Mr. Robot Vulnhub writeup

sif0
Oct 4, 2018

So I decided to start writing and documenting my progress. I am practicing my penetration testing skills and one effective way (at least for me) is playing with boxes at Vulnhub.

I am just a noob in pentesting but I think one of the best and most fun ways to improve is by sharing what I learn. I have networking as my IT background and I am trying my best to catch up with everybody.

I will be playing with the box mrRobot using Kali Linux, a very popular pentesting distro. There are many distros out there but since I’m a newbie, I’ve only played with Kali. I will be writing this as how I understand things, so for those experts and gurus out there, I apologize in advance!

I will not be discussing here how you can set up your environment. There are a lot of good guides out there, learn to Google and read, read, and read as much as you can. You’ll learn a lot by making mistakes but you can always ask me and I’ll help you in every way I can.

This is my first time to write a blog so please bear with me! 😀

Scanning

I first identify the IP of our target, there are many ways to do this, via Layer 2 or Layer 3. After identifying the IP of the box, I quickly run a port scan using nmap.

nmap [IPAddress] -sV -sC -oA nmap

  • -sV scans for version
  • -sC runs default scripts
  • -oA output in all formats with name nmap

Port Scan

The scan returns port 22, 80 and 443 but port 22 is closed. I tried accessing HTTP and found this site.

If you are a fan of Mr. Robot this would seem cool to you. A virtual shell is even provided and you can interact with it. This page contains materials and scenes from the series itself. I ended up exploring its CLI to find any clues but I wasn’t able to find one.

zap

I tried running ZAP on the box and was able to identify directories. A robots.txt was accessible. If you are intuitive you can try robots.txt without even running a directory scanner. You can use dirb or any directory lister for this. I used spidering from ZAP.

OWASP ZAP
directories
robots.txt
flag1

We now have flag1 and a dictionary file which we can use later. By this time, I have a hint that we need to brute force somewhere.

WordPress

Inspecting the results from ZAP, I can see a directory of wp-admin. The presence of wp means that this box runs WordPress. I tried accessing common directories and found /wp-admin.

I tried using common credentials. Nothing worked. I then tried using character names from the series and the user elliot worked. What’s good and not good about WordPress is that it tells you whether your username is correct, hence we only need to brute force the password.

I quickly run a word count on the fsocity.dic and notice that 858160 lines are present. I tried reducing the lines using the command:

cat fsocity.dic | sort -u > fsocity2.dic

word count
reduction of word count

Brute-forcing

After reducing the number of entries, I run WPScan, using the accepted username elliot and using the fsocity2.dic as the wordlist.

wpscan command

We then find a hit for the user elliot. We use this to log in to WordPress as user elliot. Logging in to the WordPress account allows us to edit the page.

credentials
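
From the defending side, the password guessing described above is easy to spot in the web server's access log. The following is an added example, not code from this writeup: it assumes Apache/nginx "combined" log format and stock WordPress behaviour (a failed login re-renders the form with status 200, a successful one redirects with 302). The function name, threshold, window and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, timestamp, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def detect_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one finding per client that sent >= threshold failed
    wp-login.php POSTs inside `window`. Assumes stock WordPress, where a
    failed login re-renders the form (200) and a success redirects (302)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    findings = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                f = findings.setdefault(
                    ip, {"ip": ip, "max_failures": 0, "success_after": False})
                f["max_failures"] = max(f["max_failures"], len(recent))
        elif m["status"] == "302" and ip in findings:
            # A redirect after a burst of failures: a guess probably worked.
            findings[ip]["success_after"] = True
    return list(findings.values())

def _sample(ip, second, status):
    # Constructed log line, not taken from the box.
    return (f'{ip} - - [04/Oct/2018:10:00:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 1234 "-" "-"')

SAMPLE_LOG = (
    [_sample("192.0.2.10", s, 200) for s in range(8)]   # burst of failures
    + [_sample("192.0.2.10", 9, 302)]                   # then a success
    + [_sample("198.51.100.7", 20, 200),                # one typo, then login
       _sample("198.51.100.7", 30, 302)]
)

if __name__ == "__main__":
    for finding in detect_login_bruteforce(SAMPLE_LOG):
        print(finding)
```

A finding with success_after set is the one to act on first: it means the account's password should be rotated and recent theme or plugin file edits reviewed.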

I tested if I can write on the header.php and it was a success. Because of this, we can try running a reverse shell on the system.

header.php

I then inject a python reverse shell command from pentest monkey and run my listener. You can copy from any reverse shell command there. Learn how to do these things.

After setting up my listener, I head to /header.php and I get a shell. Run your listener first before loading the reverse shell command!

python reverse shell
listener

To get a proper shell, a handy command we can use is

python -c 'import pty;pty.spawn("/bin/bash")'

This allows us to have a better shell.

Privilege Escalation

After looking for the flag2, we cannot read it because only root has read permissions.

flag2

After doing some reading on ways to escalate privileges, one option worked for me. I tried searching for things that I can run by checking their SUID. This allows us to run with elevated privileges to perform specific tasks. We use the find tool here. Read the man page of find to understand the command.

2> redirects stderr to /dev/null, which basically discards everything thrown to it. Like a blackhole. It’s a good redirect when finding things when prompted with a lot of errors.

2>/dev/null

We run nmap and check its version.

nmap version

After doing some research on its version, I can run the interactive mode and I can spawn a shell from there.

I am now root.

I look for the flags and read them ☺

flag2

So this is how I rooted the box mrRobot. Thank you for reading and I’m sorry for any error in my explanations! See you in my next writeup! Thanks again!
