Mr. Robot Walkthrough

Aditya Jha
5 min read, Feb 27, 2023

Mr. Robot is a vulnerable Linux machine available on TryHackMe, inspired by the TV series Mr. Robot.

So let's start with our very first step: get the target's IP address and run an Nmap scan.

Command: nmap -T5 -p- -A <target ip>

Result of nmap:

As we can see, port 80 is open and a web server is running:

We can fuzz for directories with ffuf (the wordlist goes to -w, and the FUZZ keyword marks the part of the URL to substitute).

Command: ffuf -w <path/to/wordlist> -u http://<target ip>/FUZZ

Result of ffuf:

Here we get many directories, but the most interesting are robots and wp-login.

Let's check the robots file first.

It lists two more paths:

Let's fetch both of them:

<target ip>/fsocity.dic

<target ip>/key-1-of-3.txt

fsocity.dic looks like a dictionary file and key-1-of-3.txt is the flag.

We got our first flag:

The fsocity.dic file contains passwords. We also saw another directory named wp-login, so let's see what's there.

It is a WordPress login page, so we need a dictionary attack to get a username and password to log in.

If we enter admin/admin as the username and password, the page says:

Invalid username.

But if we enter Elliot as the username with a random password, it says that the password entered for the username Elliot is incorrect. The two different error messages confirm that the username is Elliot, so we only need a dictionary attack against the password.

fsocity.dic contains a lot of duplicate entries, so first we sort it, keep only the unique words, and store them in a new file.

Command: sort fsocity.dic | uniq > newf.dic

Now we use wpscan to run the dictionary attack and get the password.

Command: wpscan --url <target ip> -P <path/to/newf.dic> -U Elliot

After some time we get the password:
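From the defender's side, the wpscan run above leaves an obvious trace: a burst of POST requests to wp-login.php from one client, answered with 200 (form shown again) until one gets a 302 (login accepted). The following detector is an added example, not part of the original post: it parses constructed Apache combined-format lines (the IPs, timestamps and the WPScan-style User-Agent are made up for the sample) and flags any client exceeding a sliding-window threshold.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache combined-format lines (not from the post): 10.0.0.9 runs a wordlist
# against wp-login.php until a 302 (login accepted); 10.0.0.7 is one ordinary login.
SAMPLE_LOG = """\
10.0.0.9 - - [27/Feb/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "WPScan v3.8.22 (https://wpscan.org/)"
10.0.0.9 - - [27/Feb/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "WPScan v3.8.22 (https://wpscan.org/)"
10.0.0.9 - - [27/Feb/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "WPScan v3.8.22 (https://wpscan.org/)"
10.0.0.7 - - [27/Feb/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "WPScan v3.8.22 (https://wpscan.org/)"
10.0.0.9 - - [27/Feb/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "WPScan v3.8.22 (https://wpscan.org/)"
10.0.0.9 - - [27/Feb/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22 (https://wpscan.org/)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_lines(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than guessed at
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def detect_wp_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag each client that POSTs to /wp-login.php >= `threshold` times in any `window_seconds`
    span. A failed WordPress login returns 200 with the form; a success returns 302."""
    posts = defaultdict(list)
    for rec in parse_lines(log_text):
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/wp-login.php":
            posts[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(recs),
                               "user_agents": {r["ua"] for r in recs},
                               "succeeded": any(r["status"] == "302" for r in recs)}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in detect_wp_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The single 302 from 10.0.0.7 is not flagged; 10.0.0.9 is, with succeeded=True, which is the case worth paging on rather than just rate-limiting.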

Now we log in with these credentials.

We are successfully logged in to WordPress.

Next we need to upload a PHP reverse shell script to get a reverse shell.

We can upload it through the plugin menu:

Plugins > Add New > Upload

A PHP reverse shell script can be found on Google or from pentestmonkey.

In that script, replace the default IP address with our own IP address.

Once the file is uploaded, go to Media > Library, where the uploaded PHP file is listed. Click it, copy its link, and open that link in the browser to trigger the reverse shell.

But before that, we have to set up a listener:

Command: nc -nlvp 1234

After opening the link in the browser we get the shell, but it is not a TTY shell, so first we spawn one.

Command: /usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'

We are only a low-privileged user right now, with no special privileges. Let's go to the /home/robot directory.

There are two files here: we don't have permission to read the key file, but we can read the .md5 file.

We can crack this hash online, which gives us the password to switch to the robot user.

Now we have the password, so let's switch user with it.

Password: abcdefghijklmnopqrstuvwxyz

Command: su robot

We are robot now:

Now we can read flag 2.

Next we search for something we can use to escalate our privileges to root, starting with SUID binaries.

Command: find / -perm -4000 2>/dev/null

Here we can see that nmap is SUID, which we can use to escalate to root.

This nmap build has an interactive mode that can spawn a shell for us.

Command: nmap --interactive

At the nmap prompt we run the command: !sh

This pops the root shell.

Now our euid is root and we are in a root shell.

Flag 3 is in the root directory.

And here we got the root flag:

We have found all three flags and the machine is complete.

IF YOU LIKE THIS BLOG THEN KINDLY LET ME KNOW IN THE COMMENTS BELOW.

YOU CAN ALSO CONNECT WITH ME ON INSTAGRAM AND LINKEDIN.
