Mr. Robot

The attackers first step is to identify the targets IP address. The attacker does this with netdiscover since the target machine is on the same network. Netdiscover quickly identifies our targets IP as 172.16.158.142.

Image description

The IP address was found. Now the attackers next step is to scan the IP address for any possible open ports and what services may be running on the ports. This is accomplished with a nmap scan. The nmap scan reveals 3 ports, 1 of which is closed (port 22).

Image description

Ports 80 and 443 are identified as being open and are also running apache. This means the host machine is hosting a website. The attacker opens up his web browser as seen in the video and navigates through the links. However, he did not notice anything susceptible on the website itself. The next step is to open up nitko to scan the website for any possible vulnerabilities on the server.

Image description

Nikto revealed that /robots.txt is able to accessed. The attacker uses curl to read the contents of /robots.txt and also found the first key. There was also another interesting dictionary file called /fsociety.dic. The attacker used wget to download both the key and the dictionary file.

Image description

The attacker then referred back to the original nikto scan and found that /license.txt was able to be read. This could potential provide more information regarding the server. The attacker used curl again to read the contents of this file and found some credentials that were encoded in base64.

Image description

Image description

Image description

The credentials were then decoded using base64 -d.

Image description

The attacker then referred back to the nikto scan and found a login page for wordpress. The attacker initially tried a random admin login and received an error that the user did not exist. The attacker then used the credentials from /license.txt and gained access to the wordpress home page.

Image description

Image description

The attacker was not able to progess any further without obtaining a shell on the target system. The attackers next step was to edit the theme page and add php code that contains a reverse shell.

Image description

The attacker created a new web page to test the php code.

Image description

Netcat was set up to listen for an incoming connection from the reverse shell. The connection was established and the attacker now has a shell on the target system. The attacker runs identification commands to determine the user and privleges of the shell. This reveals that the shell is not a root shell.

Image description

Some quick searching reveals the second key located in the /home/robot folder. There is also a md5 hash in the same folder. The attacker used cat to read the md5 file and found a username and a md5 password hash.

Image description

Image description

Image description

Image description

Image description

Image description

Written on January 25, 2018