By: Daniel Bennett, Security Analyst at Cerberus Sentinel
Mr. Robot, a 2015 dramatic television series, is old news now, but to an aspiring hacker – or bored fan of reruns – it still holds relevance. When you want to learn to hack ethically, you need some dummy machines you can use for target practice.
Mr. Robot VulnHub Machine
We offensive security folks often practice our skills by hacking on machines that are intentionally created with vulnerabilities. There is a slew of different web properties out there that house these vulnerable machines. One of the websites is called VulnHub (https://www.vulnhub.com). VulnHub has many user-created vulnerable images that anyone can download and throw them into their hypervisor of choice (e.g., VMware, VirtualBox, etc.) and hack away without fear of being arrested. In this Walkthrough, I will go over my process to grab all three flags in the Mr.Robot VulnHub machine.
The first thing we do when we start up the machine is find out what IP address it was assigned. We can do that with nmap or arpscan.
With the scan we can see that the Mr. Robot machine got assigned the IP address 192.168.40.140. Now we can do a full port scan with nmap to see what ports are open.
Let’s tickle those ports to see what services are running.
It looks like the machine is offering only webserver services. From the service scan, we can see that the SSL certificate is associated with example.com, so let’s go ahead and add that hostname to our host’s file. When we see webservers, we scan with webserver vulnerability scanning tools such as nikto or nuclei as shown here:
BAM! There is something interesting. We found a Critical rated vulnerability in a WordPress plugin. Let’s read up about what exactly CVE-2020-35489 entails and whether there is a PoC (proof of concept) available that we can use to exploit this vulnerability.
It seems like a good vulnerability; we just need to find an HTTP form being used on the website, so let’s browse the site and find that contact form to exploit this vulnerability.
Boo! No HTTP forms were identified while browsing the website when using the Contact Forms plugin. How about we go ahead and mark another thing off the website enumeration list: check the robots.txt file. Woohoo! We just found the first key and a dic file that looks like a wordlist of some sort.
From the nuclei scan we ran earlier, we discovered a WordPress installation; however, the website we have been enumerating is a plain static site and not WordPress. Let’s run WPScan, a vulnerability scanner for WordPress installations and see whether it finds anything promising to our goal.
WPScan identified two users: mich05654 and elliot. I wonder if we can brute force the WordPress login using the wordlist that we found earlier.
BINGO! We now have access to both accounts. Let’s check out mich05654’s account.
Nothing of significance here. It appears to be a normal user account. Let’s try elliot’s account.
We’re in! elliot is the admin for the WordPress installation. When we have admin access to WordPress, one of the main things we do is install and activate a reverse shell plugin. I used the simple reverse shell plugin found on the seven layers website (https://sevenlayers.com/index.php/179-wordpress-plugin-reverse-shell).
With the reverse shell connected back to our machine, it’s time to enumerate the file system.
Checking in the /home/ directory, we find the robot user’s directory. There is the second key, but our user daemon doesn’t have permission to read it. There is another file named password.raw-md5, so let’s check it out.
Looks like we have the md5 hash of robot’s password. Running the hash through my preferred online hash cracker, hashes.com, it comes back with the password of abcdefghijklmnopqrstuvwxyz.
Using the cracked credentials, we can “su” as the robot user and read the second key.
Now, let’s get that final key.
Running linpeas to easily enumerate the system, I notice orange highlighted text scroll by showing that nmap has the suid bit set. This could be the ticket to root! Nmap versions 2.02 to 5.21 included an interactive mode that we may be able to use to escalate our privileges.
Checking the version of nmap we see that it is 3.81, so we should be good to go.
Accessing the shell through nmap’s interactive mode we can see we are now in as root!
Now it’s just a simple task of cat’ing the final key and we have completed the Mr.Robot VulnHub machine.
VulnHub for Beginners
If you want to dip your toes into the offensive security world I’d highly suggest checking out VulnHub, TryHackMe, and HackTheBox. If you get stuck, there are plenty of walkthroughs on most of the VulnHub machines, so it’s a great place to start for a beginner.
Cerberus Ethical Hackers
Cerberus Sentinel maintains a deep bench of ethical hackers who support our clients far beyond just a yearly penetration test. Our experts provide reports that are both boardroom ready, to help you demonstrate ROI and justify budget line items, and can help you solve for bigger issues in your program that will help you improve your security posture.
If you have been honing your skills and are interested in joining the Cerberus Sentinel team, check out our current job postings and let us know what interests you. Even if you don’t see the role you want yet, check back often, as we are growing rapidly!