Jul 14, 2021
TryHackME Walkthrough | Mr. Robot
Based on the Mr. Robot show
This walkthrough is written as a part of Master certificate in cybersecurity (Red Team) that I am pursuing from HackeU.
Connecting to VPN
- Download OpenVPN configuration setting from TryHackMe platform
- Connect to TryHackMe by running the command in kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
Machine Information
As you can see our VPN IP :- 10.9.224.117
After Deployment we will get Machine <IP>
Reconnaissance
Starting with a nmap scan
nmap -sS -sV -A <IP>
Open ports:
22 : SSH
80 : http
443 : https
Checking the website on port 80
Checking robots.txt
- Found a dictionary fsocity.dic
- first key key-1-of-3.txt
Using gobuster to scan the IP address
Navigating to /wp-login, now trying to use burp suite intercept
Now intercepting the login request in burpsuite and using the dic file we found to brute force it
Capture request in burp suite and forward request to intruder tab.
Select sniper attack type Select the username as parameter.
Load fsocity-1.dic dictionary as data input for username, start the attack.
Found user name, now find password with same dictionary file
Logged inwith found username and password to wp-login page as the site is based on wordpress
Search for page where php-reverse shell can be uploaded to get reverse shell.
Found 404.php > updated php-reverse-shell here
Start listener nc on kali machine, and browse the updated template page in browser.
nc -nlvp 4444
When you browse to the updated page will get shell
Inside the robot directory we found the password which is encoded in MD5 for user robot. First we will reverse the hash and find the password and we will change to superuser so that we can escalate our privileges and find rest of the keys.
Try to spawn shell since we cannot change to superuser without interactive shell:
python -c ‘import pty; pty.spawn(“/bin/sh”)’ python -c ‘import pty;
pty.spawn(“/bin/sh”)’
Found 2nd flag!
Escalate privileges and search for 3rd flag!
Search for users privilege permission:
find / -perm /4000 -type f 2>/tmp/2
Found the 3rd Flag and Completed the room
