Mr. Robot – Walkthrough

A number of friends and I decided to take on Mr. Robot from VulnHub, See the link Mr. Robot. Shout out to Jason for putting this VM together. I liked the landing page, especially the link to COMMODORE 64 Emulator! Now let’s get right to it.

I threw nmap at it and looks like we only have port 80 & 443 open.

nmap -p- -sT -A mrRobot

Now, I’m going to fire up Nikto and see what we get

Nikto -h mrRobot

Looks like we got ourselves a WordPress site, This is what I got browsing to license

On the other hand, robots.txt contains some juicy information for us.

key-1-of-3.txt contains our first key, I did try to crack the key which you can tell it’s an MD5 hash thru multiple online crackers with no luck.

Browsing to fsocity.dic will prompt you to download a wordlist file. Now that we got the password list, all we need is a valid username to brute force our way in. So, I made list of names of all the characters from the show Mr. Robot to try in wp-login.php starting with Elliot. and then I got the following, which tells me Elliot is valid username my friends

I used Hydra with the option “:S=Location” which is what you’re suppose to get in http-response if you were to login successfully.

Bingo! we found password for Elliot, who turned out to be the administrator of the WP site.

Now it’s time to check Metasploit and see if there are any interesting wp-plugin exploits, the following exploit caught my eye as it grants you remote shell to the backend server, which is exactly what I need.

With the help of  google, I was able to download and activate this plugin

Let’s go back to Metasploit and try it out

use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOST mrRobot
set WP_USER Elliot

We’ve successfully got remote shell to the backend server, Now after some poking around I found the following in user robot home directory

Unfortunately, I was unable to cat key-2-of-3.txt however I was able to cat password.raw-md5 which later found to be the following password thru online MD5 cracker “abcdefghijklmnopqrstuvwxyz”. Let’s hop to the VM console and give it a try. And sure enough, I was able to login and get the second key.

This leave us with the third and final key, usually in those type of situations you need to find a way to elevate to root and start looking for the final gem. With the help of RTFM (Red Team Field Manual) book I was able to find the following.

And then I used nmap to gain root shell and cat the content of the third and final key key-3-of-3.txt

Happy hunting!

Leave a Reply

Your email address will not be published. Required fields are marked *