Writeup Assignment.
Exploitation of MR Robot VM
Submitted by: Muhammad Yasir Bilal Qadri.
Netdiscover
Here we find the IP of our victim machine, which shows
VMware, Inc. as the vendor.
Victim ip : [Link]
Now go to a new terminal and run
nmap [Link] to see which services and ports
are open.
The website basically tells you a few things and lets
you input some commands. After a quick test, those
do not seem very useful.
So we run an nmap script to find directories:
nmap -script [Link] [Link]
Here are a few useful directories and the login page for
WordPress.
Let's try the WordPress login page.
Now we navigate to [Link]
Here we find the first key.
Now we try to open these two files by entering them
after the IP.
We found the key in
[Link]:
073403c8a58a1f80d943455fb30724b9
Try to open [Link]
We find some words that might be helpful.
Let's try WordPress.
On visiting the URL wp-login, we are presented with
a login form. Let us attack this login mechanism and
see if we can get access to the WordPress
management interface.
Gaining WordPress access
Initially, I tried the user admin with some of the
words in [Link]. Nothing worked out and I did
not get any password matches. This made me
wonder whether I was going in the right direction.
Once I had given it some thought, I suspected that
the user admin did not exist. This is where I thought
about looking for a way to enumerate users. A good
place to start was the forgot-password
functionality. When we enter a random user that
does not exist in the database, we see the following
output. DirBuster also reveals that WordPress and
PHP are at play here.
Invalid user admin
Since the application tells us whether a user is
valid, the search for credentials becomes much
cheaper. Instead of a multiplicative search, we only
need an additive one: first find a valid user, and
then look only for that valid user's password.
• Brute-forcing the username: Using the forgot
password functionality, we can brute-force words
from the [Link] file and check whether the response
changes. We can achieve this with a tool
called Burp Suite, which has a built-in
payload brute-forcer called 'Intruder'. It is
basically point and click and hence very easy to
use. Once we start this attack we get the
following output.
• Most of the users will be invalid and will have
a similar response length.
• A large difference in response length can
indicate a different page response, and this is a
quick way to check whether we have received an
interesting response without rendering the HTML
page every time.
• We can see the valid username, Elliot, in the
screenshot below.
Valid user found!
Brute-forcing passwords: Once we have figured
out the username, we can go back to the original
problem and try to brute-force the credentials
for this user. I used the same [Link]. The
technique is exactly the same as above, using
Burp Suite; the only differences are a different URL
and a different login form. We obtain the correct
credentials as shown below.
Valid password found!
• On logging in, we find that life is really kind. The
credentials we found had admin access to the
site.
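The enumeration and password runs described above leave a dense burst of POSTs to wp-login.php in the web server's access log. As an added defender-side example (not part of the original writeup), this Python script flags any source IP that exceeds a POST threshold within a sliding time window; the log lines, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; the sample lines below are constructed, not from the VM.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
WATCHED = ("/wp-login.php",)   # login form and ?action=lostpassword share this path
WINDOW = timedelta(minutes=5)  # sliding window length (assumed)
THRESHOLD = 10                 # POSTs per source IP per window before alerting (assumed)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path").split("?")[0],
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: total POSTs} for IPs exceeding `threshold` POSTs to a watched path in any `window`."""
    stamps = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            stamps[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts[ip] = len(times)
                break
    return alerts

def sample_log():
    """Constructed sample: 12 Intruder-style POSTs from one IP in under a minute, plus a normal visitor."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "{m} {path} HTTP/1.1" 200 {size}'
    lines = [fmt.format(ip="10.0.0.5", m="POST", size=4200 + (300 if i == 11 else 0),
                        ts=(base + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S"),
                        path="/wp-login.php?action=lostpassword") for i in range(12)]
    ts = base.strftime("%d/%b/%Y:%H:%M:%S")
    lines.append(fmt.format(ip="10.0.0.9", m="POST", path="/wp-login.php", ts=ts, size=4100))
    lines.append(fmt.format(ip="10.0.0.9", m="GET", path="/index.php", ts=ts, size=120))
    return lines
```

Pair the count with the response-size signal the writeup relies on: a lone oversized reply inside such a burst is the enumeration hit worth looking at first.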
Now we try to gain a shell.
Open msfconsole in a terminal by entering the command
=>
msfdb init && msfconsole
Now search for a payload by entering the command =>
search wordpress shell
Here we find a few exploits; we use number 6 with the
command (use 6) because we want to create a shell.
Now prepare the payload.
To view the required options, type the command => show
options
Now set RHOST, USERNAME and PASSWORD to the values
we got before.
To set these, type set RHOST (ip here)
like this.
Now run the command (run or exploit).
We get an error; now run the command show advanced options
and disable this option with the command => set WPCHECK
false
Session created successfully.
Now spawn a shell by entering the python command =>
(python -c 'import pty; [Link]("/bin/sh")' )
Here we find 2 users.
Now navigate to the user robot.
Here we find the 2nd key:
cat [Link]
822c73956184f694993bede3eb39f959
Now open [Link].md5
robot:c3fcd3d76192e4007dfb496cca67e13b (that is an
MD5 hash; we have to crack it with a free website like
CrackStation).
Here we are done; our cracked password is
(abcdefghijklmnopqrstuvwxyz)
Now try to gain access to root.
After some time exploring the system, I find an
interesting binary with the SUID bit set:
find / -perm -4000 -type f 2>/dev/null
Now we try to elevate to root, so I run nmap --interactive
(the nmap binary is SUID).
Then use !ls (the exclamation mark runs a shell
command).
Here we get the last key:
[Link]
04787ddef27c3dee1ee161b21670b4e4