Mr-Robot-THM-Writeup

Faris
4 min read · Aug 7, 2021

Mr-Robot is a machine on the TryHackMe platform, and I’m gonna root it today. Let’s start.

The nmap scan shows that there are 3 open ports:

22 ssh
80 http
443 https

Checking the web page, it gives us a message along with some commands to use.

They aren’t very useful since they just play some clips from the series, so I am gonna start gobuster to check for available directories.

So the directories we found were:

sitemap: useless
intro: useless
wp-login:
readme: useless
robot: useful

The readme directory was just a joke from the creator, so let’s just continue and check the others.

mrrobot.thm/robots was useful since it was the road to the first flag.

And it also has a file called fsocity.dic.

Going to key-1-of-3.txt as a directory will display the first flag, or the first key.

Now check fsocity.dic and download it.

After downloading it, we find that it’s a big wordlist. Going back to the gobuster results, we can see the wp-login directory, which is a WordPress login page.

After trying some random usernames from the Mr. Robot series, the user elliot is available. Now we need the password, which must be in the wordlist we downloaded.

Intercept the login request with the Burp proxy, send it to Intruder, then add our wordlist.

Now we are ready. Start your attack and take a coffee break; it should be fast.

After 4 cups of coffee we finally got the password. You can notice here that the wrong passwords return responses with the same number of characters, which is “4104”, but the correct password’s response is only “1075” long, so it must be it.

Yep, it was correct and redirected us to the wp-admin page too.
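The same response-length pattern that gives the attacker the password is also what a defender can key on: a burst of POSTs to the login page from one client, all answered with the identical failure page, then a single response that differs. The script below is an added example written for this writeup, not something from the original post or from TryHackMe; it parses constructed Apache/nginx combined-format log lines (the sizes 4104 and 1075 are borrowed from the text above, the IPs and timestamps are made up) and flags clients that exceed a threshold of login POSTs inside a time window, listing any response that breaks the failure pattern.

```python
"""Spot login brute-forcing against wp-login.php in web server access logs.

Added example for this writeup; not part of the original post. Sample log lines
are constructed. Assumes the combined log format used by Apache and nginx.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }

def detect_login_bruteforce(lines, login_path="/wp-login.php",
                            threshold=10, window=timedelta(minutes=5)):
    """Group POSTs to login_path by client IP and flag an IP when at least
    `threshold` of them fall inside any `window`-long span.

    For a flagged IP the most common (status, size) pair is taken to be the
    failed-login response; every response that differs from it is listed under
    "odd_responses", since a successful guess usually produces a different
    status (a redirect) and body length than the failures around it.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, max_in_window = 0, 0
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window < threshold:
            continue
        dominant = Counter((r["status"], r["size"]) for r in recs).most_common(1)[0][0]
        findings[ip] = {
            "attempts": len(recs),
            "max_in_window": max_in_window,
            "failed_response": dominant,
            "odd_responses": [(r["status"], r["size"]) for r in recs
                              if (r["status"], r["size"]) != dominant],
        }
    return findings

# Constructed sample log: one client hits wp-login.php twelve times in twelve seconds,
# gets the same 4104-byte failure page eleven times and then a 302 with a 1075-byte
# body; a second client logs in once and browses on; one line is not in log format.
SAMPLE_LOG = [
    f'10.0.0.5 - - [07/Aug/2021:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 4104 "-" "Mozilla/5.0"'
    for i in range(11)
] + [
    '10.0.0.5 - - [07/Aug/2021:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 1075 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Aug/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 1075 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Aug/2021:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access log by feeding `open("access.log")` to `detect_login_bruteforce`; the threshold and window are the knobs to tune, and the `odd_responses` list is the line to triage first because it marks the attempt that did not fail like the others.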

I was in a similar situation before, and I managed to change any page on the website to a PHP shell, so let’s try the same here.

Here we can see the source code for the 404 page, and we can edit it, so we will replace all of it with our PHP shell.

After editing the 404 page and updating it, I visited mrrobot.thm/anythinggoeshere while running the listener in the terminal:

nc -lvnp <port>
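Overwriting a theme file through the WordPress editor leaves a very visible trace on disk: a file whose hash no longer matches what was installed. The following is an added example, not code from the original writeup or from WordPress; it builds a SHA-256 manifest of a directory tree, compares a later snapshot against it, and reports modified, added and removed files. The `demo()` function constructs a throwaway theme directory (the theme name and file contents are made up) and replays the scenario above, a rewritten 404.php plus a dropped extra file.

```python
"""File-integrity baseline for a WordPress install.

Added example for this writeup; not part of the original post. The theme
directory built in demo() is constructed for illustration.
"""
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under `root` (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def compare_manifests(baseline, current):
    """Report which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(directory, name, text):
    with open(os.path.join(directory, name), "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a theme directory, then overwrite 404.php
    and drop an extra file, which is what editing the 404 page in wp-admin does."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "exampletheme")
        os.makedirs(theme)
        _write(theme, "404.php", "<?php get_header(); ?>\n<h1>Page not found</h1>\n")
        _write(theme, "style.css", "/* constructed theme stylesheet */\n")
        baseline = build_manifest(root)   # keep this where the web server user cannot write
        _write(theme, "404.php", "<?php /* contents replaced through the theme editor */ ?>\n")
        _write(theme, "cache.php", "<?php /* file that was never part of the theme */ ?>\n")
        return compare_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after installation or an update and stored outside the document root; any `modified` or `added` .php file under wp-content that nobody deployed is the thing to investigate. Disabling the built-in file editor (`DISALLOW_FILE_EDIT` in wp-config.php) removes the path the writeup used in the first place.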

We got a shell as user daemon, but I wasn’t able to read the 2nd key.

But we can still read password.raw-md5; it has the hash for the user robot, and it was very easy to crack. Let’s log in as user robot and see what we can do.

And here we are, we got the 2nd key.

After running sudo -l and searching for capabilities I found nothing useful, but searching for SUIDs displayed /usr/local/bin/nmap. We can execute the interactive mode in nmap and get a shell from it:

nmap --interactive
!sh
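The root step only works because a binary that has no business being setuid carries the bit. An administrator catches that by keeping an allowlist of the setuid/setgid binaries a host is supposed to have and diffing the filesystem against it. The script below is an added example for this writeup, not from the original post; `find_setuid` walks the given roots and collects setuid/setgid regular files, `audit_setuid` splits them into expected and unexpected, and `demo()` constructs a temporary `bin` directory (placeholder scripts named ping, nmap and ls, with the bits set by `os.chmod`) to show the check in action.

```python
"""Audit setuid/setgid binaries against an allowlist.

Added example for this writeup; not part of the original post. The
directory built in demo() is constructed and its files are placeholders.
"""
import os
import stat
import tempfile

def find_setuid(roots):
    """Return every regular file under `roots` with the setuid or setgid bit set."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue   # unreadable or vanished; skip rather than abort the audit
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append(full)
    return sorted(found)

def audit_setuid(roots, allowlist):
    """Split the setuid/setgid files found under `roots` into the ones the
    baseline expects and the ones it does not. The second list is what to
    review; the usual fix is `chmod u-s` / `chmod g-s` on the file."""
    present = find_setuid(roots)
    allowed = {os.path.abspath(p) for p in allowlist}
    return {
        "expected": [p for p in present if os.path.abspath(p) in allowed],
        "unexpected": [p for p in present if os.path.abspath(p) not in allowed],
    }

def demo():
    """Constructed scenario: ping is an expected setuid binary, nmap has had the
    setuid bit added, and ls is a plain executable. Returns basenames only."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, mode in (("ping", 0o4755), ("nmap", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")   # placeholder contents, not the real tools
            os.chmod(path, mode)                 # chmod after write so the bit is not cleared
        result = audit_setuid([root], allowlist=[os.path.join(bindir, "ping")])
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}

if __name__ == "__main__":
    # On a real host: audit_setuid(["/"], allowlist=<paths recorded at build time>)
    print(demo())
```

Run it on a real host with `audit_setuid(["/"], allowlist)` where the allowlist was recorded when the image was built; anything in `unexpected` is either a packaging change to document or a bit someone added by hand, as with the nmap binary here.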

Bingo! We rooted the machine and got the 3rd key successfully.

Hope it was an easy & simple writeup for the Mr. Robot machine on THM.
