Mr Robot (Tryhackme) Room Walkthrough By Jonty Bhardwaj

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Mr Robot.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/mrrobot

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

ping 10.10.127.12

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -T4 -A 10.10.127.12

Now we can see that 3 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.

http://10.10.127.12/

We then searched if the webserver has a robots.txt file and found one.

From the robots.txt we see that there is a text file named key-1-of-3.txt on the server . Which means it’s the first of the three keys which we are looking for.

Lets open this text file on the browser and get the first key .

http://10.10.127.12/key-1-of-3.txt

After getting the first key, we then opened the next directory given in the robots.txt file — fsociety.dic

http://10.10.127.12/fsocity.dic

From this webpage we got a downloadable file which on opening we found that it is some type of wordlist.

We go to the main website and found no info of use . So we have to use gobuster to see additional hidden directories and see if we can gather some info from.

gobuster dir -u http://10.10.127.12/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100

From the gobuster search we found a login webpage on the server . But we don’t have any credentials to login.

So what we can do is make use of the wordlist we previously downloaded and try to crack the username and password from it .

We will use burpsuite to crack the username and password for the webpage.

We first sent the webpage to the intruder. Then cleared every variable and added the username variable only and launched the sniper attack with the fsociety.dic wordlist we downloaded earlier.

Adding the Username Variable .

Setting Payload as fsociety.dic wordlist.

Starting the attack and getting the cracked username as Elliot. We can see this as the length of the elliot message is different than the rest in the burpsuite webpage returned.

Now we will redo the same strategy for password with Elliot as username .

Now after running the attack and waiting for some time we found the password eventually.

Now the credentials we have collected are

Username : Elliot

Password : ER28–0653.

Lets use these credentials to login into the webpage see what information is present there.

We were successfully able to login into the webpage with the credentials.

Searching for any way inside the machine we found an Editor in which we can run code on the server and if we can use this editor to run a PHP reverse shell and get a shell back on our listner , then it will be great .

We started a listener on port 4444 on our kali machine.

nc -lnvp 4444

Lets paste the PHP reverse shell code into the editor and see whether we get a shell back or not.

We copied the php reverse shell from pentest monkey and pasted it in the editor and uploaded it .

http://10.10.127.12/wp-admin/theme-editor.php?file=archive.php&theme=twentyfifteen

We then opened the webpage in which we pasted our php-reverse shell and it ran our php reverse shell .

http://10.10.127.12/archive.php

Due to this we ended up getting a shell back on our listener.

Inside home directory we found a user named robot which contained 2 files

Second Key and password file in MD5 format.

cd /home/robot

We now have to crack the md5 password online to get the password for user robot.

We used the following website to crack the hash into string

https://md5.web-max.ca/index.php#enter

We got a string : abcdefghijklmnopqrstuvwxyz

We then escalate our privilege to user robot using the credentials

Username : robot

Password : abcdefghijklmnopqrstuvwxyz

To change user to robot we used the switch user command

su robot

After login into robot we entered the robot home directory and got the second key.

cat /home/robot/key-2-of-3.txt

Now lets escalate our privilege to root to get the third and final key.

We searched sudo permissions for user robot but the user doesn’t have any sudo permissions .

We then saw what suid permissions assigned to them. And we found a lot of tools using suid permissions .

find / -user root -perm -4000 -print 2>/dev/null

We can exploit this vulnerability to escalate our privilege to root.

We exploit the suid permission assigned to tool nmap with the help of website GTFO bins .

https://gtfobins.github.io/gtfobins/nmap/

nmap — interactive

!sh

cat /root/key-3-of-3.txt

Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.

Proof of Completion

Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .

Happy Hacking !!

--

--

--

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

ASSEMBLE & Xangle Partnership

SYMFONOS 2 Walkthrough — From Brute Force to Manual Exploitation to Make Titan Gods Cry — VulnHub…

H.O.N. How to

Research Paper On Tcp Ip Protocol Diagram

Spyzie Review 2021 — Should We Look for an Alternate? | TheWiSpy

PhalaWorld AnnounceD Mint Strategy, XCM Integration of Khala and Moonriver is Complete| Phala…

Information Security Update: WannaCry ransomware attack, refocuses on why we need all security…

{UPDATE} KickMaster Foot Golf Premium Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonty Bhardwaj

Jonty Bhardwaj

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

More from Medium

TryHackMe | CTF | Walkthrough |Troll 😅😂😭

TryHackMe-Gotta Catch’em All!(Pokemon)- Walkthrough by Subhadip Nag(MrL0s3r)

Nmap Practical— TryHackMe Walkthrough

Cyber Santa HTB CTF — Writeup