WordPress Penetration Testing and Nmap Interactive – TryHackMe OSCP: Mr Robot

We covered WordPress Penetration Testing and Linux privilege escalation using vulnerable version of Nmap.

Getting In and Finding the First Key

My first step is always reconnaissance. I add the machine’s IP address to my hosts file and see that it’s running a web server. The main page is a cool, interactive terminal, but it’s just for show. I fire up dirbuster to look for hidden directories and quickly find that it’s a WordPress site.

This leads me to the robots.txt file, which is always a good place to check for clues. And just like that, I find the first key (K1) hidden inside.

Nmap scan results

Directory search scan results

Cracking WordPress and Getting a Shell

I also find a wordlist file named fsociety.dic, which is a dead giveaway that I’ll need to do some password cracking. I use Hydra to brute-force the WordPress login form, and after a bit of work, I’m in the admin panel.

Now that I’m in, my goal is to get a reverse shell. I try editing a few plugin files, but I run into some permission issues. So, I switch tactics and decide to edit a theme file instead. I inject a PHP reverse shell into the 404.php file of one of the themes. I set up a Netcat listener on my machine, activate the theme, and boom, I have a shell on the server.

Injecting the WordPress default theme with PHP reverse shell

inding the Second Key and Escalating Privileges

With my initial shell, I start looking around for the next key. I find key2.txt in the /home/robot directory, but I don’t have permission to read it yet. I also find a file containing the password hash for the robot user.

I take the hash offline and use John the Ripper to crack it. With the password in hand, I switch to the robot user and can now read the contents of key2.txt to get the second key (K2).

Root Access and the Final Key

For the final step, I need to get root access. I search for any SUID binaries on the system, which are programs that run with the permissions of their owner (in this case, hopefully, root). I find that Nmap has the SUID bit set.

This is a known vulnerability in older versions of Nmap. I run nmap --interactive, which drops me into an interactive Nmap shell. From there, I can simply type !sh to spawn a shell, and because Nmap was running as root, my new shell is also a root shell!

I navigate to the /root directory and find the third and final key (K3). Challenge complete!

Technical Commands

Here’s a list of the key commands I used to conquer this machine:

• Directory Brute-forcing:
  • dirbuster
• WordPress Scanning and Cracking:
  • wpscan
  • Hydra
• Netcat Listener:
  • nc -lvnp <port>
• Password Cracking:
  • john --format=raw-md5 --wordlist=<wordlist> <hash_file>
  • john --show <hash_file>
• Privilege Escalation:
  • su robot
  • find / -perm -u=s -type f 2>/dev/null
  • nmap --interactive
  • !sh (inside Nmap’s interactive mode)
• Basic Navigation and File Reading:
  • ifconfig
  • id
  • cd <directory>
  • ls
  • cat <file>

TryHackMe OSCP: Mr Robot Answers

Complete Video Walkthrough