Anyone who is inspired to partake in a challenging course such as the OSCP or LPT-M knows that practice makes you a better hacker. Vulnhub is a great resource to grab vulnerable VM images and practice your craft. In this post, I am going to walk through the VM “Mr. Robot 1” which was created by Leon Johnson.
So we have web and SSH... let's start with enumerating the web server.
No typical commands work here, so I choose to run Nikto against the server to see if there are any glaring vulnerabilities.
Alright, so as we are able to see the directory contents, there is a file there, so let's grab it.
So we’ve got a dictionary file for a password attack, but we do not have any usernames as of yet… let us keep looking.
Running nikto reveals WordPress, which is obviously a high-value target any time we find it.
We can jump right into WPScan and see what we can come up with.
Well, we have tons of vulnerabilities and I am not positive any are going to lead anywhere, so I’ll start a brute force on the user “root” while I do some more enumeration.
So through our Nikto results, we saw a few more pages to check out. At /readme:
Based on prior WP knowledge, we know that there should be a login page, so let's check it out at /wp-login:
Now we’ve got a login page and a dictionary file, so let’s try to log in. This time, we will use WPScan again, and we will use the file as a user file and a pass file.
and… we are in
So now, we can do a lot more.
Being that the environment I am in does not lend itself to a reverse shell, and I am unable to upload a php file, I’ve got to get a bit more creative.
There is a project called the WordPress Exploit Framework that I have not had a chance to play around with, so this might be a good opportunity.
It turned out to work well and I was able to find a new user, “robot”, and a password of “abcdefghijklmnopqrstuvwxyz”. Now we will jump into SSH and see if we can figure the rest of this challenge out.
So we know there is one more key out there, since we have found 1 and 2 of three, so now to try regex to find the file.
So without root access, we aren’t going to find it... luckily Doc Sewell just reminded me that nmap runs as root during our LPT-M class, and I saw that nmap is present… so let's try to exploit this.
So, that is all there is to this machine. Using the knowledge that we have from the LPT-M and general hacker’s methodology, we were able to easily exploit the box and find all three keys. If you are interested, check out the VM at https://www.vulnhub.com/entry/mr-robot-1,151/ and give it a shot.