# Technical Report

## <mark style="color:purple;">Technical Security Report: "Mr Robot" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

The purpose of this report is to detail the methodology, tools, findings, and techniques used to obtain root access on the *Mr. Robot* machine, identifying three hidden keys as part of the challenge objectives.

***

### <mark style="color:purple;">Methodology</mark>

The following structured approach was taken:

1. **Network Scanning**
   * Conducted a port scan using Nmap to identify open services.
2. **Enumeration**
   * Explored web services manually.
   * Retrieved sensitive files (robots.txt).
   * Enumerated hidden directories and potential entry points.
3. **Credential Discovery and Brute-Force Attack**
   * Extracted and utilized a wordlist for password brute-forcing.
   * Identified a valid username through behavioral analysis of login error messages.
   * Performed a password attack to gain administrative access.
4. **Initial Access**
   * Gained a web shell by exploiting theme editing functionalities in WordPress.
   * Established a reverse shell connection back to the attacker's machine.
5. **Post-Exploitation and Lateral Movement**
   * Located sensitive files and cracked password hashes.
   * Switched users based on compromised credentials.
6. **Privilege Escalation**
   * Identified binaries with SUID permissions.
   * Exploited an outdated and vulnerable version of Nmap to escalate privileges to root.
7. **Objective Completion**
   * Located all three hidden keys as per challenge requirements.

***

### <mark style="color:purple;">Detailed Findings</mark>

#### Reconnaissance and Initial Discovery

* **Tool Used:** Nmap
* **Command:** `nmap -Pn -sCV -F -T5 <target_ip>`
* **Findings:**
  * Port 22 (SSH): closed
  * Port 80 (HTTP): open
  * Port 443 (HTTPS): open

Upon accessing the HTTP service, the website presented a puzzle-like interface. Manual exploration revealed a `robots.txt` file containing:

* A downloadable wordlist (`fsocity.dic`)
* The first hidden key.

#### WordPress Enumeration and Credential Brute-Force

* **Tools Used:** Dirbuster, wpscan, Hydra

Directory enumeration identified the presence of a WordPress login portal (`/wp-login.php`).

* **Username Enumeration:**\
  No users found via wpscan, but manual testing indicated that the username **Elliot** triggered a different error message, confirming its validity.
* **Password Attack:**\
  Using the extracted `fsocity.dic` wordlist and wpscan/Hydra, the credentials discovered were:
  * Username: **Elliot**
  * Password: **ER\*\*\*\*\*\*\***

#### Gaining Initial Access

After authenticating to the WordPress dashboard, the attacker used the built-in theme editor to insert a reverse shell payload into the active theme's `404.php` file.

* **Listener Setup:**\
  `nc -lvnp 7777`

Triggering the 404 page executed the payload, resulting in a remote shell.

The shell was upgraded to an interactive TTY using:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

#### Post-Exploitation

Within `/home/robot/`, a second hidden key was identified but inaccessible without elevated permissions.

A file named `password.raw-md5` contained a hashed password. Cracking the MD5 hash revealed the credentials for the `robot` user.

* **Command to switch user:**\
  `su robot`

Access as `robot` allowed retrieval of the second key.

#### Privilege Escalation

Searching for files with the SUID bit set:

```bash
find / -type f -perm -04000 -ls 2>/dev/null
```

revealed that **nmap** (version 3.81) was installed with elevated privileges.

Following the GTFOBins entry for Nmap, the outdated version was exploited as follows:

```bash
nmap --interactive
!sh
```

A root shell was obtained, allowing access to the third and final hidden key.

***

### <mark style="color:purple;">Recommendations</mark>

**Short-Term Actions:**

* Remove sensitive files (e.g., `fsocity.dic`, `password.raw-md5`) from publicly accessible directories.
* Immediately update WordPress to the latest stable version.
* Remove or restrict access to unnecessary SUID binaries such as outdated Nmap installations.

**Long-Term Actions:**

* Implement proper file permission policies.
* Regularly audit the filesystem for misconfigurations and sensitive data exposure.
* Deploy Web Application Firewalls (WAF) to prevent unauthorized enumeration activities.
* Enforce strong password policies and multi-factor authentication on all user accounts.
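The SUID audit recommended above, and the `find` check used in the Privilege Escalation section, can be turned into a repeatable control by comparing the current SUID inventory against a known-good baseline. The script below is an added example, not part of the original report; the allowlist and the sample paths are constructed for illustration and must be replaced with the host's own approved set.

```sh
#!/bin/sh
# Added example (not from the original report): flag SUID binaries that are
# not on an approved baseline, so an unexpected entry such as a SUID nmap
# stands out during a periodic audit.

# Baseline of SUID binaries expected on this host (constructed example list;
# build the real one from a freshly installed, hardened system image).
SUID_ALLOWLIST='/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo'

# Print SUID regular files under the given root, one path per line.
# Same test as the report's find command, without -ls so the output is
# machine-readable. On a live host: list_suid /
list_suid() {
  find "$1" -xdev -type f -perm -04000 2>/dev/null
}

# Read SUID paths on stdin and print only those missing from the allowlist.
# Exact whole-line matching (-F -x) avoids /bin/su matching /bin/sudo.
unexpected_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path"; then
      continue            # approved binary, stay quiet
    fi
    printf '%s\n' "$path"  # anything else needs review or removal
  done
}

# Typical use from cron: list_suid / | unexpected_suid
# A non-empty result is the finding to investigate.
```
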

***

### <mark style="color:purple;">Conclusion</mark>

The *Mr. Robot* machine was successfully compromised by chaining together multiple vulnerabilities:

* Information leakage via `robots.txt`
* Weak credentials and exploitation of an outdated WordPress installation
* Misconfigured file permissions and exploitable SUID binaries

This challenge highlights the critical importance of secure web development practices, system hardening, and proactive security monitoring.
