This is the walk-through for the vulnerable machine ROBOT VM. There are 3 flags on this machine; our task is to get access to the machine and read those flags.
Below I explain the methodology used for the penetration test: getting access to the machine as a normal user, then escalating privileges to become the root user.
Methodology
Below is the step-by-step methodology used for the penetration test, with an explanation of each step:
1. Enumeration and Information Gathering
First I ran a port scan of the vulnerable machine with Nmap and found the following ports open.
Command: nmap -sV -p- 192.168.56.109 -T5
Then I browsed to the IP address and found an application running on port 80.
After that, I ran a Nikto scan against the host to discover other files and directories present on the server.
I found a robots.txt file on the server that lists some files, one of which is our first flag, “key-1-of-3.txt”.
Another file listed there is a dictionary named “fsocity.dic”, which contains a wordlist. I downloaded both files to my local system using “wget”.
After downloading the files to my local system, I read the first flag.
Going back to the Nikto scan results, I found that a WordPress CMS was running on the server, so I browsed to its admin URL and found the WordPress login page.
2. Brute Force for the Username and Password:
Going further, I brute-forced the WordPress login with the dictionary file to find valid user names.
I intercepted the login request in Burp Suite and, using the Intruder module, started the brute force to enumerate a valid user.
Whether or not the user name is valid, the response is 200 OK, so we need to compare the content length of each response instead.
Bingo, we got a user name, “Elliot”: its response shows “The password you entered for the username … is incorrect”, which means the user is valid but the password is wrong.
Next, I ran the same brute force for the password of user “Elliot”, using the same dictionary file.
One request returned response code ‘302’, which told me the request was being redirected somewhere, and its content length also differed. Going through the response body, I found that it redirects to /wp-admin/, which is the dashboard page.
This means we got the correct password for user name “Elliot”.
Password: “ER28-0652”
(The password is not at line 501 of the dictionary file; for the demo only, I copied the password to that line position. In reality it takes a little time to find the password in the dictionary file.)
Now I tried to log in with “Elliot/ER28-0652” and successfully logged in to the site.
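As an added example (not part of the original walkthrough), here is the same 200-versus-302 signal viewed from the server side. The script parses constructed access-log lines in combined log format, flags any client that sends many POSTs to wp-login.php inside a short window, and notes whether a 302 (a successful login) followed the burst. The log lines, the 5-request threshold and the 60-second window are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in combined log format. They are NOT captured
# from the VM; they model the pattern described above: many POSTs to
# wp-login.php that all return 200, then a single 302 once a credential works.
SAMPLE_LOG = """\
192.168.56.106 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.168.56.106 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.168.56.106 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.168.56.106 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.168.56.106 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.168.56.106 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, timestamp, "METHOD path protocol", status, size (combined log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client that sent
    at least `threshold` POSTs to wp-login.php within any `window`-long period.
    `succeeded` is set when a 302 (WordPress' redirect on a correct login) follows
    the burst, i.e. the guessing most likely worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()          # timestamps inside the sliding window
        flagged = succeeded = False
        for ts, status in evs:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged = True
            if flagged and status == 302:
                succeeded = True
        if flagged:
            alerts[ip] = {"attempts": len(evs), "succeeded": succeeded}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, success after burst: {info['succeeded']}")
```

WordPress answers a failed login with 200 and a successful one with a 302 to /wp-admin/, so the attacker-side signal described above is also the defender's: a fail2ban filter or a login-lockout rule keyed on repeated POSTs to wp-login.php from one address stops this enumeration long before line 501 of a wordlist is reached.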
3. Exploitation
Now I tried to get shell access to the server.
In the WordPress CMS, under the ‘appearance’ section there is an ‘edit’ option, which lets us edit some of the theme pages with our own code/script.
In the screenshot below I chose the “404.php” page because it is listed first; you can try any other page.
I copied the PHP reverse shell code into the page and updated the IP address and listening port to 192.168.56.106 (Kali IP) and 4444.
PHP Reverse Shell link used: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Note: I used this reverse shell; you can use any other, or create your own with ‘msfvenom’.
After updating the page, I browsed to it and ran my listener on port 4444 using Netcat.
In the screenshot above you can see that I got a reverse shell on the machine as user “daemon”.
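The editing feature used above is the WordPress theme editor, and the usual hardening is to switch it off in wp-config.php. The following added example (not from the original article or from WordPress itself) audits a wp-config.php for the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants; the two config excerpts are constructed, and the comment stripping is a simplification that does not understand comment markers inside PHP string literals.

```python
import re

# Constructed wp-config.php excerpts for the demo; not taken from the VM.
WP_CONFIG_WEAK = """<?php
define('DB_NAME', 'wordpress');
// define('DISALLOW_FILE_EDIT', true);   // commented out, so it has no effect
/* That's all, stop editing! Happy blogging. */
"""

WP_CONFIG_HARDENED = """<?php
define('DB_NAME', 'wordpress');
define( 'DISALLOW_FILE_EDIT', true );   // removes Appearance > Editor and Plugins > Editor
define("DISALLOW_FILE_MODS", true);     // also blocks plugin/theme installs from the dashboard
"""

# /* ... */ block comments, then // and # line comments
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# define('NAME', true|false) with any spacing and either quote style
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)


def strip_php_comments(text):
    # Good enough for a config file; a '//' inside a string literal would be
    # treated as a comment too, which only affects that one line.
    return COMMENT_RE.sub("", text)


def wp_bool_constants(config_text):
    """Return {CONSTANT_NAME: bool} for every boolean define() in a wp-config.php."""
    return {
        m.group("name").upper(): m.group("value").lower() == "true"
        for m in DEFINE_RE.finditer(strip_php_comments(config_text))
    }


def file_edit_findings(config_text):
    """List the hardening gaps that leave the dashboard code editor usable."""
    consts = wp_bool_constants(config_text)
    findings = []
    if not consts.get("DISALLOW_FILE_EDIT", False):
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin editor can write PHP to disk")
    if not consts.get("DISALLOW_FILE_MODS", False):
        findings.append("DISALLOW_FILE_MODS is not true: plugins and themes can be uploaded from the dashboard")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WP_CONFIG_WEAK), ("hardened", WP_CONFIG_HARDENED)):
        print(label, "->", file_edit_findings(cfg) or "no findings")
```

With DISALLOW_FILE_EDIT set, the Appearance > Editor page disappears from the dashboard, so a guessed admin password no longer turns directly into PHP execution on the server; restrictive ownership and permissions on wp-content for the account the web server runs as are the second layer.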
After getting in, I tried to spawn an interactive shell, but the command “/bin/bash -i” did not give me a proper terminal.
In this shell we cannot switch to any other user, as it does not act as a terminal.
After that I went to the /home directory and found a robot directory. In that directory is our second flag of the machine, key-2-of-3.txt.
When I tried to read that file I got ‘Permission Denied’, as the daemon user is not authorized to read it.
There was one more file present, “password.raw-md5”; when I opened it I found another user’s details, ‘username: robot’, with the password stored as a hash.
It is an MD5 hash (not encryption, so there is nothing to decrypt); by cracking the hash I found the password for the ‘robot’ user.
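As an added example (mine, not from the article), the block below shows why a raw MD5 file like password.raw-md5 is so weak and what the storage should have looked like: an unsalted single-round digest is matched by hashing each candidate word once, whereas a salted, iterated PBKDF2 record makes every guess expensive and rules out precomputed tables. The wordlist and the password are constructed for the demo; they are not the VM's fsocity.dic or the robot user's real password.

```python
import hashlib
import hmac
import os

# Constructed wordlist and password for the demo only.
WORDLIST = ["password", "letmein", "mrrobot", "fsociety", "s3cr3t!"]


def raw_md5_hex(password):
    """The kind of value password.raw-md5 held: an unsalted, single-round MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


STORED_RAW_MD5 = raw_md5_hex("fsociety")   # what the weak file would contain


def lookup_raw_md5(digest_hex, wordlist):
    """Why unsalted MD5 gives up passwords: the digest depends on nothing but the
    password, so one hash per candidate word is enough to find a match."""
    for word in wordlist:
        if hmac.compare_digest(raw_md5_hex(word), digest_hex):
            return word
    return None


def hash_password(password, iterations=600_000):
    """Salted, slow hashing with PBKDF2-HMAC-SHA256. The record carries its own
    parameters ('pbkdf2_sha256$iterations$salt$dk') so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("raw md5 recovered:", lookup_raw_md5(STORED_RAW_MD5, WORDLIST))
    record = hash_password("fsociety")
    print("pbkdf2 record:", record)
    print("verify correct:", verify_password("fsociety", record),
          "verify wrong:", verify_password("mrrobot", record))
```

The other lesson from this step is file permissions: the hash file was readable by the daemon account the web server runs as, so it should never have been sitting in a home directory in the first place, whatever the hash algorithm.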
Then I tried to switch to the robot user, but was unable to, as my shell still had no terminal after spawning.
So I ran one more Python spawning command and got an interactive shell with a terminal.
Command: python -c 'import pty; pty.spawn("/bin/bash")'
Here I switched to the robot user and read the second flag of the server.
4. Privilege Escalation
Now I need to get the third flag of the server and my work is done. For that, I need to escalate privileges to the root user.
To escalate privileges I tried many methods, but here I describe the easy and simple one.
I escalated privileges using an application that had the SUID bit set.
First, we need to run the command to list all applications that are set with the SUID bit and run with root user access.
Command: find / -perm -u=s -type f 2>/dev/null
Here we got the list of applications with the SUID bit set.
Nmap can be run in interactive mode, in which we can execute a shell; since it is set with the SUID bit, we get access to all files that the root user can access.
After running Nmap in interactive mode I executed the shell command, and checking “id” shows the robot user with euid=0 and group ‘0’ as well.
Other applications are also present; if the SUID bit is set on them (the Vim editor, for example), you can use them to get a shell and escalate privileges.
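As an added example (not from the original walkthrough), here is a Python equivalent of the find command above written for the defender: it lists setuid files the same way, then compares the root-owned ones against a baseline of binaries expected to carry the bit, so an nmap or vim with u+s stands out. The baseline set is an illustrative assumption for a Debian-style host; build the real one from a known-good image of your own build.

```python
import os
import stat

# Illustrative baseline of setuid-root binaries on a typical Debian/Ubuntu
# install (constructed for this example; derive yours from a known-good image).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}


def find_suid(root="/"):
    """Python equivalent of `find / -perm -u=s -type f 2>/dev/null`:
    returns (path, owner_uid) for every regular file with the setuid bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue              # the 2>/dev/null part
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found


def audit_suid(entries, baseline=EXPECTED_SUID):
    """Compare discovered setuid files with the baseline. Root-owned files outside
    the baseline (an nmap or vim with u+s, as in the walkthrough) are the ones to
    investigate; `missing_from_baseline` catches a baseline that has drifted."""
    present = {path for path, _uid in entries}
    unexpected = sorted(path for path, uid in entries if uid == 0 and path not in baseline)
    return {
        "unexpected_root_suid": unexpected,
        "missing_from_baseline": sorted(baseline - present),
    }


if __name__ == "__main__":
    report = audit_suid(find_suid("/"))
    for path in report["unexpected_root_suid"]:
        print("unexpected setuid-root file:", path)
    for path in report["missing_from_baseline"]:
        print("baseline entry not found (update the baseline?):", path)
```

Run it periodically or from a file-integrity job and treat anything in unexpected_root_suid as a finding: `chmod u-s` on the binary removes the escalation path the walkthrough used, and a binary that genuinely needs privilege is better served by a narrow sudo rule or file capabilities than by a blanket setuid root.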
Finally, going into the root directory, I found the third flag of the machine, key-3-of-3.txt.
There are other methods to get access to the system as well, so try those too.
Happy Hacking!!!!!
Found this article interesting? Follow DefenseLead on Twitter, Facebook and LinkedIn to read more exclusive content.