Mr. Robot Walkthrough (Vulnhub)

Source: USA Network

Source: USA Network

Anyone who is inspired to partake in a challenging course such as the Offensive Security Certified Professional (OSCP), or Licensed Penetration Tester-Master (LPT (Master)), knows that practice makes you a better hacker. Vulnhub is a great resource to find purpose-built virtual machine images to practice on. This image is based on a popular TV show, and we are going to walk through exploiting it together.

The first step in the hacker’s methodology is enumeration, so that is where we will start, with an Nmap scan of our target’s IP.

Nmap scan performing enumeration of the target

We have found a web service, as well as SSH running. We will look deeper at the web service to see if there is anything there that we can take advantage of.

Mr. Robot based scenario - #fsociety

No typical commands work here, so I choose to run Nikto against the server to see if there are any glaring vulnerabilities.

Alright, we can see the directory contents. There is a file there, so let us grab it.

Captured the dictionary file but still need usernames

We've found a dictionary file for a password attack, but we do not have any usernames yet... let us keep looking.

Running Nikto reveals that a WordPress site is being hosted at that IP, which is obviously a high-value target any time we find it.

Nikto is web server scanner which performs comprehensive tests against web servers.

We can jump right in to the WPSCAN and see what we can come up with.

WPSCAN is a WordPress vulnerability scanner.

There are tons of vulnerabilities and I am not positive any are going to lead anywhere, so I will start a brute force on the user "root" while I do some more enumeration.

Brute force attack against the system administrator account or “root”.

Through our Nikto results, we saw a few more pages to check out. At /readme (grammatical mistake is courtesy of the page).

Based on prior WP knowledge, we know that there should be a login page, so let us check it out at /wp-login:

WordPress login page

Now that we have a login page and a dictionary file, let us try to login. This time, we will use WPScan again, and we will use the file as a user file and a pass file. And... we are in.

Successful credentialed login using the dictionary file.

We can do a lot more to the server now that we have credentialed access.

Since the environment I am in does not lend itself to a reverse shell, and I am unable to upload a php file, I must be a bit more creative.

There is a project called the WordPress Exploit Framework (WPXF) that I have not had a chance to play around with, so this might be a good opportunity. After a brief break for configuration and installation, we have WPXF running on Kali.

WordPress Exploit Framework (WPXF)

This worked well, and I was able to find a new user, "robot", and a password of "abcdefghijklmnopqrstuvwxyz". Now we will jump into ssh and see if we can figure the rest of this challenge out.

SSH using robot as the user name

Since we have found 2 of 3, we know there is one more key out there. Now we will try a search using regex to find the file.

Without root access, we are not going to find it, but luckily Doc Sewell just reminded me that Nmap runs as root during our LPT-M class, and I saw that Nmap is present, so we will try to exploit this.

Found key 3 using Nmap

So, that is all there is to this machine. Using the knowledge that we have from the LPT-M and general hacker’s methodology, we were able to easily exploit the box and find all three keys. If you are interested, check out the VM at,151/ and give it a shot.

Photo - John Tagita Jr.jpg

Author Bio

John Tagita Jr. is a Sr. Cybersecurity Engineer intern with Alpine Security. He holds a variety of industry certifications including CISSP, GIAC, GCFA, and CCFE. John has a passion for forensic investigations and breach response cases, application security, penetration testing, and blockchain technology. He holds degrees in Information Technology, Cyber Security, and Criminal Justice. John is currently active duty in the US Air Force service as a Cyberwarfare Training Chief.

When John is not working in the cybersecurity arena, you may find him developing Capture the Flag competitions, such as Hacktober or Hack The Arch, or competing himself. He also is passionate about security research and networking with other like-minded hackers. John loves spending the rest of his down-time with his beautiful wife and his four devilishly handsome sons.

Link up with John on social media at on Twitter, and on LinkedIn.