Monday, June 18, 2018



- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine Mr-Robot.

- According to the description provided by the authors of Mr-Robot there are 3 keys or flags to be found:

- Mr-Robot can be downloaded from here:

- Once downloaded and extracted with VirtualBox:


- Using netdiscover to find the IP that corresponds to the vulnerable machine Mr-Robot:

- Scanning with Nmap:

- Scanning with nikto we find a lot of information:

- After reading the nikto output we learn that a WordPress site is running with a PHP login script, along with some other pages worth examining.

- Connecting to the website:

- Having a look at the source:

- Checking the wp-login.php page:

- When trying to connect to the admin page it hangs:

- Visiting wp-links-opml.php we learn that the website is running WordPress/4.3.16, which is outdated:


3.1 - robots.txt

- Also, robots.txt gives us key information to start the exploitation process:

- Opening key-1-of-3.txt we find the 1st key:

3.2 - Dictionary fsocity.dic

- Going to fsocity.dic and saving it for further study:

- Copying to a working directory:

- Opening it with cat we find a very long text file made up of many lines that look like part of a dictionary:



- The first 10 lines:

- Counting the lines gives 858160, so this is a large file to handle:

- How many of the 858160 lines are unique? Just 11451, so removing the repeated lines makes the file much easier to handle:

- Let's create a new file ufsocity.dic that contains only the non-repeated lines of the original text file:


- Now, the file ufsocity.dic can be used for exploitation purposes as a brute force dictionary or wordlist.
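As an added example (not part of the original write-up), the deduplication step above as a small POSIX shell script. It runs on a constructed sample file that stands in for fsocity.dic and, unlike `sort -u`, keeps the first-seen order of the words:

```shell
#!/bin/sh
# Added example: deduplicate a wordlist such as fsocity.dic while keeping
# first-seen order, and report line counts. The sample file is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/sample.dic"   # stands in for fsocity.dic (constructed data)
OUT="$WORK/usample.dic"     # stands in for ufsocity.dic

# Constructed sample wordlist with repeated entries.
printf '%s\n' true false wikia from the now Wikia extraordinary \
    the true from false now > "$SAMPLE"

# Total number of lines in a file (same as `wc -l`).
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Number of distinct lines (same as `sort -u | wc -l`); comparison is
# case-sensitive, so "wikia" and "Wikia" count separately.
count_unique() {
    sort -u "$1" | wc -l | tr -d ' '
}

# Write only the first occurrence of each line from $1 to $2.
# `sort -u` would also remove duplicates but reorders the list; awk keeps
# the original order, which matters when likely candidates are listed first.
dedup_wordlist() {
    awk '!seen[$0]++' "$1" > "$2"
}

dedup_wordlist "$SAMPLE" "$OUT"
echo "total lines : $(count_lines "$SAMPLE")"
echo "unique lines: $(count_unique "$SAMPLE")"
echo "deduplicated: $(count_lines "$OUT")"
head -n 3 "$OUT"
```

To apply it to the real file, point SAMPLE at fsocity.dic and OUT at ufsocity.dic; the two counts then correspond to the 858160 and 11451 reported above.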

3.3 - Dictionary attack with Hydra

- Hydra and ufsocity.dic help to perform a dictionary attack against the login page.

- Before launching the attack let's see what error message the login page returns, for instance with the invalid credentials admin:admin:

- As expected there is an error message, Invalid username:

- Using this information (F=Invalid username) let's find a username without caring about the password (-p wedontcare):

- We find a user elliot that can be used to try a login:

- The error message confirms that elliot is correct as a username:

- Launching Hydra again, now passing the user elliot (-l elliot), we discover the password ER28-0652:


- Using elliot:ER28-0652 the login is successful:

3.4 - Reverse shell with Metasploit

- Taking advantage of the fact that we have valid credentials, we can try to obtain a reverse shell with Metasploit:

- Searching for wp_admin_shell_upload:

- Using this exploit and setting options:

- Running the exploit fails with this error message: "The target does not appear to be using WordPress":

- Locating the exploit in Kali's file system:

- Opening it and uncommenting the line that contains the previous error message:

- Reloading the module:

- Once modified and reloaded, the exploit is successful:

- Getting a shell from the meterpreter session we find that we are running as a limited user:

- Checking the IP:

- Importing a new shell:

3.5 - Finding the second key

- Opening /home:

- In the robot user's home folder there is the 2nd key, but we cannot read it at this moment:

- However, we have access to this password hashed with MD5:

- Cracking the MD5 hash:

- Switching to the user robot with the recovered password works:

- Now the 2nd key is available:


- Going to the root account we receive a Permission denied message:

- Let's look for files that run with root privileges (SUID binaries):

- For instance Nmap version 3.81:

- There is a known weakness associated with Nmap being run with special privileges such as SUID root:

- Because of the SUID bit, Nmap's interactive mode lets us run commands with root privileges:

- For instance a new root shell:


- Going to the root folder we find the final 3rd key: