Hi there!

I’m preparing for my OSCP lab and exam, so I decided to start on some VulnHub machines.
The first one I noticed was called Mr Robot.
I’m a huge fan of the series, so my choice was obvious.

So after I booted the VM, I started to nmap my entire subnet, because I didn’t know the IP of the target.
The Nmap phase came before my first coffee, so I failed hard. Yes. The network adapter settings. They were not, how should I say it, well configured 😀
After a few epic-fail scans, I set up my network properly and found the server.

In my network, the IP was: 192.168.0.21
Let’s nmap it without thinking!!!!

SSH, HTTP, HTTPS. Juicy!!!
Let’s open up a browser and check what we see.

Awesome! We can play with a few commands. Go for it!
It seems like total bullshit, but give it a chance, maybe there is some hint there!

1: “prepare”
A video from the series is playing. I don’t think it’s useful! GO ON!

2: “fsociety”
Similar video… Wrong way.

3: “inform”
There are four “slides”. Maybe they will be useful later.

4: “question”
Four pics again… saved them for later.

While creating the screenshots, I noticed something strange. My browser was looking up “oimg.nbcuni.com”. I noted that information too. On with the exploration.

5: “wakeup”
Video time again! Hmm, this is just a black screen. Maybe some bug! Keep it in mind.

6: “join”
Input opportunity. I entered an email address, nothing happened. Maybe I’ll give it a try later to find some bug in the input handling.

 

I don’t know why I checked the robots file, but I did, and I did it well.
So: http://192.168.0.29/robots.txt
The content was the following:

User-agent: *
fsocity.dic
key-1-of-3.txt

THERE U GO!
key-1-of-3.txt.

Let’s browse it: http://192.168.0.29/key-1-of-3.txt
And bingo!

It seems to be an MD5 hash, but I could not find it in any online database.
The hash is noted; maybe I don’t really need the plaintext value. We’ll see later.

Now we are finished with this “webapp”. Let’s launch Nmap again and go on with the ports and services.
As seen previously, we have SSH, HTTP and HTTPS.

Start with SSH!
I launched some scans and tried some auxiliary modules to find more information
about the service.

I failed lots of scans against the SSH service, so I decided to go back to the webapp side.
Why did I do that? All of the auxiliary scans failed. I couldn’t do anything with SSH.

So as I went back and read through my last blog post, I noticed that there is a file called “fsocity.dic”.
Fuck my life… it took me more than 20 hours to notice this file.

As I opened it, it turned out to be a huge dictionary file. But what to do with it?!!?!??!

Let’s launch DIRB to reveal all of the directories.


Right after the first few directories, I realized that this webpage is running on a WordPress engine.
Readme file! Bingo! The version is 4.3.11! Let’s run wpscan on the site!
After running wpscan, I tried to enumerate the users, but I did not succeed. In the results, a well-known exploit is revealed: header injection during the password reset.


We do not have any username, so let’s try to brute-force them out! I started the BURP proxy and caught the traffic during a login.

Our username is “Elliot”!
Next step: try out the fixed username and brute-force the password of the user “Elliot”.

Brute-force started with the wordlist found on the server. Now wait for the result!

So Username: Elliot
      Password: ER28-0652
Authentication successful, I’m logged in!
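The login step above is exactly what a defender wants to see in the web server log: a burst of POSTs to wp-login.php from one address, answered with HTTP 200 (WordPress re-renders the form on a failed login) and then a 302 once a password works. The following detector is an added example written for this post, not code from the box or its author; the log lines are constructed in the common Apache combined format, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Constructed sample log: 12 failed logins from 10.0.0.5 within 12 seconds,
# then a 302 (successful login), plus one lone failure from 10.0.0.9.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Mar/2017:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4312'
    for i in range(12)
] + [
    '10.0.0.5 - - [10/Mar/2017:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Mar/2017:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312',
    '10.0.0.9 - - [10/Mar/2017:12:00:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
    'this line is garbage and must be skipped',
]


def parse_line(line):
    """Return ip, timestamp, method, path (query stripped) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_wp_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed (HTTP 200) POSTs to /wp-login.php inside any
    sliding window, and report whether a 302 (successful login) appeared from that IP."""
    events = defaultdict(list)  # ip -> [(ts, status), ...]
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == "/wp-login.php":
            events[e["ip"]].append((e["ts"], e["status"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            # failures in the window that starts at this event
            fails = sum(1 for t, s in evs[i:] if t - t0 <= window and s == 200)
            peak = max(peak, fails)
        if peak >= threshold:
            alerts[ip] = {"failed": peak, "success_after": any(s == 302 for _, s in evs)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_wp_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failed']} failed wp-login POSTs, success seen: {info['success_after']}")
```

The same counter also catches the username-enumeration step, because WordPress answers a wrong username and a wrong password with the same status code; what differs is the error text, which is why rate limiting or a login-attempt plugin, not just uniform error messages, is the practical fix.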

First, check out the users!
I found two of them: “Elliot” and “Mich05654” (Krista Gordon, Elliot’s therapist according to the series)

In Krista’s description, there is a sentence asking: another key?
No, I could not find any key.
Now don’t waste more time at this layer, dig deeper! LOL @bodort you just came to my mind
So
Let’s look around the server. My plan is to deploy an administrative PHP webshell on the website, with the rights of Elliot.

I discovered an option while editing a post where a media upload feature is available.
Obviously my first upload attempt failed, because of the extension of the file: “.php”
Now I need the power of BURP!!!
Proxy turned on, catch the upload session, fake the extension and filetype, and upload the shell!
Let’s rename my “ak47.php” to “ak47.php.jpg”

No success…
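The double-extension trick fails here because the WordPress media library checks more than the last extension. For anyone writing their own upload handler, the following is an added example (not code from the box, WordPress, or the author) of the checks that make “ak47.php.jpg” a dead end: every extension segment is tested against an interpreter list (Apache’s mod_mime evaluates all extensions, so an inner “.php” can still reach the PHP handler under an AddHandler configuration), only one extension is allowed, and the file’s first bytes must match the image type it claims. The allowlists and the sample bytes are constructed for this example.

```python
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a typical Apache/PHP setup may hand to an interpreter or config parser.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
                  "cgi", "pl", "py", "sh", "htaccess"}
# Magic bytes for the allowed image types.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample contents.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'not an image'; ?>"


def check_upload(filename, content):
    """Return (accepted, reason). Rejects executable or stacked extensions, odd
    characters in the name, dotfiles, and bytes that do not match the extension."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path prefix
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):  # no extension, or a ".htaccess"-style dotfile
        return False, "missing or empty name/extension"
    stem, exts = parts[0], parts[1:]
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name"
    if any(e in EXECUTABLE_EXT for e in exts):  # catches ak47.php.jpg
        return False, "executable extension present"
    if len(exts) > 1:
        return False, "multiple extensions not allowed"
    ext = exts[0]
    if ext not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name for an accepted file: random stem, single extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for fn, data in (("ak47.php", PHP_BYTES), ("ak47.php.jpg", JPEG_BYTES),
                     ("photo.jpg", JPEG_BYTES), ("photo.jpg", PHP_BYTES)):
        print(fn, check_upload(fn, data))
```

Storing accepted files under a server-generated name (stored_name) in a directory where script execution is disabled removes the remaining value of a crafted file name even if one check is bypassed.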

I made several other tries, but failed at each one.
What to do?
I spent at least two hours figuring out the next step, but after a little chill time and googling, I found a WP plugin: the WP-Backdoor plugin

This seems to be very useful, with several features. First, I uploaded the plugin (wp-sph.zip), installed it, and enabled it.
I tried the c99 webshell feature. It works properly. To reach the shell, I just had to navigate to:
http://192.168.0.64/loadshell-c99-jds89f43qmpewqfiopsejaSDJF
The string after c99 is the default key of the plugin.

Browsing the server, I found some interesting files:

The MD5 file contains an MD5 hash! WOW WONDERFUL! 😀

c3fcd3d76192e4007dfb496cca67e13b
And the plaintext was:

abcdefghijklmnopqrstuvwxyz

Success!

I logged in with the user robot and the password above!
Now I finally had access to the real second FLAG!

I have access to the system, but I have no root permission.
After some time exploring the system, I found an interesting binary with the SUID bit set, called nmap

Yep, that’s Nmap itself! An old version (3.81) of it, to be exact. Interestingly, the executable is owned by root. Since its SUID bit is set, nmap can theoretically execute commands as root if we manage to have it run them for us.
A look at the output of nmap --help shows that nmap has an --interactive option that brings up some kind of REPL.
Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since nmap is in the list of binaries executed with root privileges, it is possible to use the interactive console to run a shell with the same privileges.
By launching nmap’s interactive mode, we are root and can obtain the final flag!
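The root cause of the final step is an administrative one: a binary that can spawn a shell was left SUID root. The audit below is an added example (not from the box or its author) of the check a hardening script or CIS-style benchmark runs: walk a tree, report regular files with the SUID bit owned by root, and flag the ones known to offer command execution, with “chmod u-s” as the fix. The SHELL_CAPABLE list is a starting set to extend, and build_demo_tree creates constructed sample files owned by the current user so the example runs without root (owner_uid is set to 0 on a real host).

```python
import os
import stat
import tempfile

# Binaries that by design can run arbitrary commands; SUID root on any of them
# is a privilege escalation (nmap --interactive is the case in this box).
SHELL_CAPABLE = {"nmap", "bash", "sh", "dash", "zsh", "vim", "vi", "nano", "less",
                 "more", "find", "python", "python2", "python3", "perl", "awk"}

CURRENT_UID = os.getuid()


def find_suid(root, owner_uid=0):
    """Walk root and return [(path, name, flagged)] for regular files that carry
    the SUID bit and belong to owner_uid (0 = root on a real system)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks during an audit
            except OSError:
                continue  # unreadable or vanished entries are skipped, not fatal
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append((path, fn, fn in SHELL_CAPABLE))
    return hits


def remediation(hit):
    """Suggested action for one finding."""
    path, _name, flagged = hit
    return f"chmod u-s {path}" if flagged else f"review whether {path} needs SUID"


def build_demo_tree():
    """Constructed sample tree: a SUID 'nmap', a SUID 'ping', and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    # On a real host: find_suid("/usr", owner_uid=0)
    for hit in find_suid(build_demo_tree(), owner_uid=CURRENT_UID):
        print(("DANGEROUS: " if hit[2] else "") + remediation(hit))
```

Running this periodically (or as a file-integrity rule) catches the case where a package upgrade or a well-meaning admin re-adds the bit; an unexpected SUID root nmap should show up as a finding long before someone logs in as robot.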

Thanks for reading, I hope you enjoyed this writeup. I tried to make it not too boring, rather something like a “story”.

Respect to Leon Johnson, the author of this box.