In this course, we explore brute force attacks, hacking WordPress, switching users, and SUID privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.
Hi, within this section we're going to continue with VulnHub and we're going to solve the Mr-Robot CTF. If you have heard about this, you probably know that it's a TV series. If you search for 'mr. robot', you will see that it is actually a TV series, apparently about a hacker, and people really love it. I haven't had the opportunity to watch it yet, but I will at some point, I believe. If you have watched it, maybe it will be easier for you to solve this challenge because there might be some tips in it, I don't know. So, I'm just going to go in and try to hack this box. Over here, we are in VulnHub one more time. We're going to use this a lot during this course because it's free and they have awesome CTFs, awesome vulnerable machines over here. In this case, as you can see, Mr-Robot: 1 was released in 2016 and you can still find the OVAs over here. So, make sure you download one of the OVAs and make sure you read the description as well. As you can see, this has three keys hidden in different locations, so we're going to capture three flags. It says that "Each key is progressively difficult to find.", which is good, and it says that "The VM isn't too difficult." So maybe it's a beginner level, maybe an intermediate level thing. We don't have anything else over here, so make sure you download it. Of course, I downloaded it beforehand so you don't have to wait. I'm just going to double-click on this OVA and install it in my VirtualBox. So, let me just do that: double-click over here and leave this as it is, we can change it later on. Just 'Import' this and make sure you wait until it's imported. So far, so good. Let me come over here and open the 'Settings'. As you can see, this is Ubuntu (64-bit). Maybe I can just make it one GB or something like that, but we're not going to use much of it anyway.
So, you're free to use it with 500 MB as well. I'm not going to change anything regarding Display, Storage, or Audio. Of course, I'm going to change the network: I'm going to set it to 'NAT Network' and make sure that I 'Allow' Promiscuous Mode over here. Make sure your Kali Linux and your Mr-Robot VM are on the same network. If you're using another way to do that, it's perfectly fine; I'm using NAT Network, so just make sure you put both on the same network. Now I'm going to open Mr-Robot as well. And here you go. Of course, we're not going to do much inside the Mr-Robot VM itself. I just want to see if it shows us an IP address, and as you can see, it doesn't: it just says Mr-Robot, and that's it. So I'm going to go back to my Kali, close this down and log in with my credentials. Of course, we're going to start by finding the IP address of the target machine. Let me open my 'Terminal'. I'm going to change my keyboard layout first; obviously, you don't have to do that. I'm going to run 'nmap 10.0.2.0/24' over here in order to find my target IP. Of course, you can do that with Netdiscover as well; just make sure that you run it against your own IP range. Then wait until you get the response. So, here you go: our Nmap scan is completed. I did that against 10.0.2.0/24; if you have another IP range, just go for that. Over here, we have 10.0.2.15, which is our target machine, apparently. As you can see, we already see some ports over there, like 22, 80 and 443. So we definitely have a web server going on, and we have one SSH port, which is closed. Great. So we know from the beginning that this is going to be a web penetration test, because we have already seen this result and we only have the HTTP and HTTPS services running over here.
Of course, I'm going to run a more intense Nmap scan against this target. But again, we know that there is a web server. If you want, you can open Zenmap and do this with Zenmap anytime you want. I'm not going to do that; I'm just going to do it with Nmap and take notes into my CTF folder as usual. So I'm going to go with '-T4 -A', which is our intense scan, with verbose on, against 10.0.2.15. And, of course, I forgot to put the dash in front of the verbose parameter ('-v'). As you can see, it has already started, so we're going to get some results back from Nmap. We actually see the 443 and 80 ports open right now, so it has already discovered that. Maybe there are some other ports; we could scan all ports with '-p-', or scan some UDP ports as well as TCP ports. But again, this is good. So, here we go: SSH is closed, we have 80 open, and we have some information regarding HTTPS as well. So we definitely know that this is going to be a Linux machine. Great. And I don't know yet if we have an old kernel over here, or a kernel exploit in Linux going on. So, what am I going to do? I'm going to go into my 'Documents' folder, so I'm going to write 'cd Documents/CTF'. I'm going to create a new directory over here called 'MrRobot', and I'm going to create a new notes.txt file over there, like we did in the previous sections. So I'm going to nano into that, 'nano notes.txt', and I'm going to copy everything that we see over here, just to save our Nmap results. So I'm going to copy this, open 'notes.txt', paste it over there and hit 'Control + O' and 'Control + X' in order to save this and quit. Like that. Great. Now I'm going to clear this up, because we can reach it anytime we want. And to be honest, we don't have so much going on in the Nmap scan anyway.
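As an added example (not code from the lecture), here is a small Python helper that turns the port lines of an Nmap report into the kind of summary we are pasting into notes.txt and flags whether only web services are open. The Nmap output below is a constructed sample for a lab host, not the real scan result.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap normal output for a lab host (not the real scan
# from the lecture). Only the lines we care about are reproduced.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.2.15
Host is up (0.00041s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One Nmap port line: "<port>/<proto>  <state>  <service>  [<version...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Service names Nmap typically prints for HTTP/HTTPS listeners.
WEB_SERVICES = {"http", "https", "ssl/http", "http-proxy"}

def parse_nmap(text: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (port, proto, state, service, version) for each port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, (version or "").strip()))
    return ports

def summarize(ports) -> Dict[str, object]:
    """Open/closed port lists plus a hint whether this is a web-only target."""
    open_ports = [p for p in ports if p[2] == "open"]
    closed = [p[0] for p in ports if p[2] == "closed"]
    web_only = bool(open_ports) and all(p[3] in WEB_SERVICES for p in open_ports)
    return {"open": [p[0] for p in open_ports], "closed": closed, "web_only": web_only}

def notes_block(text: str, target: str) -> str:
    """Render a notes.txt entry: short summary first, raw Nmap output below it."""
    s = summarize(parse_nmap(text))
    lines = [f"# Nmap summary for {target}",
             f"open ports: {s['open']}",
             f"closed ports: {s['closed']}",
             f"web-only target: {s['web_only']}",
             "", "# raw nmap output", text]
    return "\n".join(lines)

if __name__ == "__main__":
    print(notes_block(SAMPLE_NMAP_OUTPUT, "10.0.2.15"))
```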
So basically, I'm going to go to 10.0.2.15 in the browser to see what's on the website. So, here we go. We have something going on in the website; I believe there's some animation going on over there. But even though it's a CTF, and even though it's an animation, I believe this is quality work. We are getting this user experience, and better yet, we are presented with a terminal over here. So, let me zoom in a little bit. Maybe we can just quickly read what's written over there. Since this is a TV series, I believe we're going to have to deal with this kind of information a lot during this penetration test. But again, it's a good user experience, so I don't have a problem with that. I'm just going to see the page source over there. It says, "You are not alone." Great. So this is HTML, but we have one JavaScript file over here and we have some commented-out things. Let me try this terminal first to see if it works or not. If I write 'prepare', for example, here you go: we are presented with maybe a GIF, maybe a kind of video over there, and it's not laggy at all. It's very good, I believe. So, we are fsociety and there are some things going on. I bet these are related to the TV series itself. At least I don't understand this, but maybe there is some tip in order to solve this challenge. So I'm just scanning over here. Here you go, we are presented with the terminal one more time. If I just write 'help' as instructed, I can see the other commands, like fsociety. So let me just run 'fsociety' and see what fsociety is. It says, "Are you ready to join the fsociety?" I don't know. Let me just write 'help' again and then 'inform'. Here you go: you're presented with some kind of carousel over here, and we can swipe through the images. I'm not even going to read these descriptions. Maybe they are very important to solve the CTF, but I'm just going to go with the flow right now.
And if we cannot solve it, I can come back and just read them later on, okay? So, I'm being lazy about this. I'm going to write 'question'. And here we go, there are some kind of political things going on over there, okay? Let me just close this down and run 'help' one more time. So, we have 'wakeup'; let's see what 'wakeup' is. And here you go: 'wakeup' runs a video for us, and it seems like the previous video that we saw in the beginning. These are the same guys, I believe. This is supposed to be Wall Street, I don't know. Let me see. Here you go. We didn't see much, and finally we have 'join'. If I write 'join' over here, it says, 'you don't know me, I've been watching you, I've been fighting for you.' Great. And if you're ready to join, it asks you to enter your email address, okay? Of course, I'm not going to give my actual email address; I'm just going to give a fake one over here. It says, 'we will be in touch.' Okay? Maybe we should have given our actual email address; maybe it would just send us some tip. But I don't know about that. As you can see, we cannot find very much over here, right? We can come over here and see the things going on, it's very cool, we're presented with a terminal in the website itself, but we didn't get any tip. So what I'm going to do is use DirBuster or DirB. If you don't know about these, they are tools for discovering hidden pages. They have a dictionary, or you supply a dictionary, and they try every page in the list one by one: they check whether there is an admin page, whether there is a login page, something like that, okay? In order to do that, first we're going to have to give the URL, which is http://10.0.2.15. Over here, we're going to have to choose the number of threads. If we lower this number, like if we choose 10 threads, it will be slower.
If we choose 200 threads, for example, if we say 'go faster', it will be much faster, but it will consume much more CPU power, okay? For the scanning type, I'm going to do a list-based brute force and we're going to supply a list. Of course, we can create our own list for that, but I'm just going to show you some lists that come pre-built with Kali Linux. So, go to your root like this and find 'usr', okay? Not 'var', I believe, it's supposed to be 'usr'. Yep, let me just go back from here by clicking on this. So, let me find 'usr'. Here we go, 'usr/share'. And there should be a 'wordlists' folder over here. Here you go. Now, this is the thing that we are looking for. If you go into this wordlists folder, you can see there are a couple of wordlists over here, for dirbuster, for dirb and for other things as well. Since we are using DirBuster, I'm just going to go for the dirbuster folder. Basically, you want to use this medium.txt wordlist for CTFs, or you can use the small one, but the small one is really small. It doesn't have a very extensive wordlist going on over there. So I'm going to go with the medium one, and if you have a basic CTF wordlist that you always use, just use it. When you start the scan, it will just try to find the results for you, okay? As you can see, the current number of running threads is 200, so make sure you do this as well, not run this on 10. And you can see the results over there. Over here we see index.php and every other thing as well. If we filter this by response, or if we just order this by response, then we get a much better view, because 200 means it's OK. And 404, as you might know, means there is no such thing, and if we get a 500 it can be a server error. So we're going to basically look for 200s, and here we go, we have some lead. As you can see, we have wp-login and wp-admin.
So, we have admin as well. These are indicators that this website has WordPress installed, okay. We have an images folder over here as well. So, whether or not the site actually uses WordPress, I don't know, but WordPress is installed and it's live, so we can try to see if there is any vulnerability regarding WordPress, right? And there are a couple of folders over here that we can check as well, in order to see what's going on. So, this scan isn't completed yet, but we got what we need, I believe. I'm going to run nikto here as well. Nikto is a tool to find vulnerabilities in a web server or website. We generally use it for CTFs, not for actual pentesting really, but it's very efficient in CTFs. So, make sure you run 'nikto -h' and your URL; '-h' is for host, okay? Here you go, it started to find things over here as well. We're trying to gather leads, right? We don't know what's going to happen yet; even though it has WordPress, which is a good lead, maybe there is nothing wrong with the WordPress and there is no vulnerability at all. Then it wouldn't be our way in, but of course we're going to look for that. As you can see, the time to finish is displayed as seven days over here, so this is going to take some time. But again, I believe we got what we need from DirBuster, so we don't have to wait for seven days. You can just wait for a couple more minutes and then stop it. We're going to continue solving this in the next lecture.
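As an added example (not from the lecture), here is a Python triage script for directory brute-force results that does the response-code sorting described above and flags the WordPress indicators (wp-login, wp-admin) automatically. The input is a constructed sample in dirb's "+ URL (CODE:nnn|SIZE:nnn)" line style; the paths, status codes and sizes are made up, and the WORDPRESS_MARKERS list is my own assumption about which paths are a reliable hint.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample in dirb's "+ URL (CODE:nnn|SIZE:nnn)" style; not real
# output from the lecture's scan, values are made up for illustration.
SAMPLE_DIRB_OUTPUT = """\
+ http://10.0.2.15/index.php (CODE:200|SIZE:1188)
+ http://10.0.2.15/admin (CODE:301|SIZE:0)
+ http://10.0.2.15/images (CODE:301|SIZE:0)
+ http://10.0.2.15/wp-login.php (CODE:200|SIZE:2664)
+ http://10.0.2.15/wp-admin (CODE:301|SIZE:0)
+ http://10.0.2.15/index.html (CODE:200|SIZE:600)
+ http://10.0.2.15/secret (CODE:404|SIZE:0)
+ http://10.0.2.15/cgi-bin/ (CODE:500|SIZE:0)
"""

HIT_LINE = re.compile(r"^\+\s+(\S+)\s+\(CODE:(\d{3})\|SIZE:(\d+)\)")

# Assumed set of paths whose presence strongly suggests a WordPress install.
WORDPRESS_MARKERS = ("/wp-login.php", "/wp-admin", "/wp-content", "/wp-includes")

def parse_hits(text: str) -> List[Tuple[str, int, int]]:
    """Return (url, status, size) for each '+' result line."""
    hits = []
    for line in text.splitlines():
        m = HIT_LINE.match(line.strip())
        if m:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return hits

def wordpress_marker(url: str) -> bool:
    """True if the URL path starts with one of the WordPress marker paths."""
    return any(urlparse(url).path.startswith(m) for m in WORDPRESS_MARKERS)

def triage(hits) -> Dict[str, object]:
    """Group hits by status: 200 is a live page, 301/302/403 usually mean the
    directory exists, 404 is nothing, and 5xx may be a server error worth noting."""
    by_code = Counter(code for _, code, _ in hits)
    live = sorted(url for url, code, _ in hits if code == 200)
    exists = sorted(url for url, code, _ in hits if code in (301, 302, 403))
    errors = sorted(url for url, code, _ in hits if 500 <= code < 600)
    wordpress = any(code != 404 and wordpress_marker(url) for url, code, _ in hits)
    return {"by_code": dict(by_code), "live": live, "exists": exists,
            "errors": errors, "wordpress": wordpress}

if __name__ == "__main__":
    for key, value in triage(parse_hits(SAMPLE_DIRB_OUTPUT)).items():
        print(f"{key}: {value}")
```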
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.