Tryhackme - Mr Robot CTF

Tryhackme – Mr Robot CTF

In this walk through, we will be going through the Mr Robot CTF room from Tryhackme. This room is based on my favorite TV show Mr Robot and the objective is to get root on the box and find 3 keys which are hidden as flags somewhere. The room is rated as Medium on the platform and covers basic enumeration, WordPress exploitation and some Linux privilege escalation stuff. On that note, let’s get started.

Mr Robot CTF

Machine Info:

TitleMr Robot
ObjectiveRoot the machine.

Task 1 – Connect the network

Task 1 - Connect the network

Task 1 - Connect the network

Task 2 – Hack the machine


  • Checking if machine is live or not.
Pinging the machine
  • Started off with our regular nmap scan enumerating services and their specific versions.
sudo nmap -sS -sV
nmap scan
  • Found HTTP/HTTPS running on port 80 and 443, indicating webserver.
Website running
  • Checking robots.txt, found some interesting directories.
  • Visiting “fsociety.dic” downloads a txt file, which might be a potential wordlist.
  • Visiting “key-1-of-3.txt”, gives us our first flag.
Key 1
  • I have fired up gobuster in the background. Got some hidden directories from its output.
gobuster dir -u -w ~/Desktop/common.txt
Gobuster scan
  • Visiting “dashboard” gives us a wordpress login page. It confirmed that it is running wordpress.
  • Now we want two things – username and password, to get inside. We already have a password list, downloaded earlier.
  • Unable to find any relevant leads by the gobuster findings, confirmed wordpress installation with /images and /wordpress.
  • Used wpscan to enumerate the users however no users found.
wpscan --url --enumerate u
Wpscan user enumeration
No Users found
  • Next, i tried bruteforcing username with Hydra. Got the username & password field using Burpsuite and then use the “fsociety.dic” file as username list and a test password to reveal the username.
Burpsuite Proxy intercept
username and password field
hydra -L fsocity.dic -p test http-post-form "/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"
Getting username with hydra
  • Found usename elliot. Now we will use the same list to bruteforce the password. Before that, sort the wordlist as it includes many duplicates.
cat fsociety.dic | sort | uniq > passwords.dic

Initial Access:

  • Found the password using wpscan.
wpscan --url -U 'Elliot' --passwords passwords.dic --password-attack wp-login
Wpscan password bruteforce
  • Alternate attack vector – Bruteforcing takes a lot of time. We have found /license earlier. Navigating there, we found a base 64 string (ZWxsaW90OkVSMjgtMDY1Mgo=), decoding it in cyberchef.
Base64 encoded string
Username found
  • Finally inside the admin panel.
Wordpress Dashboard
  • Changing the 404 page code to PHP reverse shell code. Change IP within it before uploading.
Reverse shell edit
  • Executing the code by going on random URLs which will trigger the reverse shell. Hence, we finally got the shell.
netcat listener
  • We found a MD5 password hash for user “robot” and then we cracked it using and found the user’s password. Changing the user to robot and got the second flag.
MD5 hash
Key 2

Privilege Escalation:

  • When we try to change directory to root – Permission denied. We need to escalate our privileges.
Permission denied error
  • Enumerating the linux kernel version and checking it for known vulnerabilities, we found ‘overlayfs’ Local Privilege Escalation exploit.
uname -a
Linux Kernel 3.13.0 overlayfs Priv Esc exploit
  • Moving exploit to the target machine using wget, tried exploit but failed.
wget 37292.c
Exploit failed
  • Using linpeas to search for priv escalation vectors found SUID bit set to an intesting binary “nmap”.
./ | tee privlog.txt
Linpeas output
  • Exploiting the nmap binary using GTFObins and gaining “root” and pwning the machine.
GTFObins nmap
nmap --interactive
nmap> !sh
nmap --interactive
Root Shell
key 3

Question 1 – What is key 1?


Question 2 – What is key 2?


Question 3 – What is key 3?


Task 2 - Hack the machine

Also Read: Tryhackme – Metasploit: Introduction


Tryhackme - Mr Robot CTF

So that was “Mr Robot CTF” for you. Let’s sum it up quickly, we started off with our regular nmap scan, found a webserver running on port 80 and 443 respectively. We started off a gobuster scan in the background and proceeded with the manual enumeration for the meanwhile. On checking, robots.txt found an interesting txt file called fsociety.dic which contains potential usernames and passwords and on another directory, we got our First flag. The output from the gobuster indicates that the website is running a WordPress installation. On the basis of that, enumerated the same with Wpscan but found no users. Next, tried bruteforcing the users using fsociety.dic file with the help of Burpsuite and Hydra. Got our username – Elliot. Moving on, used the same wordlist to crack the password for the user using Wpscan. The next task was to get a shell access on the system. For that, edited the 404.php file with our PHP reverse shell and got our reverse shell with netcat listener. Found the second flag by cracking a MD5 hash with the help of Crackstation. The final battle was to get root. For that, we used GTFObins to exploit the SUID misconfiguration in nmap binary. This gives us the root on the system and helps us to recollect some of the Elliot’s memories of his dead father.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top