Mr. Robot
WordPress exploitation and password cracking on a Mr. Robot-themed target.
Room: Mr Robot CTF
OS: Linux
Level: Medium
Link:
After booting the machine we start with a basic TCP SYN scan over all ports using portcat. We find two open ports, 80 and 443:
An nmap scan with version detection and a basic vulnerability check gives a more detailed idea of the applications running on these ports.
Apparently we're dealing with an Apache web server on both ports. Visiting the websites, they appear to be the same, the only visible difference being that one is served over TLS (https, default on port 443).
As there are no other open TCP ports, we will start enumerating the web server on port 80.
From the nmap scan we already know that we might find a WordPress site, as the http-csrf script yielded a wp-login.php.
Before starting manual enumeration, we start gobuster to search for any interesting directories or files. While this runs, we can have a first look around the website.
Opening the website we are greeted with a minimal interactive terminal in the style of Mr. Robot (a TV series).
The source code doesn't look very interesting at first glance, and the available commands only lead us to video sequences and pictures that match the Mr. Robot theme. Even though we have some sort of interaction, we can't seem to break out of the pre-scripted behaviour. By the time we have looked around long enough, gobuster has already come up with some interesting things.
Going through the found items, the first result (/0/) already confirms our assumption of a WordPress site.
Sifting through the other items we get either the same view, a redirect back to the Mr. Robot theme, or a 403 Forbidden. The source code never seems to contain any hints, comments or interesting code.
However, robots.txt contains interesting information for us.
There's also a readme file, which does not give us anything useful. From the robots.txt we can deduce that there might be a fsocity.dic and a key-1-of-3.txt. And indeed, we can download fsocity.dic, which looks like a wordlist, and read the contents of the first key for the TryHackMe challenge:
Before moving on, we can use wpscan to extract a few more details about the WordPress site, such as the version and possibly vulnerable themes.
Knowing the version (WordPress 4.3.1) and the installed theme (twentyfifteen, version 1.3) we could come back and search for WordPress CVEs in case we don't find another way in. Since we already have a wordlist and an accessible WordPress login page though, we will concentrate on that first.
Having no other open ports and nothing more of interest on the website, we can try to gain access via the WordPress login. We start by enumerating valid usernames: the login page returns a different error for an invalid username than for a valid username with a wrong password, so every guess tells us whether the account exists.
After trying many different possibilities such as user (as shown on the WordPress site), admin (default credentials) and mrrobot (names from the video), we finally get a hit on Elliot, the name of the main protagonist of the Mr. Robot series, which can also be found in the wordlist we found earlier.
Valid WordPress username: Elliot
Next, we need to find the password. Since the username appeared in the provided wordlist, the password might be in there too.
To keep the wordlist as small as possible, we should always check for duplicate lines first:
This way we can reduce the wordlist from 7 MB to 95 KB! Now on to the brute-force part.
Although brute-forcing tools for WordPress logins already exist (even as Metasploit modules), I took it as a challenge to write my own (faster than the usual) brute-forcer. Any other tool should work too, though.
Valid wordpress credentials: Elliot:ER28-0652
Through the WordPress theme editor (see the note on the admin panel below) we drop a reverse shell and now have a low-privileged shell on the target machine as the service account daemon.
As daemon we are very limited in our rights. Hence, we start looking for other users on the system to pivot to. Enumerating the target manually by checking /etc/passwd and some default directories, we find the user robot with a home directory that is readable by everyone.
Inside it we find what looks like the MD5 hash of robot's password. Let's crack it with john:
Valid user credentials: robot:abcdefghijklmnopqrstuvwxyz
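The two offline steps above, deduplicating the wordlist and cracking the raw MD5 hash against it, as one added example (this is not the writeup's own tooling and not john). The wordlist below is a constructed stand-in for a slice of fsocity.dic with the same kind of repeated lines; the hash line is constructed in the user:hash form john's raw-md5 format reads, and its digest is the MD5 of the password recovered above:

```python
"""Deduplicate a wordlist and crack a raw (unsalted) MD5 hash against it.

Added example, not code from the original writeup. Everything below is
constructed sample data; a real run would read the downloaded fsocity.dic
and the hash file found in robot's home directory.
"""
import hashlib

# Constructed stand-in for a slice of fsocity.dic: note the duplicate lines,
# which is why the real file shrank from 7 MB to 95 KB when deduplicated.
SAMPLE_WORDLIST = """true
false
wikia
from
the
now
Elliot
abcdefghijklmnopqrstuvwxyz
true
false
the
""".splitlines()

# Constructed: one "user:md5hex" line, the layout john's --format=raw-md5 accepts.
SAMPLE_HASH_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"


def dedupe(words):
    """Drop repeated candidates while keeping first-seen order, so the
    brute-force still walks the list in its original (likelihood) order."""
    seen = set()
    unique = []
    for word in words:
        word = word.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            unique.append(word)
    return unique


def parse_hash_line(line):
    """Split a john-style 'user:hash' line; a bare hash yields user None."""
    user, sep, digest = line.strip().rpartition(":")
    return (user if sep else None), digest.lower()


def crack_raw_md5(digest_hex, candidates):
    """Return the candidate whose MD5 equals digest_hex, or None.
    Comparing raw bytes avoids case mismatches in the hex spelling."""
    target = bytes.fromhex(digest_hex)
    for word in candidates:
        if hashlib.md5(word.encode()).digest() == target:
            return word
    return None


def crack_hash_line(line, wordlist):
    """Crack one hash line with a deduplicated wordlist: (user, password)."""
    user, digest = parse_hash_line(line)
    return user, crack_raw_md5(digest, dedupe(wordlist))


if __name__ == "__main__":
    unique = dedupe(SAMPLE_WORDLIST)
    print(f"{len(SAMPLE_WORDLIST)} lines -> {len(unique)} unique")
    print(crack_hash_line(SAMPLE_HASH_LINE, SAMPLE_WORDLIST))
```

Because the hash is unsalted MD5, every candidate costs one hash computation, which is why a leaked hash of a dictionary word is as good as the plaintext; the same loop against a salted, iterated format (sha512crypt, bcrypt) would be orders of magnitude slower per guess.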
Upgrading our shell to a proper terminal (su needs a tty, so the usual python -c 'import pty; pty.spawn("/bin/bash")' trick is required first) and switching to the user robot, we can read the second flag and continue to escalate our privileges.
After checking some low-hanging fruit (writable /etc/shadow, unusual cron jobs, ...) we come across an interesting SUID binary:
We are finally able to gain root privileges on the target and can read the last flag.
During this box we found multiple weak points that could easily be fixed:
- Sensitive information disclosed in robots.txt
- Weak user passwords (abcdefghijklmnopqrstuvwxyz is not safe)
- Default WordPress configuration allows easy user enumeration and brute-force attacks (add fail2ban and disable xmlrpc.php, or at least its system.multicall method, if possible)
- Too broad access rights on user files (don't make home directories readable by everybody)
- Credentials saved on disk (weak, unsalted MD5 hashes should not be left in the open)
- Unsafe binary permissions (don't set the SUID bit on a program like nmap that lets every user spawn a shell as root)
While brute-forcing the basic login page is possible (no fail2ban active), it's also slow and very intrusive. But there's a second way we can check credentials: xmlrpc.php, which we saw being active during the nmap scan.
Basically, this endpoint's system.multicall method lets us try hundreds of credentials in a single request, and no fail2ban-style mechanism limits it. For more details on how to exploit xmlrpc.php you can read the linked article.
Based on that article I developed a multithreaded brute-forcer in Python that can be found on my GitHub.
Using this script, we can finally brute-force the login and retrieve Elliot's password. (The target IP changed due to a restart in the meantime.)
Having access to the admin panel, we can look around for other users, deleted articles and the like, but don't find anything particularly interesting. However, with access to the theme editor we can easily edit a theme's PHP file into a web or reverse shell, as is explained in detail in the linked article.
Apparently, nmap is allowed to run with root privileges (the SUID bit is set), which definitely isn't the default. Searching for nmap on the linked site gives us multiple examples for privilege escalation; the classic one for old nmap releases (2.02 through 5.21) is the interactive mode, nmap --interactive followed by !sh, which drops straight into a root shell.