TryHackMe Walkthrough | Mr. Robot

Aditya Kumar
Jul 14, 2021

Based on the Mr. Robot show

This walkthrough is written as part of the Master certificate in cybersecurity (Red Team) that I am pursuing from HackerU.

Connecting to VPN

  1. Download the OpenVPN configuration file from the TryHackMe platform.
  2. Connect to TryHackMe by running this command in a Kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

Machine Information

Our VPN IP is 10.9.224.117.

After deployment, we get the machine's IP address, written as <IP> below.

Reconnaissance

Start with an nmap scan:

nmap -sS -sV -A <IP>

Open ports:

22 : SSH
80 : HTTP
443 : HTTPS

Check the website on port 80, then check robots.txt. It lists two files:

  1. A dictionary, fsocity.dic
  2. The first key, key-1-of-3.txt

Using gobuster to scan the IP address

Navigate to /wp-login and intercept the login request with Burp Suite, using the dictionary file we found to brute-force it.

Capture the request in Burp Suite and forward it to the Intruder tab.

Select the Sniper attack type and select the username as the parameter.

Load the fsocity-1.dic dictionary as the data input for the username and start the attack.

Found the username; now find the password with the same dictionary file.

Logged in to the wp-login page with the found username and password, as the site is based on WordPress.
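On the defending side, a dictionary attack like this one stands out in the web server's access log. The following is an added example, not part of the original walkthrough: it flags sources that send many failed login POSTs in a short window and notes when a success follows. The log lines, IP addresses, threshold and function names are constructed for illustration, and it assumes stock WordPress status codes (200 on a failed login, 302 on a successful one).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip, timestamp, request line, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/wp-login")


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "success_after": bool}} for noisy sources.
    Assumption: stock WordPress answers a failed login POST with 200
    (form shown again) and a successful one with a 302 redirect.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed POSTs
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":
            # Sliding window: keep only failures within `window` of this one.
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                hit = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(recent))
        elif m["status"] == "302" and ip in alerts:
            alerts[ip]["success_after"] = True  # a guess probably worked
    return alerts


def sample_log():
    """Constructed lines: one dictionary attack and one ordinary user."""
    fmt = ('{ip} - - [14/Jul/2021:10:00:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} 3000 "-" "-"')
    lines = [fmt.format(ip="203.0.113.5", s=s, st=200) for s in range(12)]
    lines.append(fmt.format(ip="203.0.113.5", s=12, st=302))
    lines.append(fmt.format(ip="198.51.100.7", s=20, st=200))
    lines.append(fmt.format(ip="198.51.100.7", s=25, st=302))
    return lines


print(find_bruteforce(sample_log()))
```

An alert with success_after set is the case to escalate first: the account behind it should have its password reset and its sessions revoked.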

Search for a page where php-reverse-shell can be uploaded to get a reverse shell.

Found 404.php and updated it with php-reverse-shell.

Start an nc listener on the Kali machine, then browse to the updated template page in the browser.

nc -nlvp 4444

When you browse to the updated page, you will get a shell.

Inside the robot directory we found the password for user robot, stored as an MD5 hash. First we recover the password from the hash, then switch to that user so that we can escalate our privileges and find the rest of the keys.

Spawn an interactive shell first, since we cannot switch user without one:

python -c 'import pty; pty.spawn("/bin/sh")'

Found 2nd flag!

Escalate privileges and search for 3rd flag!

Search for files with the SUID permission bit set:

find / -perm /4000 -type f 2>/tmp/2

Found the 3rd Flag and Completed the room
