What is the Mr Robot Hacking Challenge?
Mr Robot Hacking Challenge is a Capture the flag challenge that runs on a Virtual Machine containing a WordPress blog on a running web server. To give it a go, you can download the VM image from this link, load it and run it using specialised softrware such as Oracle's Virtual Box. On successful completion of all challenges you will have gathered 3 keys and have root access on the machine - meaning you own it!
Finding the VM's IP
While there are many other tools that can do this job, and of course you can peek inside Virtual Box itself, there is no particular reason not to use Fuzzer in this particular case. Since my VM is running in Bridged Adapter mode, I know that its address will be on my local network meaning 192.168.0.\*\*\*. Go to Fuzzer and it the address bar write "http://192.168.0." and for the last part use "Counter Transform" from 0 to 255 with step 1. Also, make sure you put Request timeout at 1 second and Concurrency at around 10 in Options for faster results. Fire the Fuzzer and see results coming! In my case, it turned out to be 192.168.0.100 the actual address!
App Spider with Unfold
What I would like to do next is an automated file scan with Unfold to see if there are any interesting files on the site beyond the obvious. Simply run Unfold on the IP of your VM with the default settings and see the results coming! Immediately, you can notice the robots.txt file. Let's further explore that by double-clicking on the filename. It appears that we have found the first key! Hooray! To obtain it, just navigate to `/key-1-of-3.txt`. In addition, you can see there is a word list of some sort we can use later at `/fsocity.dic`.
Bruteforcing the username (1)
Because of the files that Unfold managed to find, you may have rightfully concluded that this is, indeed, a WordPress blog. Also, you should have noticed the /wp-login.php file from the scan - that's where we are heading next! There we have a username and password that we have to crack. What you should first do is put HTTPView in Recording mode and try to log in with some dummy credentials. Then, identify which of the transactions showing in HTTPView is the one you just did and recreate it in Fuzzer by clicking on the Grid icon and then 'Open in Fuzzer'. Before anything else, make a "Fork" of that Fuzzer configuration so that you use it for the password. Next, identify where the username is in the query and for the actual cracking, we are going to use the common Foospidy wordlist `owasp/dirbuster/apache-user-enum-1.0.txt` but with Replace transform to remove the '~' in the beginning of each username.
Bruteforcing the username (2)
Start Fuzzer and see all the responses with equal lengths - this is your base response and everything with different length and/or content - is likely an username. Once everything is finished (or even before that if you are impatient) you can sort all transactions by lenght and inspect the odd ones out. In this case, it will be exactly one and that's our username: elliot. Also, just to confirm that, you can use the Preview tab on your base request and on the odd one - you can see that base writes "ERROR! Invalid username", whereas the other one says "ERROR: The password you entered for the username elliot is incorrect". We are definitely onto something!
Bruteforcing the password
Open the Fuzzer Fork you have created and type elliot as username. Now we should bruteforce for password. Remember that **fsocity.dic** file we have found? That is the wordlist that we are going to use for bruteforcing the password. The only thing is that it has 8.5 million words in it so it will take a while. If you don't have so much time, though, I have prepared for you 1000 words extract from that same dictionary that contain the actual password - the setup is the same regardless. For the pwd field in the request use Dictionary Transform and add either of the files 'Load list from file'. Start the Fuzzer and let it do its job. Once done, again, sort the responses by length and see the odd one out. This time it's a 301 redirect response, which is common practice when successful login occurs. We have found the correct password combination - elliot:ER28-0652 (which, by the way, is Elliot Alderson's employer number in the series). Success!
Shell to the Virtual Machine
Now that you have the credentials, you can log in as WordPress admin and modify the contents of the application so that you have access to the machine. To do so go to Appearence => Editor and modify a PHP file of your liking (that you can easily access). I chose 404.php as you can always type some nonsense URL and it executes. Next, remove everything from it and put: `$output"; ?>`. Now, every time you go to some non-existent page and add a query parameter command, its value will be executed as shell command. So going to `/abc?command=ls` will execute the ls command in the current working directory of the virtual machine. Neat!
Improvised terminal in Rest
Instead of using the shell we have just created straight from the address bar, a smarter way would be to set up this request once in Rest and use it again and again, without worrying about URL encoding and so on. To do so, open Rest, put the full main part of the URL in the address bar and create query parameter command. Its value will be the command that will be executed each time. Mind you, this approach is less than perfect - the 'progress' after each command is not saved meaning if you run `cd ..` and then run another command, the working directory will be the same as before the execution of the `cd ..` command because the child process (the terminal executing the command) every time inherits the parent's process (PHP's running environment) variables and they are all static. In my opinion, though, it is more than enough for the purposes of this exercise.
Have a look around!
Now that you have access to the files on the VM, have a good look around because you might find something interesting. If you are like me impatient, I am going to spoil it for you - the interesting folder is /home/robot. Two interesting files are located there `key-2-of-3.txt` and `password.raw-md5`. Unfortunately, we cannot open the key file straight away because we don't have the needed permissions, but the other one is just as interesting - it contains: `robot:c3fcd3d76192e4007dfb496cca67e13b`. That appears to be some sort of username with what looks like a MD5 hash of the password. A quick Google search with the hash confirms two things: how insecure MD5 is for password hashing and that the password corresponding to this hash is `abcdefghijklmnopqrstuvwxyz` (the alphabet). Let's try to log in with this credentials in the VM... and we are in!
Get the key!
Obtaining the second key now is a piece of cake as we have just the right privileges. `cat /home/robot/key-2-of-3.txt` and we are done! Although this account has higher privileges, it is still no root - there are many restrictions as to what we can and cannot do with this machine so this should be our next goal - gaining root access and completely owning the VM!
The root to success!
Now this is the ingenious bit in the solving of this challenge and if you don't want it spoiled by me, take a pause here! After some trial and error, it appears that nmap has some badly configured permissions and if you run it in interactive mode `nmap --interactive` and then open a shell from there with `!sh`, you are gaining root privileges. You don't believe me? Just type `whoami` and you'll see. From then on, it's child's play. Go to `/root` and get that third and final key. You now completely OWN the machine. Congrats!