TryHackMe — Mr. Robot WalkThrough

Source — Kaspersky

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge

All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.

There are 3 key to collect to complete this room

Enumeration

Nmap Result
HTTP

Gobuster is a tool used to brute-force URIs, DNS, Vhosts and S3 buckets

GoBuster
GoBuster Result
Robots.txt
Key 1 of 3
fsocity.dic
fsocity File Size
wc result
Sort Unique Words
wc unique result
Login
WPScan
WPScan Result — Version
WPScan Result — Theme
WPScan Result — No Users
Burp Request
Hydra Username Enumeration

Note: You have to give the right wordlist to enumerate the username and put a random password.

Hydra Result
Hydra Password Enumeration
Hydra Result
Edit PHP File
Shell Upload
netcat listener
Shell Link
Shell
Interactive Shell
Password Hash
HashCat
HashCat Result
Login
Key 2 of 3
SUID Files
Nmap Version
Nmap — GTFOBins
Key 3 of 3

Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store