is Mr. Robot trying to do?
First flag
Nikto shows me interesting info. There seems to be a WordPress running behind it. I'll take a closer look at the robots.txt.
Also interesting: /wp-admin has apparently been moved to `/admin`. What I find quite interesting are the two files system and exec. But first the robots.txt, because it may give me some more information.
User-agent: *
fsocity.dic
key-1-of-3.txt
So there is probably a dictionary with it. And I have already found the first key, or flag. Only two remain. Why is Mr. Robot helping me? Why does he leave all this to me?
Key1 : 073403c8a58a1f80d943455fb30724b9
Initial access
I download the dictionary. It contains about 800K possible passwords. What I noticed when skimming the list is that many entries are in there two or three times.
$ head fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window
...
Good, that means the list has to be reduced to unique entries. The command `sort -u fsocity.dic > wordlist.txt` solves my problem (`uniq` alone only drops adjacent duplicates, so the list has to be sorted first). Whoosh, my list now has only about 11000 passwords.
The fact that WordPress is installed there can only mean one thing: there must be users. Whatever Mr. Robot is up to, I will find out. I always do.
The URI `/wp-json/` was a flop, nothing there. Nothing to be found via the RSS feed either, not even when I try to display pages with ascending IDs. There is nothing that lets me find usernames relatively fast. So I will probably have to do a user enumeration on the login page of the admin area. Since I noticed names when I skimmed the wordlist, I'll run through the complete wordlist to see which user accounts exist. For this I built a small Python script.
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
from bs4 import BeautifulSoup


def check(url, user):
    # Post the candidate username with a dummy password; WordPress names the
    # user in its error message only when the account actually exists.
    html = requests.post(url, {'log': user, 'pwd': 'abcdef'}).content
    soup = BeautifulSoup(html, 'html.parser')
    error = soup.find('div', id='login_error')
    if error is not None and ('username ' + user) in error.text:
        print(user + " ---> exist")


def loadFile():
    # One candidate name per line; blank lines are skipped.
    with open('wordlist.txt', 'r') as f:
        return [line.strip() for line in f if line.strip()]


def run():
    users = loadFile()
    step = max(1, len(users) // 10)  # print progress every 10 %
    for n, user in enumerate(users):
        check("http://192.168.1.104/wp-login.php", user)
        if n % step == 0:
            print(str(n) + " / " + str(len(users)))


if __name__ == "__main__":
    run()
I'll let that run for now and see what comes out at the end. In the meantime I'll prepare my password cracker; it's actually only a small change to the script.
The only user my script found is actually Elliot. What do I have to do with this page? Did I set up the page for him in absentia?
Now I have to crack his password. I made another Python script for that too. The password that came out, just before the script crashed because there was no error message anymore, was ER28-0652. That is my number at Allsafe, but why? I love making things myself.
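As an added defensive counterpart to the two scripts above (this is not code from the original post), the following checks an Apache access log for the burst of POST requests to wp-login.php that such username enumeration and password guessing produces. The log lines are constructed samples, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(lines, threshold=20, window_seconds=60):
    """Flag every source IP that POSTs to /wp-login.php at least `threshold` times
    within any `window_seconds` span. Returns {ip: timestamp the threshold was crossed}.
    Threshold and window are assumed values; tune them to the site's normal traffic."""
    recent = defaultdict(deque)   # per-IP sliding window of POST timestamps
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?", 1)[0] != "/wp-login.php":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sample_log(ip, count, start_second=0):
    """Constructed sample lines (not from the VM): one POST to wp-login.php per second."""
    return [f'{ip} - - [10/Mar/2017:12:00:{start_second + i:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"' for i in range(count)]

# 25 guesses in 25 seconds from one host, 3 from another, plus an ordinary page view.
SAMPLE = (sample_log("10.0.0.5", 25) + sample_log("10.0.0.9", 3, start_second=30)
          + ['10.0.0.9 - - [10/Mar/2017:12:00:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'])
```

Running `find_login_bursts(SAMPLE)` reports only 10.0.0.5, at the second its 20th guess arrived; the access log cannot show which usernames were tried, so the POST rate is the signal here.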
Quickly logged in and checked: jackpot, the account is an admin account. That means I can include malicious code. WordPress offers many ways to customize themes and plugins, and that is exactly the way from the web application into the OS. I chose the standard plugin Hello Dolly as the entry point.
I Base64-encoded my small PHP shell and protected it with a username and password, so that only I can use it. The plugin is now equipped with the shell. Ok, time to go onto the system. I'm curious what I'll find on it.
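Added example, not from the original post: a baseline-and-compare check over a plugin directory, which is how a modified hello.php like the one above would show up on the defender's side. The plugin tree is constructed in a temporary directory; the file names and contents are stand-ins.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file below `root` (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Compare a known-good hash map against a fresh one; report what changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def build_sample_plugins():
    """Constructed stand-in for wp-content/plugins in a temp dir (not a real WordPress tree)."""
    root = tempfile.mkdtemp(prefix="plugins-")
    os.mkdir(os.path.join(root, "akismet"))
    with open(os.path.join(root, "hello.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello, Dolly'; }\n")
    with open(os.path.join(root, "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Akismet */\n")
    return root

def simulate_tampering(root):
    """Stand-in for the persistence step: hello.php grows extra code and a new file appears."""
    with open(os.path.join(root, "hello.php"), "a") as fh:
        fh.write("/* content appended after deployment */\n")
    with open(os.path.join(root, "akismet", "cache.php"), "w") as fh:
        fh.write("<?php\n")

if __name__ == "__main__":
    root = build_sample_plugins()
    baseline = hash_tree(root)       # take this right after a clean install or update
    simulate_tampering(root)
    print(diff_baseline(baseline, hash_tree(root)))
```

The baseline has to be recorded from a clean install and stored outside the web root, otherwise an attacker with admin rights can simply refresh it.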
Password?
My user ID is 1; I'm running as the user daemon: uid=1(daemon) gid=1(daemon) groups=1(daemon). There's not much I can do with that. Let's see what users exist on the system. What are you hiding, Mr. Robot?
Let's see what's in Mr.Robot's home directory.
I found the 2nd flag and the possible password of Mr. Robot. The 2nd flag I can only read as the user robot. Let's see what hashkiller tells me; with billions of passwords there must be something there. Otherwise John has to find out the password.
And the site didn't disappoint me today either.
Now I know his password, but how do I get into the system via SSH?
Upgrade shell access
The PHP shell doesn't get me far. I can't start SSH, no rights, and I can't do privilege escalation through it either. Maybe Netcat will help me. I have to build a reverse shell. I host the shell with Python's HTTP server on port 8080, and I build the shell itself with msfvenom.
Now I just need to upload the shell and set up the matching listener with Metasploit.
Ok, the shell is on the server; now I just need to tell the PHP shell to start my new shell so I can move around the system better.
Privilege escalation
My new shell is here, now I can look around the system better. I'll have a look at the SSH config. There was no ListenAddress stored. I will change that so that I can get onto the server via SSH later. For this I need root rights. Let's see which files here have the SUID bit set.
Nmap is installed here with SUID and has an interactive mode. Perfect, I can use that to get a root shell. I knew it, Mr. Robot is up to something with this server. Only what, and what do I have to do with it?
I have now been able to get root rights and start SSH. Now I can look around the system normally as the user robot and get the 2nd key.
So that was his user password. I am now on the system with his account and have found my 2nd key. Ok, time to get the last key before I continue setting up and take Mr. Robot down.
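Added example (not from the post): an audit that lists setuid regular files not in a known-good allowlist, which is how the setuid nmap above would stand out to whoever maintains the box. The allowlist and the sample entries are assumptions, not a listing from the VM.

```python
import os
import stat

# Binaries that legitimately carry the setuid bit on a typical Debian/Ubuntu host.
# Assumed baseline for this example; a real audit should use a baseline recorded
# from a known-good build of the same image.
ALLOWLIST = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo",
}

def is_setuid(mode):
    """True for a regular file with the setuid bit; symlinks and directories never count."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def audit_suid(entries, allowlist=ALLOWLIST):
    """entries: iterable of (path, st_mode). Returns the sorted paths of setuid
    regular files that are not in the allowlist, i.e. the ones to investigate."""
    return sorted(path for path, mode in entries
                  if is_setuid(mode) and path not in allowlist)

def collect_suid(root="/"):
    """Walk `root` with lstat (symlinks are not followed) and yield (path, mode)
    for every setuid regular file; unreadable entries are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if is_setuid(mode):
                yield full, mode

# Constructed sample entries (not a listing from the VM): a few expected setuid
# binaries, an unexpected setuid nmap, a normal binary and a setuid-looking symlink.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/bin/ping", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/local/bin/nmap", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/python", stat.S_IFREG | 0o755),
    ("/usr/bin/at", stat.S_IFLNK | stat.S_ISUID | 0o755),
]

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_ENTRIES):   # swap in collect_suid() for a live host
        print("unexpected setuid binary:", path)
```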
Key 2 : 822c73956184f694993bede3eb39f959
My last key is in the root user's directory. So I have found my last key. What is this firstboot_done file? Like the .dat file back then.
Key3 : 04787ddef27c3dee1ee161b21670b4e4
Pwned!
I'll have a look at it later. First I have to add a new user for myself.
My new user will always let me be root, no matter where and when I log on to the system.
All right, I have all I need; the server is mine now. I'll have a look at the WordPress config. Maybe it's connected to an external database.
Now you'll need a long time to get the server back. I'll take the server apart piece by piece...
Ok, that was the walkthrough 😄
I must say, the VM is great for CTFs. I liked the gimmicks on the site best 😄. I can recommend the VM to anyone.
What was I able to get?
- All flags
- wp-config.php (MySQL and FTP access data)
- Root rights
- New user with root rights
- Persistently overwritten hello.php (Hello Dolly), which gave me access to the system
The flags are:
Key1 : 073403c8a58a1f80d943455fb30724b9
Key2 : 822c73956184f694993bede3eb39f959
Key3 : 04787ddef27c3dee1ee161b21670b4e4
Ok, I hope you enjoyed the walkthrough. I tried to make it a bit in the style of Elliot 😄