Vulnhub : Mr Robot Walkthrough

Suhel Kathi
7 min readFeb 11, 2022

--

About Vulnhub

VulnHub offers offline virtual machines, allowing users to practice without competing with other learners. There’s no need to worry about consistent internet access, high pings, or latency. Users can set up their own private labs to practice and learn new skills.

EXECUTIVE SUMMARY

This Vulnerability Assessment & Penetration Testing(VAPT) was performed during my winter holiday The detailed report and our findings are described below.

OBJECTIVE

Network security is not only concerned about the security of the computers at each end of the communication chain; however, it aims to ensure that the entire network is secure.

Network security entails protecting the usability, reliability, integrity, and safety of network and data. Effective network security defeats a variety of threats from entering or spreading on a network.

The primary goal of network security are Confidentiality, Integrity, and Availability. These three pillar of Network Security are often represented as CIA triangle.

My Lab Setup

I am running a Windows OS with VMWare installed. For this specific exercise, I have 2 virtual machines. The first is a Kali linux VM. The second is the virtual machine for Mr-Robot 1. Both VM are on NAT mode.

About Mr Robot: 1

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Goal is to find all three. Each key is progressively difficult to find.

link : https://www.vulnhub.com/entry/mr-robot-1,151/

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.

Reconnaissance

sudo arp-scan –l : To find out the mr-robot IP Address

Arp-scan is a low-level network discovery tool used to associate physical (MAC) addresses to logical (IP) addresses. It’s used to identify network assets which may not normally be captured by network scanning devices.

nmap –script http-enum.nse

It Enumerates directories used by popular web applications and servers.

Here I found /robots.txt file. So I browsed in that particular path

Finally I found the Key-1-of-3.txt in /robots.txt.

Key 1 = 073403c8a58a1f80d943455fb30724b9.

Searching Second Key

In /robots.txt I had found one more thing fsocity.dic

I tried to install that dictionary file by wget http://192.168.57.131/fsocity.dic

Wget is the non-interactive network downloader which is used to download files from the server even when the user has not logged on to the system and it can work in the background without hindering the current process. GNU wget is a free utility for non-interactive download of files from the Web.

After successful install I tried to to count the line in a particular dictionary by using wc –l fsocity.dic.

wc command is used to know the number of lines, word count, byte and characters count etc.

858160 Lines in a particular dictionary.

So tried to sort out by using sort fsocity.dic >fsocitysorted.dic

After sorting I check the file there are so many repeated words so sorted that also by using sort fsocity.dic | uniq > fsocitysortuniq.dic.

Now in the above nmap –script scan we had seen so many directories in those I found /wp-login.php.

Try to visit in that particular path in browser and found this

Now we have to find username & password of a particular page so I view these particular ./fsocitysortuniq.dic file. And I tried multiple random movie character names as a Username. Finally I found elliot as a username .

Now Finding the password of user Elliot

For password I had used wpscan

WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes.

And findout the password : ER28–0652

Now entered the username & password in browser and get successfully logged in

After Successful logged in trying to get shell. For shell I am using msfconsole

MSFconsole provides a command line interface to access and work with the Metasploit Framework. The MSFconsole is the most commonly used interface to work with the Metasploit Framework. The console lets you do things like scan targets, exploit vulnerabilities, and collect data.

In msfconsole searching for wordpress shell and found the payload to execute on target

Now using that payload and setting usename: elliot & password: ER28–0652,Rhost: 192.168.57.131 & and set Wpcheck as a false

Then in meterpreter I just type shell to spawn a shell(The shell is the Linux command line interpreter. It provides an interface between the user and the kernel and executes programs called commands) on the box and then check what directory we are in and which user we are. Then I changed directory by using cd / (cd command in linux known as change directory command. It is used to change current working directory) and used ls for list everything that is there.

I changed directory to the home folder, this seems to have just one folder in it called robot, so I changed into the robot folder and it looks like we have found our next key (Key 2) and an md5 file.

So I try to open key-2-of-3.txt by using cat(The cat command is a utility command in Linux. One of its most commonly known usages is to print the content of a file onto the standard output stream) but I got permission denied so open the next passwordmd5 file and get robot user password after cracking it with crackstation.

I need to switch the user to robot so I can get the key 2 so I try su robot but get a message telling me that su must be run from terminal.So for shell I tried python -c ‘import pty; pty.spawn(“/bin/bash”)’.

Now get the proper shell

Successfully logged in as a robot

Finally got the key 2

822c73956184f694993bede3eb39f959

SEARCHING KEY 3

For key 3 we need root access so I found out Nmap is set to run as root I used the ‘find’ command with query parameters for file permission set as 4000. This generated a list of possible files. One of them is the executable nmap.

Earlier versions of nmap had an interactive mode, which allowed execution of shell command within the interactive mode. Fortunately, the version on this box allowed it. I entered the interactive mode, and open a new shell. On checking the user identity, I find that I am now functioning as root.

To retrieve the 3rd key, I searched for a file which has name beginning with ‘key-3-’. The 3rd key file is located in the root directory.So I changed the directory to the root and found the key 3

This is the end. Thank you for reading this write-up.

--

--