We covered WordPress Penetration Testing and Linux privilege escalation using vulnerable version of Nmap.

Getting In and Finding the First Key

My first step is always reconnaissance. I add the machine’s IP address to my hosts file and see that it’s running a web server. The main page is a cool, interactive terminal, but it’s just for show. I fire up dirbuster to look for hidden directories and quickly find that it’s a WordPress site.

This leads me to the robots.txt file, which is always a good place to check for clues. And just like that, I find the first key (K1) hidden inside.

Nmap scan results

WordPress Penetration Testing and Nmap Interactive - TryHackMe OSCP: Mr Robot

Directory search scan results

WordPress Penetration Testing and Nmap Interactive - TryHackMe OSCP: Mr Robot

Cracking WordPress and Getting a Shell

I also find a wordlist file named fsociety.dic, which is a dead giveaway that I’ll need to do some password cracking. I use Hydra to brute-force the WordPress login form, and after a bit of work, I’m in the admin panel.

Now that I’m in, my goal is to get a reverse shell. I try editing a few plugin files, but I run into some permission issues. So, I switch tactics and decide to edit a theme file instead. I inject a PHP reverse shell into the 404.php file of one of the themes. I set up a Netcat listener on my machine, activate the theme, and boom, I have a shell on the server.

Injecting the WordPress default theme with PHP reverse shell

WordPress Penetration Testing and Nmap Interactive - TryHackMe OSCP: Mr Robot

inding the Second Key and Escalating Privileges

With my initial shell, I start looking around for the next key. I find key2.txt in the /home/robot directory, but I don’t have permission to read it yet. I also find a file containing the password hash for the robot user.

I take the hash offline and use John the Ripper to crack it. With the password in hand, I switch to the robot user and can now read the contents of key2.txt to get the second key (K2).

Root Access and the Final Key

For the final step, I need to get root access. I search for any SUID binaries on the system, which are programs that run with the permissions of their owner (in this case, hopefully, root). I find that Nmap has the SUID bit set.

This is a known vulnerability in older versions of Nmap. I run nmap --interactive, which drops me into an interactive Nmap shell. From there, I can simply type !sh to spawn a shell, and because Nmap was running as root, my new shell is also a root shell!

I navigate to the /root directory and find the third and final key (K3). Challenge complete!

Technical Commands

Here’s a list of the key commands I used to conquer this machine:

  • Directory Brute-forcing:
    • dirbuster
  • WordPress Scanning and Cracking:
    • wpscan
    • Hydra
  • Netcat Listener:
    • nc -lvnp <port>
  • Password Cracking:
    • john --format=raw-md5 --wordlist=<wordlist> <hash_file>
    • john --show <hash_file>
  • Privilege Escalation:
    • su robot
    • find / -perm -u=s -type f 2>/dev/null
    • nmap --interactive
    • !sh (inside Nmap’s interactive mode)
  • Basic Navigation and File Reading:
    • ifconfig
    • id
    • cd <directory>
    • ls
    • cat <file>

TryHackMe OSCP: Mr Robot Answers

What is key 1?

 

What is key 2?

 

What is key 3?

 

Complete Video Walkthrough

 

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles