TryHackMe Mr. Robot Boot2Root—Writeup
Welcome back to my writeup!! I’ll walk you through a detailed, step-by-step breakdown of how I successfully compromised the Mr. Robot Boot2Root Challenge on TryHackMe. We'll go through everything — from initial enumeration, exploiting vulnerabilities, gaining foothold, escalating privileges, all the way to full system compromise. Let's dive in!
Reconnaissance
First, we’ll perform a port scan using Nmap to identify any open services that could serve as entry points.
nmap -sC -sV --script http-enum <target_ip>

As shown in the scan results, ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. Taking a closer look, the http-enum NSE script did exactly what it's designed for — it successfully enumerated and revealed a list of directories and files hosted on the target web server.
Now let's visit the webpage.

After trying various commands on the site with no success, I went back and looked at the Nmap scan results more closely. Several of the discovered paths are WordPress paths, confirming that the site uses WordPress as its content management system. Navigating to wp-login.php brought up the familiar WordPress login page.
Enumeration
I attempted to log in using some common username and password combinations, but none were successful. So now, let’s take it a step further by intercepting the login request with Burp Suite to analyze the process and look for any potential vulnerabilities.

Did you notice something? The request contains two parameters: log and pwd, which represent the username and password fields in the HTTP POST request. Additionally, the error message returned is Invalid. This suggests that we can use Hydra to brute-force the login by targeting these two parameters with the http-post-form method. This method allows us to automate the process of submitting multiple login attempts to identify valid credentials.
Hold on a second, before we proceed with brute-forcing, we need a wordlist. But where can we get one? After revisiting the Nmap scan results, I noticed something I initially overlooked: the presence of a robots.txt file on the web server. For context, robots.txt is a file used by websites to give instructions to web crawlers about which pages or directories should not be indexed. While it's meant for search engine bots, it can sometimes unintentionally reveal hidden or sensitive paths.
When I visited robots.txt, these were the files it listed:

As shown, there are two interesting files: fsocity.dic and key-1-of-3.txt. To retrieve them, we can simply use the wget command to download the files directly to our terminal. And just like that, we’ve successfully obtained the first flag!

So, what exactly is fsocity.dic? After inspecting its contents, I found that it contains a list of words, many of which are related to Mr. Robot. Given the .dic extension, it’s evident that this is a dictionary file, intended for brute-force or wordlist-based attacks. However, one thing that stood out to me was the presence of duplicate entries within the file.

So what I did was sort the dictionary file and keep only the unique entries.

Then I saved the deduplicated list to a new wordlist.

Exploitation
Now that we have the wordlist, let's start brute-forcing the WordPress login.
Our approach is straightforward: since both the username and password are unknown, we'll brute-force the username first. Once we've identified a valid username, we'll move on to brute-forcing its password to complete the login.
hydra -L wordlist.txt -p bruhbruh 10.10.245.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^: Invalid' -t 10
Now what does our payload mean? '/wp-login.php:log=^USER^&pwd=^PASS^: Invalid' is the format Hydra uses to interact with web login forms. The first part, /wp-login.php, is the path to the login page. The second part, log=^USER^&pwd=^PASS^, tells Hydra where to inject the usernames and passwords from our lists: it replaces ^USER^ and ^PASS^ with each attempt. Lastly, Invalid is the failure condition; Hydra looks for this string in the response to determine whether the login attempt failed. If the word "Invalid" doesn't appear, Hydra assumes the attempt succeeded.

Hydra found the username: elliot. Now for the password! But first, take a look at what happens when I try to log in as elliot.

Now the error message has changed from Invalid to Incorrect. So, to keep our brute-force working properly, we need to update the failure condition in our payload accordingly.
hydra -l elliot -P wordlist.txt 10.10.245.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^: Incorrect' -t 10 -VVV
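From the defender's side, the Hydra runs above show up in the web server's access log as a burst of POST requests to /wp-login.php from a single client, one request per guess. WordPress answers a failed login with a 200 and the error page rather than a 4xx, so the status code on its own is not a useful signal; the request rate per source is. The script below is an added example, not part of the original writeup: it parses Apache combined-format log lines, keeps a per-IP sliding window of login POSTs, and flags any source that exceeds a threshold inside the window. The log lines, IP addresses and timestamps are constructed for the example, and the threshold and window size are assumptions to be tuned to the site's normal traffic.

```python
"""Detect WordPress login brute-force bursts in an access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=10, window_seconds=60, path="/wp-login.php"):
    """Return {ip: peak_attempts_in_window} for clients whose POSTs to `path`
    reach `threshold` within any `window_seconds` span. Lines are assumed to be
    in chronological order per source, as a normal access log is."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method != "POST" or req_path.split("?")[0] != path:
            continue
        q = windows[ip]
        q.append(ts)
        # Drop attempts that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed log: one client hammering wp-login.php, one client logging in normally."""
    base = datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # 12 guesses in 22 seconds, like a Hydra run with -t 10
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Hydra)"')
    for i in range(2):  # two legitimate logins five minutes apart (302 = success redirect)
        t = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{base.strftime(TS_FMT)}] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"possible brute force from {ip}: {peak} login POSTs within 60s")
```

Against a real log, `find_bruteforce(open("/var/log/apache2/access.log"))` is enough. Hydra's default User-Agent names the tool, but since a client can send any User-Agent, the detector counts attempts per source instead of matching on that string.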

Now that we have the full credentials, elliot:ER28-0652, let's log in!

We're in!! It turns out that elliot is the admin user!
Now all we need to do is gain a reverse shell! Since we are an admin here, we can edit the theme's .php files under the Appearance tab.

We can modify this 404 template to gain a reverse shell, so I visited pentestmonkey and used its PHP reverse shell payload. Here's the link for the payload.

All we need to do is set up our listener.
nc -lnvp 4444
Browse a random directory to trigger the 404 template.
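The foothold above works because a WordPress administrator can rewrite theme PHP from the dashboard. Two defender-side controls follow directly from that: setting DISALLOW_FILE_EDIT to true in wp-config.php removes the dashboard file editor entirely, and a file-integrity check over the theme directory catches an edited 404.php whether the change came through the editor or any other route. The script below is an added example, not code from the writeup or from WordPress itself: it builds a SHA-256 manifest of a theme directory and diffs it against a saved baseline. The sample theme files are constructed in a temporary directory so the edit can be simulated offline.

```python
"""File-integrity check for a WordPress theme directory (added example)."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file below root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests and report what was added, removed or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed clean theme, then simulate an admin rewriting 404.php."""
    with tempfile.TemporaryDirectory() as theme:
        clean_files = {
            "404.php": "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n",
            "index.php": "<?php get_header(); get_template_part('content'); get_footer(); ?>\n",
            "style.css": "/*\nTheme Name: Example Theme (constructed)\n*/\n",
        }
        for rel, body in clean_files.items():
            with open(os.path.join(theme, rel), "w") as fh:
                fh.write(body)
        baseline = build_manifest(theme)  # in practice: stored off-host at deploy time

        # The same edit the writeup makes through Appearance > Editor; the PHP
        # body is irrelevant to the check, only the changed hash matters.
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php /* template replaced via the dashboard editor */ ?>\n")

        return diff_manifest(baseline, build_manifest(theme))


if __name__ == "__main__":
    print(demo())  # the 404 template shows up under "modified"
```

In production, store the baseline manifest somewhere the web server user cannot write and run the diff on a schedule; anything under "added" or "modified" in wp-content/themes that does not line up with a known deploy is worth an alert.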

Let's spawn a PTY shell for a better prompt.

I also checked the robot user's home directory, and there are 2 files inside it.

There's the second flag! But hold up..

Why permission denied? Well, if we check the file permissions, this is the result:

If you're familiar with Linux file permissions, you’ll notice that the second key is owned by the user robot — and since we’re not logged in as robot, we don’t have permission to access it. Fortunately, there’s another readable file available to us: password.raw-md5.
I checked its contents, and this is the result:

Looks like an MD5 hash, let's crack it using john!
Let's save the hash to our local machine.

Now let's crack it using john!!
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash

It turns out that robot's password is the full alphabet! Now let's switch to user robot and get the 2nd flag!
su robot

We're now user robot!!!

Privilege Escalation
Our objective now is to gain root access by escalating privileges.
find / -type f -perm -04000 2>/dev/null
This command is used to search the entire filesystem (/) for regular files (-type f) that have the SUID (Set User ID) permission bit set (-perm -04000). SUID allows users to execute a file with the permissions of the file owner, typically root. This is often used by system utilities that need elevated privileges. The part 2>/dev/null is used to suppress error messages, such as "Permission denied", by redirecting standard error (2) to /dev/null. This command is commonly used in privilege escalation during penetration testing or system auditing to find potential security risks.
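The find command above lists every SUID file on the box, but what matters to both the attacker and the auditor is which of them do not belong there, such as the nmap binary found on this machine. The script below is an added example, not from the original writeup: it reproduces the `find / -type f -perm -04000 2>/dev/null` walk in Python and reports SUID regular files that are missing from a baseline allowlist. KNOWN_SUID is a constructed, illustrative list of binaries a typical Debian-family install ships with SUID; a real baseline should be generated from a clean image of the same OS rather than typed in.

```python
"""Audit SUID binaries against a baseline allowlist (added example)."""
import os
import stat

# Constructed allowlist; generate the real one from a known-clean install.
KNOWN_SUID = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount",
}
# Pseudo-filesystems that hold no binaries and only slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid_regular(mode):
    """True for a regular file with the set-user-ID bit: what -type f -perm -04000 matches."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan_suid(root="/"):
    """Yield (path, mode) for every SUID regular file below root.
    Unreadable directories are skipped silently, the Python equivalent of 2>/dev/null."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue
            if is_suid_regular(mode):
                yield path, mode


def unexpected_suid(entries, allowlist=KNOWN_SUID):
    """From (path, mode) pairs, return sorted paths that are SUID and not allowlisted."""
    return sorted({p for p, m in entries if is_suid_regular(m) and p not in allowlist})


if __name__ == "__main__":
    for path in unexpected_suid(scan_suid("/")):
        print("unexpected SUID binary:", path)
```

Run as root on a schedule, this turns the manual find-and-eyeball step into a check with a short, reviewable output; a binary like nmap appearing in it is exactly the kind of finding that should trigger removal of the SUID bit.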
This is the strangest part: it has Nmap!!

It's unusual to find a tool like this on a CTF machine. When I executed it, this was the output:

This seems to be an older version of Nmap since it includes an interactive mode. I launched it in interactive mode and saw this.

As shown here, the interactive prompt is available. In this mode, a command prefixed with an exclamation mark, like !whoami, is passed to a shell, and because the binary is SUID root, that command runs as root.

It works!!! It returns root! To get a root shell, just replace whoami with sh.

We're root!!

ANNOUNCEMENT FROM KUR0SH1R0
I’ve decided to step away from CTFs and any hacking-related activities for now. With midterm exams coming up, I need to concentrate fully on my studies and make sure I’m prepared. It’s a short-term sacrifice, but I know this focus will help me perform better in the long run. Once the exams are behind me, I’ll dive back into the challenges and continue working towards my goals. Adios!