# TryHackMe Mr. Robot Boot2Root—Writeup

Welcome back to my writeup!! I’ll walk you through a detailed, step-by-step breakdown of how I successfully **compromised the Mr. Robot Boot2Root Challenge** on TryHackMe. We'll go through everything — from initial enumeration, exploiting vulnerabilities, gaining foothold, escalating privileges, all the way to full system compromise. Let's dive in!

**Reconnaissance**

First, we’ll perform a port scan using Nmap to identify any open services that could serve as entry points.

`nmap -sC -sV --script http-enum <target_ip>`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FlJduBQqp8Ao9QheiEI2O%2FScreenshot%20(713).png?alt=media&#x26;token=4b9c5578-fa91-44ce-bd6d-0786371adc7b" alt=""><figcaption><p>We use the http-enum NSE of nmap to enumerate directories and files of the target web server.</p></figcaption></figure>

As shown in the scan results, **ports 22 (SSH), 80 (HTTP), and 443 (HTTPS)** are open. Taking a closer look, the http-enum NSE script did exactly what it's designed for — it successfully enumerated and revealed a list of directories and files hosted on the target web server.

Now let's visit the web page.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FJxpZcQESvKe77Q3hjxCi%2FScreenshot%20(717).png?alt=media&#x26;token=f41ed0d7-f2fb-4adf-b85b-45bc3b71c309" alt=""><figcaption><p>This is the webserver. Kinda cool XD!</p></figcaption></figure>

After trying various commands on the web page with no success, I went back and analyzed the Nmap scan results more closely. Several of the discovered paths are WordPress paths, which confirms that the site uses WordPress as its content management system. Navigating to **wp-login.php** brought up the familiar WordPress login interface.

**Enumeration**

I attempted to log in using some common username and password combinations, but none were successful. So now, let’s take it a step further by intercepting the login request with **Burp Suite** to analyze the process and look for any potential vulnerabilities.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FZlGx9dI5JnKP9Mwsee8r%2FScreenshot%20(725).png?alt=media&#x26;token=3c6e4a12-40a7-42b0-b423-f2b31f4b891b" alt=""><figcaption></figcaption></figure>

Did you notice something? The request contains two parameters: **log** and **pwd**, which represent the username and password fields in the HTTP POST request. Additionally, the error message returned is **Invalid**. This suggests that we can use **Hydra** to **brute-force** the login by targeting these two parameters with the **http-post-form** method. This method allows us to automate the process of submitting multiple login attempts to identify valid credentials.

Hold on a second, before we proceed with brute-forcing, we need a wordlist. But where can we get one? After revisiting the Nmap scan results, I noticed something I initially overlooked: the presence of a **robots.txt** file on the web server. For context, **robots.txt** is a file used by websites to give instructions to web crawlers about which pages or directories should not be indexed. While it's meant for search engine bots, it can sometimes unintentionally reveal hidden or sensitive paths.

When I visit robots.txt, these are the entries it lists:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FFMNX0NTOOfPEM6t0nky5%2FScreenshot%20(764).png?alt=media&#x26;token=998d9107-154b-4915-9788-5da773e1e8f1" alt=""><figcaption></figcaption></figure>

As shown, there are two interesting files: **fsocity.dic** and **key-1-of-3.txt**. To retrieve them, we can simply use the **wget** command to download the files directly to our terminal. And just like that, we’ve successfully obtained the **first flag**!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FSwTL8Vf1ZxWfvXCVQrMC%2FScreenshot%20(719).png?alt=media&#x26;token=57d89909-42bf-44d4-8c6b-282d98982c47" alt=""><figcaption></figcaption></figure>

So, what exactly is **fsocity.dic**? After inspecting its contents, I found that it contains a list of words, many of which are related to *Mr. Robot*. Given the **.dic** extension, it’s evident that this is a dictionary file, intended for brute-force or wordlist-based attacks. However, one thing that stood out to me was the presence of **duplicate entries** within the file.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FPEM87Xx78THkuOz8gKpA%2FScreenshot%20(721).png?alt=media&#x26;token=7b01f700-5940-4adf-ab9b-2450e8d12533" alt=""><figcaption></figcaption></figure>

So what I did was **sort** the dictionary file and keep only the unique entries.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FrOBHvjlY6W60cPLbtXZE%2FScreenshot%20(722).png?alt=media&#x26;token=09c3d703-9610-4ed7-80d8-7131302f227a" alt=""><figcaption><p>As you can see, there are only 11451 unique entries, which really saves us time.</p></figcaption></figure>

All I need to do is to save it to a new wordlist.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FgZhWCT53Lnk2ppL42h00%2FScreenshot%20(723).png?alt=media&#x26;token=e324fd6f-7a5b-467e-a8ad-7da52e29ce31" alt=""><figcaption></figcaption></figure>

**Exploitation**

Now that we have the wordlist, let's start brute-forcing the WordPress login.

Our approach is straightforward: since both the username and password are unknown, we’ll start by brute-forcing the **username**. Once we’ve identified a valid username, we’ll move on to brute-forcing the **password** to complete the login.

*`hydra -L wordlist.txt -p bruhbruh 10.10.245.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^: Invalid' -t 10`*

Now what does our payload mean? ***'/wp-login.php:log=^USER^&pwd=^PASS^: Invalid'*** is the format Hydra uses to interact with web login forms. The first part, **/wp-login.php**, is the path to the login page. The second part, **log=^USER^&pwd=^PASS^**, tells Hydra where to inject the usernames and passwords from our lists: it replaces **^USER^** and **^PASS^** with each attempt. Lastly, **Invalid** is the failure condition; Hydra looks for this keyword in the response to determine whether the login attempt failed. If the word "Invalid" doesn’t appear, Hydra assumes the credentials were correct.
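The brute force described above is noisy from the server's side: one client posts to /wp-login.php many times within seconds, receives HTTP 200 for every failed attempt and a 302 redirect once a login finally works. As an added defender-side example, not part of the original writeup, this Python detector flags that pattern in web server access logs; the log lines, client IPs and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    return {"ip": m.group("ip"), "method": m.group("method"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}

def detect_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag IPs that POST to /wp-login.php at least `threshold` times inside `window`.
    WordPress re-renders the form with 200 on failure and answers success with a 302,
    so a 302 after the burst is a likely successful guess."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                succeeded = any(r["status"] == 302 for r in recs[end:])
                alerts[ip] = {"attempts": len(recs), "success_after": succeeded}
                break
    return alerts

def sample_log():
    """Constructed sample: 12 failed POSTs in 12 seconds then one redirect from one
    made-up client, plus one normal login from another."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {st} 3120 "-" "Mozilla/5.0"'
    lines = []
    for i in range(13):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="10.10.14.5", ts=ts, st=302 if i == 12 else 200))
    lines.append('192.168.1.20 - - [01/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines
```

Running `detect_login_bruteforce(sample_log())` reports only the bursting client, with `success_after` set because a 302 follows the burst.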

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fz9I3oYpk1ghO9IfHAwdR%2FScreenshot%20(729).png?alt=media&#x26;token=a03636f7-478a-455d-bfe4-f5388a141bd0" alt=""><figcaption></figcaption></figure>

Now we know the username is **elliot**. It's time for the password! But first, take a look at what happens when I attempt to log in as elliot.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FhK4guxJ4mRxo4kPVj4Ig%2FScreenshot%20(731).png?alt=media&#x26;token=83c1bcd5-e952-4209-be17-6f11abafa0d9" alt=""><figcaption><p>It seems that elliot is a valid user.</p></figcaption></figure>

Now the error we receive has changed from **Invalid** to **Incorrect**. So, to keep our brute force working properly, we need to update the failure condition in our payload accordingly.

*`hydra -l elliot -P wordlist.txt 10.10.245.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^: Incorrect' -t 10 -VVV`*

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F5QSKqgBHljcE3MafspgA%2FScreenshot%20(733).png?alt=media&#x26;token=c4069c73-d55d-483b-bf83-edfcf93f136b" alt=""><figcaption></figcaption></figure>

Now that we have the full credentials, **elliot:ER28-0652**, let's log in!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FJnryQarVCZ3Rh3bK2OA2%2FScreenshot%20(734).png?alt=media&#x26;token=10208604-5541-40ec-b9aa-f9f79c348808" alt=""><figcaption></figcaption></figure>

We're in!! It turns out that elliot is the admin user!

Now all we need to do is gain a reverse shell. Since we are the admin here, we can edit the theme's **.php** files from the **Appearance** tab.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FmhFPBg0hRtWp0s5QcpMp%2FScreenshot%20(741).png?alt=media&#x26;token=d3bb4487-d7a4-41de-ae05-24fd149cf2e1" alt=""><figcaption></figcaption></figure>

We can modify this 404 template to gain a reverse shell, so I visited pentestmonkey's repository and used his PHP reverse shell. Here's the [link](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) to the payload.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FYydnHY6xkhbavZ71gB30%2FScreenshot%20(742).png?alt=media&#x26;token=6c927bdc-e7a0-417b-a128-2a4ceb403cff" alt=""><figcaption></figcaption></figure>

All we need to do now is set up our listener.

*`nc -lnvp 4444`*

Browse a random directory to trigger the 404 template.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FXaAnJ0dLBwvvn9T5xcii%2FScreenshot%20(744).png?alt=media&#x26;token=d0a55eba-72b3-4933-86f4-5f7c8e55b607" alt=""><figcaption></figcaption></figure>

Let's spawn a pty shell for a better prompt.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fdn13GWIBx9rs5KVmn1mI%2FScreenshot%20(746).png?alt=media&#x26;token=792a9cf0-5721-4d8a-a20b-3de02be423cb" alt=""><figcaption></figcaption></figure>

Yes, I already checked the robot user's home directory, and there are 2 files inside it.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FjiGzbtAaiZ2NBFYiw0Mf%2FScreenshot%20(747).png?alt=media&#x26;token=edd8288e-7d6f-4380-bc2f-599519f5af79" alt=""><figcaption></figcaption></figure>

There's the second flag! But hold up..

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FBgW8gFi3ILOtyLKLtW9i%2FScreenshot%20(749).png?alt=media&#x26;token=e6cc18f5-f1a7-47f2-a67e-e07b304f6d64" alt=""><figcaption></figcaption></figure>

Why permission denied? Well, if we check the file permissions, this is the result:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FmhS6A5HYLdj46XDQMejy%2FScreenshot%20(750).png?alt=media&#x26;token=03da69ce-3954-44c0-bf18-3f5dd1f9eabc" alt=""><figcaption></figcaption></figure>

If you're familiar with Linux file permissions, you’ll notice that the second key is owned by the user **robot** — and since we’re not logged in as robot, we don’t have permission to access it. Fortunately, there’s another readable file available to us: **password.raw-md5**.

I've checked the content and this is the result.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FtBIUdp0gYL20bXpIT9ty%2FScreenshot%20(751).png?alt=media&#x26;token=922e7d3b-ab40-4e20-ab21-eda43c08ce2c" alt=""><figcaption></figcaption></figure>

Looks like an MD5 hash, let's crack it using **john!**

Let's save the hash to our local machine

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F8ajzUhnBvL9U5EMhHxHg%2FScreenshot%20(752).png?alt=media&#x26;token=35964b7d-9577-4587-a0b3-896d0cc0a965" alt=""><figcaption></figcaption></figure>

Now let's crack it using **john**!!

*`john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash`*

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FugDiu0drkoHH4DjETaiC%2FScreenshot%20(753).png?alt=media&#x26;token=1a8dde1d-da96-449c-b16c-821a96eb4bc4" alt=""><figcaption></figcaption></figure>

It turns out that robot's password is the full alphabet! Now let's switch to user robot and get the 2nd flag!

*`su robot`*

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F7jfAfyiajYqNl1WTIbgu%2FScreenshot%20(754).png?alt=media&#x26;token=e937932e-890d-4e4d-88b0-021b22e00ea8" alt=""><figcaption></figcaption></figure>

We're now user robot!!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FlOkQGvWV14zbHj7K6kHw%2FScreenshot%20(756).png?alt=media&#x26;token=10bab232-ae7c-481e-a276-6126a1b6884a" alt=""><figcaption><p>2nd flag!!</p></figcaption></figure>

**Privilege Escalation**

Our objective now is to gain root access by escalating privileges.

*`find / -type f -perm -04000 2>/dev/null`*

This command is used to search the entire filesystem (**/**) for **regular files** (**-type f**) that have the **SUID (Set User ID) permission bit** set (**-perm -04000**). SUID allows users to execute a file with the permissions of the file owner, typically root. This is often used by system utilities that need elevated privileges. The part **2>/dev/null** is used to **suppress error messages**, such as "Permission denied", by redirecting standard error (**2**) to **/dev/null**. This command is commonly used in **privilege escalation** during penetration testing or system auditing to find potential security risks.
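The same check can be scripted as an audit. As an added example that is not part of the original writeup, this Python script walks a directory tree the way `find / -type f -perm -04000` does, skips unreadable entries (the equivalent of `2>/dev/null`), and reports setuid or setgid files whose name is not in an assumed baseline of binaries that normally carry the bit, which is exactly how an out-of-place entry like the Nmap binary above would stand out. The baseline set and the temporary demo tree are assumptions made for the example.

```python
import os
import stat
import tempfile

# Assumed allowlist of binaries that legitimately carry the setuid bit on a typical
# Debian/Ubuntu host; tune it to the build you are auditing.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp", "pkexec"}

def find_setuid_files(root):
    """Return sorted paths of regular files under `root` with the SUID (04000) or
    SGID (02000) bit set; with SUID only this matches find's -perm -04000 output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable entry: what 2>/dev/null hides on the command line
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

def unexpected_setuid(root, baseline=EXPECTED_SUID):
    """Setuid/setgid files whose basename is not in the baseline; these need a second look."""
    return [p for p in find_setuid_files(root) if os.path.basename(p) not in baseline]

def make_demo_tree():
    """Constructed fixture: a temp dir holding a setuid 'passwd', a setuid 'nmap' and a plain file."""
    root = tempfile.mkdtemp()
    for name, mode in (("passwd", 0o4755), ("nmap", 0o4755), ("notes.txt", 0o644)):
        path = os.path.join(root, "bin", name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder content, never executed
        os.chmod(path, mode)
    return root
```

On the demo tree `unexpected_setuid(make_demo_tree())` lists only the `nmap` entry, since `passwd` is in the baseline and `notes.txt` carries no setuid bit.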

This is the strangest part: it has **Nmap**!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F3JTfyMWxk5P1TJ2r4beu%2Flolo.png?alt=media&#x26;token=d2cdc620-f3a9-40c0-9490-50dd29091699" alt=""><figcaption></figcaption></figure>

It's unusual to find a tool like this on a CTF machine. When I executed it, this was the output.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FiYmi131Kb4wbmdUhzeSH%2FScreenshot%20(757).png?alt=media&#x26;token=1191a40f-564a-4715-8fb7-5cf841e517ee" alt=""><figcaption></figcaption></figure>

This seems to be an older version of Nmap since it includes an interactive mode. I launched it in interactive mode and saw this.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F6xXmqV0Jkqa2CNCKFlUX%2FScreenshot%20(759).png?alt=media&#x26;token=33127a3e-2bed-4159-8483-62a679379eb9" alt=""><figcaption></figcaption></figure>

As shown here, this command is available. From what I remember, in Nmap's interactive mode a command prefixed with an exclamation mark, like **!whoami**, is handed to a shell, and because the binary is SUID root it runs as root.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FeReIgTxotlORnshZrRap%2FScreenshot%20(760).png?alt=media&#x26;token=6fdab037-342e-4dd4-a43e-c8ec840d9e09" alt=""><figcaption></figcaption></figure>

It works!!! It returns as root! Now to get a root shell, just change **whoami** to **sh**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FIT0c4Avespn1ohrlmSQS%2FScreenshot%20(761).png?alt=media&#x26;token=b1890d02-8db9-44d0-9841-052395e0ed74" alt=""><figcaption></figcaption></figure>

We're root!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F7PN8wIwr7OHzgIRHTWRl%2FScreenshot%20(763).png?alt=media&#x26;token=8a050ba3-4eff-472c-96d3-de54a196fa03" alt=""><figcaption><p>Mr. Robot Complete</p></figcaption></figure>

**ANNOUNCEMENT FROM KUR0SH1R0**

I’ve decided to step away from CTFs and any hacking-related activities for now. With midterm exams coming up, I need to concentrate fully on my studies and make sure I’m prepared. It’s a short-term sacrifice, but I know this focus will help me perform better in the long run. Once the exams are behind me, I’ll dive back into the challenges and continue working towards my goals. Adios!
