Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Mr Robot" System

Purpose of the Report

The purpose of this report is to detail the methodology, tools, findings, and techniques used to obtain root access on the Mr. Robot machine and to recover the three hidden keys that form the challenge objectives.


Methodology

The following structured approach was taken:

  1. Network Scanning

    • Conducted a port scan using Nmap to identify open services.

  2. Enumeration

    • Explored web services manually.

    • Retrieved sensitive files (robots.txt).

    • Enumerated hidden directories and potential entry points.

  3. Credential Discovery and Brute-Force Attack

    • Extracted and utilized a wordlist for password brute-forcing.

    • Identified a valid username through behavioral analysis of login error messages.

    • Performed a password attack to gain administrative access.

  4. Initial Access

    • Gained a web shell by exploiting theme editing functionalities in WordPress.

    • Established a reverse shell connection back to the attacker's machine.

  5. Post-Exploitation and Lateral Movement

    • Located sensitive files and cracked password hashes.

    • Switched users based on compromised credentials.

  6. Privilege Escalation

    • Identified binaries with SUID permissions.

    • Exploited an outdated and vulnerable version of Nmap to escalate privileges to root.

  7. Objective Completion

    • Located all three hidden keys as per challenge requirements.


Detailed Findings

Reconnaissance and Initial Discovery

  • Tool Used: Nmap

  • Command: nmap -Pn -sCV -F -T5 <target_ip>

  • Findings:

    • Port 22 (SSH): closed

    • Port 80 (HTTP): open

    • Port 443 (HTTPS): open

Upon accessing the HTTP service, the website presented a puzzle-like interface. Manual exploration revealed a robots.txt file containing:

  • A downloadable wordlist (fsocity.dic)

    • The first hidden key

WordPress Enumeration and Credential Brute-Force

  • Tools Used: Dirbuster, wpscan, Hydra

Directory enumeration identified the presence of a WordPress login portal (/wp-login.php).

  • Username Enumeration: wpscan enumerated no users, but manual testing showed that the login form returned a different error message for the username Elliot than for unknown usernames, confirming that the account existed.

  • Password Attack: Using the extracted fsocity.dic wordlist and wpscan/Hydra, the credentials discovered were:

    • Username: Elliot

    • Password: ER*******
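As an added, defender-side example that is not part of the original report, the following Python script shows how the login brute force described above appears in the web server's access log and how to detect it. The log format, the source IPs, the timestamps and the threshold are constructed assumptions; the detection relies on WordPress answering a failed login with HTTP 200 (the re-rendered form) and a successful one with a 302 redirect, so a redirect that follows a burst of failures is reported as a probable successful guess.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag source IPs with >= threshold failed POSTs to /wp-login.php inside a
    sliding window. WordPress answers a failed login with 200 (form re-rendered)
    and a successful one with a 302 redirect to wp-admin, so a 302 that follows
    a burst of failures is reported as a probable successful guess."""
    failed = defaultdict(deque)  # ip -> timestamps of failed logins in the window
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failed[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if ev["status"] == 200:
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failed_in_window": 0, "success_after_burst": False})
                f["failed_in_window"] = max(f["failed_in_window"], len(q))
        elif ev["status"] == 302 and len(q) >= threshold:
            findings[ip]["success_after_burst"] = True
    return findings


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 3400 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed log: one host hammering wp-login.php and hitting a valid
    password on its 16th try, plus a legitimate user who mistypes once."""
    t0 = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_line("10.0.0.5", t0 + timedelta(seconds=i), "POST", "/wp-login.php", 200)
             for i in range(15)]
    lines.append(_line("10.0.0.5", t0 + timedelta(seconds=15), "POST", "/wp-login.php", 302))
    lines.append(_line("10.0.0.9", t0 + timedelta(seconds=3), "POST", "/wp-login.php", 200))
    lines.append(_line("10.0.0.9", t0 + timedelta(seconds=20), "POST", "/wp-login.php", 302))
    lines.append(_line("10.0.0.9", t0 + timedelta(seconds=25), "GET", "/robots.txt", 200))
    return lines


if __name__ == "__main__":
    for ip, f in detect_login_bruteforce(sample_log()).items():
        print(f"{ip}: {f['failed_in_window']} failed logins in window, "
              f"success after burst: {f['success_after_burst']}")
```

Run it on a real log with `detect_login_bruteforce(open("access.log"))`; the threshold of ten failures per minute is far above what a human produces and well below what wpscan or Hydra generate against a wordlist of this size. Because the script keys on the status code rather than the response body, it also works when the error-message difference used for username enumeration has been fixed.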

Gaining Initial Access

After authenticating to the WordPress dashboard, the tester used the built-in theme editor to insert a reverse shell payload into the active theme's 404.php file.

  • Listener Setup: nc -lvnp 7777

Requesting a non-existent page made WordPress render 404.php, which executed the payload and connected back to the listener with a remote shell.

The shell was upgraded to an interactive TTY using:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Post-Exploitation

Within /home/robot/, a second hidden key was identified but could not be read from the low-privileged web shell.

A file named password.raw-md5 in the same directory contained a hashed password. Cracking this unsalted MD5 hash revealed the password for the robot user.

  • Command to switch user: su robot

Access as robot allowed retrieval of the second key.

Privilege Escalation

Searching for files with the SUID bit set:

find / -type f -perm -04000 -ls 2>/dev/null

revealed that nmap (version 3.81) was installed with the SUID bit set.

Following the GTFOBins entry for Nmap, the interactive mode of this old version was used to spawn a shell that inherited the binary's elevated privileges:

nmap --interactive
!sh

A root shell was obtained, allowing access to the third and final hidden key.


Recommendations

Short-Term Actions:

  • Remove sensitive files (e.g., fsocity.dic, password.raw-md5) from publicly accessible directories.

  • Immediately update WordPress to the latest stable version.

  • Remove the SUID bit from binaries that do not need it (such as the outdated Nmap installation), and remove or update the binary itself.

Long-Term Actions:

  • Implement proper file permission policies.

  • Regularly audit the filesystem for misconfigurations and sensitive data exposure.

  • Deploy a Web Application Firewall (WAF) to detect and block enumeration and brute-force activity against the login portal.

  • Enforce strong password policies and multi-factor authentication on all user accounts.
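As an added example that is not part of the original report, the following Python script turns the SUID finding from the Privilege Escalation section and the two recommendations above (removing sensitive files from public directories and auditing the filesystem for permission problems) into a repeatable audit. The SUID baseline, the sensitive-filename patterns beyond the two the report names, the web root and the sample file paths are all constructed assumptions; the audit logic itself is separated from filesystem access so it can be run over recorded data as well as a live host.

```python
import fnmatch
import os
import stat

# Assumed baseline of SUID binaries that are normal on a Debian/Ubuntu host.
# This set is an example assumption, not taken from the report; build yours
# from a freshly installed reference system of the same release.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/lib/openssh/ssh-keysign",
}

# Filename patterns that should never be world-readable or served by the web
# server; the first two come from the report's findings, the rest are assumed.
SENSITIVE_PATTERNS = ["*.dic", "*raw-md5*", ".htpasswd", "*.sql", "*.bak"]

WEB_ROOTS = ("/var/www/",)  # assumed document root(s) served by the web server


def classify(path, mode, baseline=SUID_BASELINE, web_roots=WEB_ROOTS):
    """Return the list of finding labels for one (path, st_mode) record."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in baseline:
        findings.append("unexpected-suid")
    name = os.path.basename(path)
    if any(fnmatch.fnmatchcase(name, pat) for pat in SENSITIVE_PATTERNS):
        if mode & stat.S_IROTH:
            findings.append("world-readable-sensitive")
        if path.startswith(web_roots):
            findings.append("served-from-webroot")
    return findings


def audit(records, **kwargs):
    """Run classify() over (path, st_mode) records; return only paths with findings."""
    result = {}
    for path, mode in records:
        labels = classify(path, mode, **kwargs)
        if labels:
            result[path] = labels
    return result


def walk_filesystem(root="/"):
    """Yield (path, st_mode) for every file under root, using lstat so symlinks
    are not followed. This feeds audit() the same data the report's find(1)
    command printed, but keeps the policy decision in one place."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                yield p, os.lstat(p).st_mode
            except OSError:
                continue


def sample_records():
    """Constructed records mirroring what the report found on the target;
    the exact paths are assumptions."""
    reg = stat.S_IFREG
    return [
        ("/usr/bin/passwd", reg | stat.S_ISUID | 0o755),       # expected SUID binary
        ("/usr/local/bin/nmap", reg | stat.S_ISUID | 0o755),   # SUID nmap, as in the report
        ("/var/www/html/fsocity.dic", reg | 0o644),            # wordlist inside the web root
        ("/home/robot/password.raw-md5", reg | 0o644),         # world-readable MD5 hash file
        ("/var/www/html/index.php", reg | 0o644),              # benign
    ]


if __name__ == "__main__":
    for path, labels in audit(sample_records()).items():
        print(path, ",".join(labels))
```

On a live host, replace `sample_records()` with `walk_filesystem()` and run the script as root from cron; any path that newly appears under "unexpected-suid" is either a package update that needs adding to the baseline or exactly the kind of misconfiguration that allowed the privilege escalation in this report.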


Conclusion

The Mr. Robot machine was successfully compromised by chaining together multiple vulnerabilities:

  • Information leakage via robots.txt

  • Weak credentials and exploitation of an outdated WordPress installation

  • Misconfigured file permissions and exploitable SUID binaries

This challenge highlights the critical importance of secure web development practices, system hardening, and proactive security monitoring.
