TryHackMe: Mr. Robot CTF

Walkthrough of Mr. Robot CTF

Aayan Tiwari
4 min read · Oct 8, 2023

Difficulty: Medium

Room URL: https://tryhackme.com/room/mrrobot

The machine did not respond to ping, so an nmap scan was run with -Pn to find which ports were open and which services were running.

Command used: nmap -Pn <IP> -A

The scan showed ports 80, 443 and 22 running HTTP, HTTPS and SSH respectively.

Visiting the website, we found a few commands that could be run from the page.

Inspecting the page source revealed nothing useful. We also examined robots.txt, the file that tells search engine crawlers which paths they may and may not index.

robots.txt pointed us to two files: a txt file containing the first key, and a dictionary (wordlist).

Brute forcing directories with the dictionary we had found turned up some interesting paths, one of which was license. Browsing to the license directory, we found a base64 value in the page source.

Decoding the base64 revealed a username and password for the login.

These credentials can be used at /login, a path the directory brute force had shown to exist.

Once logged in, the pentestmonkey reverse shell can be uploaded through the Editor under the Appearance menu. The header.php file was edited so that whenever the site loads, header.php executes and we get a connection back to our machine.

Listening on port 3333, we got the connection by visiting /blog, since only the admin was allowed to see that page.
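As an added example that is not part of the original walkthrough, here is a small Python script a defender could run over a web server access log to spot the two web-side behaviours described above: a burst of 404s from one client, as the directory brute force produces, and a write through the theme editor. It assumes the site is WordPress (the Appearance > Editor menu suggests this) and uses the standard wp-admin/theme-editor.php path; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Apache "combined" access log format; only the fields this script needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic), modelled on the steps in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2023:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Oct/2023:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:02 +0000] "GET /config HTTP/1.1" 404 0 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:03 +0000] "GET /test HTTP/1.1" 404 0 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:03 +0000] "GET /license HTTP/1.1" 200 309 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:04 +0000] "GET /old HTTP/1.1" 404 0 "-" "dirb"
10.0.0.5 - - [08/Oct/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Oct/2023:10:00:09 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Oct/2023:10:01:00 +0000] "GET /blog HTTP/1.1" 200 1208 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Oct/2023:10:01:02 +0000] "GET /missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

NOT_FOUND_THRESHOLD = 5  # 404s from one client before we call it a directory scan
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")

def parse_line(line):
    """Parse one access log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Return (ip, finding) tuples for the two behaviours: editor writes first, then scans."""
    not_found = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        # A POST to the theme/plugin editor rewrites a PHP file on the server: always alert.
        if rec["method"] == "POST" and rec["path"].split("?")[0] in EDITOR_PATHS:
            findings.append((rec["ip"], f"theme editor write at {rec['ts']}"))
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.append((ip, f"probable directory brute force ({n} x 404)"))
    return findings
```

The single 404 from 10.0.0.9 stays below the threshold, so only the scanning client is reported; disabling the file editor in wp-config.php (DISALLOW_FILE_EDIT) removes the theme editor write path entirely.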

After spawning /bin/bash with python, ls -la was run to see which files existed. We were logged in as daemon, but the key file could only be read by robot. A second file, password.raw-md5, contained an md5 hash.

Cracking the md5 hash with CrackStation gave the password for robot.

Switching user with that password, we were logged in as robot.

Now we can read the key file.

Moving on to privilege escalation, robot was not allowed to run any command with sudo.

Searching for SUID binaries showed that nmap had the SUID bit set.

Privileges can be escalated by running nmap --interactive and then !sh.

We are now root, and key3 can be found.
