The classic Mr. Robot challenge where we have to find 3 hidden keys on the machine.
Preparation: add the IP of the machine to /etc/hosts so the domain name robot.thm can be used.
Nmap
Initial scan shows that ports 22, 80, and 443 are open, so I guess we’re dealing with a web server hack
A version scan on the HTTP ports just shows that we’re dealing with an Apache server:
Port 80 Web Enumeration:
A simple curl request returns a comment ‘YOU ARE NOT ALONE’
Main page has a mock command line with a few listed prompts to try:
prepare -> Intro video
fsociety -> “Are you ready to join fsociety?”
inform -> Mr. Robot’s comments on corruption and immorality
- news: “Counterfeit heroes”
- card usage: “infection”
- star: “frauds”
- Comments on American patriot, executive, capitalist, and businessman
wakeup -> Video of people arguing?
join -> Enter your email address and “I’ll be in touch”
Directory Busting with Gobuster
The Gobuster scan returned quite a few interesting directories, and we can now assume that this is a WordPress site using MySQL and PHP.
/robots
Returns two files that are held on the server, the latter being the first key:
feed
Contains a file that has some configuration info
wp-login
This looks like the default WordPress login screen.
license
Displays the message “Since when did you become a script kiddy?” Haha. Well, that’s not going to throw me off... and look, we have base64 data:
Decoding the Base64 data, it looks like we have some credentials:
Exploitation
And we successfully log into /wp-login with those credentials... it also looks like Elliot is the admin.
Main page reveals WP version 4.3.1 and Theme TwentyFifteen
- After some research, I discovered that this WP version is vulnerable to an XSS attack because it fails to properly sanitize user-supplied input.
CVE-2016-1564: “XSS vulnerabilities in wp-includes/class-wp-theme.php…inject arbitrary web script or HTML via a stylesheet name or template name to wp-admin/customize.php”
So, we can likely inject a reverse shell PHP file into one of the templates or stylesheets on the admin page. I chose to do it in the 404.php page:
Started a Netcat listener on my machine and then accessed where the 404.php would be shown.
The page was empty, but it sparked a connection from the target to my listener, and now we have a shell on their server:
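The shell above exists because an admin account can rewrite theme files from the browser. As an added defensive check (this is example code written for this writeup, not part of the original post or of WordPress itself), the function below audits a WordPress root for the two conditions that made that step possible: the built-in file editor not being disabled with `DISALLOW_FILE_EDIT`, and theme PHP files that are group- or world-writable. The demo directory layout and its contents are constructed here; `wp_edit_audit` and its arguments are names chosen for this example.

```shell
#!/usr/bin/env bash
# Defensive audit for a WordPress install (example code, not WordPress's own).
# wp_edit_audit <wordpress_root>
#   prints findings; returns 0 when clean, 1 when a finding exists,
#   2 when no wp-config.php is found under the given root.
wp_edit_audit() {
    root="$1"
    status=0
    conf="$root/wp-config.php"
    if [ ! -f "$conf" ]; then
        echo "no wp-config.php under $root"
        return 2
    fi
    # The in-browser theme/plugin editor (the one used to edit 404.php) is only
    # switched off when wp-config.php defines DISALLOW_FILE_EDIT as true.
    if grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$conf"; then
        echo "OK: DISALLOW_FILE_EDIT is set"
    else
        echo "FINDING: DISALLOW_FILE_EDIT not set; theme editor is available to any admin"
        status=1
    fi
    # Theme PHP files should never be writable by group or others
    # (-perm -020 = group write bit, -perm -002 = other write bit).
    themes="$root/wp-content/themes"
    if [ -d "$themes" ]; then
        writable=$(find "$themes" -type f -name '*.php' \( -perm -020 -o -perm -002 \) 2>/dev/null)
        if [ -n "$writable" ]; then
            echo "FINDING: group/world-writable theme files:"
            echo "$writable"
            status=1
        fi
    fi
    return $status
}

# Constructed demo: a throwaway WordPress layout with both weaknesses present.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/themes/twentyfifteen"
printf '<?php\n$table_prefix = "wp_";\n' > "$demo_root/wp-config.php"
printf '<?php get_header();\n' > "$demo_root/wp-content/themes/twentyfifteen/404.php"
chmod o+w "$demo_root/wp-content/themes/twentyfifteen/404.php"
wp_edit_audit "$demo_root" || echo "audit exit status: $?"
```

The constant check is a regular expression over wp-config.php, so it will miss a define placed in an included file; run it against whichever file actually carries the site's constants. File-permission findings are the second half of the story: even with the editor disabled, a theme directory writable by the web server user leaves the same door open to anything else running as that user.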
Lateral Movement
The /etc/passwd file returned three non-root users on the machine: mysql, varnish, and robot.
Did a search for the key file on the machine and got a permission denied
But a quick look into his home directory and we find that his credentials are listed in a not-so-secure file, with the password being an MD5 hash:
A simple Hashcat crack returns none other than the alphabet as his password:
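The reason the Hashcat run is “simple” is that the file stores a bare, unsalted MD5 digest. As an added example (written for this writeup, not taken from the box or the original post), the function below does the check a defender would run over their own credential store before an attacker does: it classifies each `user:hash` line, flags any 32-hex-character unsalted MD5 entries, and tests those against a banned-password list. The sample credentials file and banned list are constructed here; the MD5 shown for the robot user is computed locally from the alphabet string the writeup names, not copied from the machine. `cred_audit` and `md5_of` are names chosen for this example, and `md5sum` is assumed to be the coreutils version.

```shell
#!/usr/bin/env bash
# Credential-store audit (example code, not the original post's or Hashcat's).
# md5_of <string>                  -> hex MD5 of the string (no trailing newline)
# cred_audit <cred_file> <banned>  -> returns 1 if any unsalted-MD5 entry exists
md5_of() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

cred_audit() {
    file="$1"; banned="$2"; status=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        # Recognise the formats a modern store should use; anything that is
        # exactly 32 hex characters is treated as unsalted MD5.
        case "$hash" in
            \$2[aby]\$*|\$argon2*|\$6\$*) kind="salted-slow" ;;
            *) if printf '%s' "$hash" | grep -Eq '^[0-9a-f]{32}$'; then
                   kind="unsalted-md5"
               else
                   kind="unknown"
               fi ;;
        esac
        echo "$user: $kind"
        if [ "$kind" = "unsalted-md5" ]; then
            echo "FINDING: $user is stored as unsalted MD5"
            status=1
            # With no salt, one digest per candidate covers every user at once,
            # which is exactly why a banned-list hit is so cheap to find.
            while IFS= read -r cand; do
                [ -n "$cand" ] || continue
                if [ "$(md5_of "$cand")" = "$hash" ]; then
                    echo "FINDING: $user password is on the banned list"
                fi
            done < "$banned"
        fi
    done < "$file"
    return $status
}

# Constructed demo input: one unsalted-MD5 entry, one sha512-crypt entry.
demo_creds=$(mktemp); demo_banned=$(mktemp)
printf 'robot:%s\nops:$6$saltsalt$constructedhash\n' "$(md5_of abcdefghijklmnopqrstuvwxyz)" > "$demo_creds"
printf 'password\nabcdefghijklmnopqrstuvwxyz\n123456\n' > "$demo_banned"
cred_audit "$demo_creds" "$demo_banned" || echo "audit exit status: $?"
```

The fix the audit points at is not a longer banned list but a different storage format: a per-user salt and a deliberately slow function (bcrypt, scrypt, Argon2 or at least sha512-crypt), which turns the one-digest-per-candidate shortcut above into a separate full computation per user.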
So, now we just have to switch to the robot user and get the next key... but first, we have to spawn an actual terminal, so I did that beforehand:
Privilege Escalation
I’m definitely assuming the final key will be in the root directory or at least accessible only by root, so it looks like we’ll have to ‘root’ the machine
Did some usual checks, such as any cronjobs or commands we can run as sudo, but nothing.
Finally, I looked for binaries that have SUID privileges and an interesting one turned up: Nmap
A quick look on GTFObins and we see that getting an interactive system shell is as simple as this:
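The escalation works only because nmap carries the setuid bit, which no interactive tool should. As an added example for the defender's side (written for this writeup, not from the original post or GTFOBins), the function below enumerates setuid files under a directory and flags any whose name is not on a site allowlist, which is the check that would have caught this binary before a scan did. The demo files, the allowlist contents and the names `suid_audit`, `<root>` and `<allowlist>` are all constructed for this example.

```shell
#!/usr/bin/env bash
# Setuid audit (example code, not the original post's).
# suid_audit <root> <allowlist_file>
#   allowlist_file holds one expected setuid binary name per line.
#   Prints findings; returns 1 if any setuid file is not on the allowlist.
suid_audit() {
    root="$1"; allow="$2"
    # -perm -4000 matches any file with the setuid bit, whatever the owner;
    # -xdev keeps the walk on one filesystem so /proc and network mounts are skipped.
    findings=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        name=$(basename "$path")
        grep -Fxq "$name" "$allow" || echo "FINDING: unexpected setuid file $path"
    done)
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "no unexpected setuid files under $root"
    return 0
}

# Constructed demo: a temp directory standing in for a filesystem root, with a
# fake "nmap" and a fake "passwd" both carrying the setuid bit.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/nmap";   chmod 4755 "$demo/nmap"
printf '#!/bin/sh\n' > "$demo/passwd"; chmod 4755 "$demo/passwd"
printf 'passwd\nsudo\nsu\n' > "$demo/allow.txt"
suid_audit "$demo" "$demo/allow.txt" || echo "audit exit status: $?"
```

Matching on the basename keeps the demo short; a production version should allowlist full paths and verify each file against the package manager's recorded checksums, since a renamed or replaced binary on the allowlist would otherwise pass. Running the check as root with `/` as the root directory, and diffing the output against a stored baseline on a schedule, turns it into the kind of change detection that surfaces a newly setuid nmap the day it appears.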
And with that, we can get our final key:
Mission accomplished!