Capture The Flag

TryHackMe — Mr. Robot CTF Writeup

This post is a walkthrough of the famous Mr.Robot CTF virtual machine. I used the platform TryHackMe though you can also find this VM on Vulnhub. The goal is to find three hidden flags.

Tryhackme website

Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.

Nmap Scan:

nmap scan

Having ports 80 and 443 indicates we have a website running, so we open and on your browser.

Mr robot themed website

The website is Mr. Robot themed website after running the commands mentioned in the picture just redirects to other pages which have images and videos from Mr. Robot TV show.

So now we know it is a website, so we should enumerate the directories by performing a gobuster scan and follow the basic enumeration like viewing the robots.txt page if it’s available or not.

Gobuster Scan

Now we’ll be employing a tool called gobuster, which uses an existing wordlist of possible common directories name and can attempt to load every directory name therein wordlist and would then look at status code. (If you are using Kali or ParrotOS, then you can find these wordlists at /usr/share/wordlists/dirbuster).

TryHackMe — Mr. Robot CTF Writeup 1
Gobuster Scan

Now lets check the directories which returned a status code 200.

TryHackMe — Mr. Robot CTF Writeup 2
TryHackMe — Mr. Robot CTF Writeup 3

So, here in the license directory, we got some base64 encoded string lets to decode it and see what we get.

TryHackMe — Mr. Robot CTF Writeup 4

These could be the login credentials of the wp-admin page but before testing that we should look at the robots.txt file as it might contain some valuable information.

TryHackMe — Mr. Robot CTF Writeup 5

Here as we can see the robots.txt file contains tons of valuable information. It has some dictionary named fsocity.dic and the first flag i.e key-1-of-3.txt. So let’s goto these directories and download the dictionary as if in some case we got the username and password incorrect we could do a dictionary attack on the login page with the help of hydra.

TryHackMe — Mr. Robot CTF Writeup 6
TryHackMe — Mr. Robot CTF Writeup 7

Now let’s go to the login page and enter the credentials we found earlier in the license directory.

TryHackMe — Mr. Robot CTF Writeup 8
TryHackMe — Mr. Robot CTF Writeup 9

After entering the credentials we got to know that it is a WordPress website version 4.3.1, now generally in these scenarios we generally try to upload a reverse shell, we will upload pentester monkey’s PHP reverse shell in Appearance → Editor and then select 404.php on the right.

TryHackMe — Mr. Robot CTF Writeup 10

You just have to change the IP address to your IP address and any port that you desire.

You can see your IP address with the help of ifconfig command there in tun0 your IP address will be marked.

TryHackMe — Mr. Robot CTF Writeup 11
ifconfig command

Now after changing the IP address and port no. paste your script in the edit section of 404.php

TryHackMe — Mr. Robot CTF Writeup 12

Now save the template and open netcat to listen the port 9999 in my case by firing the command in the terminal.

nc -nlvp 9999

Now either visit the 404.php or curl it using the terminal to receive the reverse shell.

TryHackMe — Mr. Robot CTF Writeup 13

Now see the netcat connection for the reverse shell must have been executed.

TryHackMe — Mr. Robot CTF Writeup 14
Voila!! we opened a reverse shell
TryHackMe — Mr. Robot CTF Writeup 15
TryHackMe — Mr. Robot CTF Writeup 16
We cannot read key-2-of-3.txt

As you can see here we need to be user robot to see the key-2-of-3.txt file but we can still se the password.raw.md5 file, So let’s do that

TryHackMe — Mr. Robot CTF Writeup 17

Now we know that it is an MD5 hash, let’s try to decode it using a website named crackstation.

TryHackMe — Mr. Robot CTF Writeup 18
Voila!! we cracked the hashed password

After getting the password for the user robot now let’s try to switch the user.

Switching user to robot

TryHackMe — Mr. Robot CTF Writeup 19
To switch users, we need a terminal and we cannot open the terminal using /bin/sh -i
TryHackMe — Mr. Robot CTF Writeup 20
so we open the terminal using this method.

TryHackMe — Mr. Robot CTF Writeup 21
opening the key-2-of-3.txt

Privilege Escalation

Now, to capture the 3rd flag we need to upgrade from user to root for this we need to figure out which programs have SUID of at least 4000.

TryHackMe — Mr. Robot CTF Writeup 22
We see nmap here

The logic is that Nmap has SUID bit set. A lot of times administrators set the SUID bit to nmap so that it can be used to scan the network efficiently as all the Nmap scanning techniques do not work if you don’t run it with root privilege.

However, there is a functionality in Nmap older versions where you can run Nmap in an interactive mode which allows you to escape to the shell. If Nmap has SUID bit set, it will run with root privilege and we can get access to the ‘root’ shell through its interactive mode.

TryHackMe — Mr. Robot CTF Writeup 23
Key 3 captured

Personal conclusion over tryhackme

Personally, I’ve had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from another which gives a huge learning opportunity as well. I would try to upload writeups of rooms that I found interesting but for now, I hope you also learned something from this writeup.

Get the latest tech news and updatesethical hacking tutorials and cybersecurity tips and tricks. Check out MeuSec for more.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.


6 replies on “TryHackMe — Mr. Robot CTF Writeup”

“Appreciating the time and effort you put into your blog
and in depth information you provide. It’s awesome to come across a blog every once in a while that isn’t the same old rehashed
information. Fantastic read! I’ve bookmarked your site and I’m adding your RSS feeds to
my Google account.”


you are actually a good webmaster. The website loading velocity is amazing. It seems that you are doing any distinctive trick. In addition, The contents are masterpiece. you’ve done an excellent process on this subject
Regards Hannah Flack


Attractive section of content. I just stumbled upon your
site and in accession capital to assert that I acquire in fact enjoyed account your
blog posts. Anyway I will be subscribing to your augment
and even I achievement you access consistently fast.


I would like to thnkx for the efforts you have put in writing this blog. I am hoping the same high-grade blog post from you in the upcoming as well. In fact your creative writing abilities has inspired me to get my own blog now. Really the blogging is spreading its wings quickly. Your write up is a good example of it.


It’s in reality a great and helpful piece of information. I am glad that you shared this useful info with us. Please keep us informed like this. Thank you for sharing.|


Leave a Reply

Your email address will not be published. Required fields are marked *