Mr.robot walkthrough

This post is the walkthrough of Mr.robot, you can download vm from [here],151/), the author is json

attack machine
target machine
during the testing, the vm crashed, after I rebuild this vm, the IP address is

use Nmap check open port and services:
nmap check port 80, the web page is beautiful, and it provides 6 commands, I tried all the commands but get nothing.
web Use nikto find the directory, the robots.txt can be accessed and there is a /admin URL.
nikto Access to robots.txt, find two files: fsocity.dic and key-1-of-3.txt.
The fsocity.dic is a dictionary which may be useful in the future
key1 Then I check the pages, find it's a WordPress login page
I try to use the default username and password admin:admin, got an invalid username, then I remind that Mr robot is Elliot, then I try elliot, got an invalid password.
wps elliot and we modify the fsocity.dic file:

cat fsocity.dic | sort -u > new  
wpscan -u --username elliot --wordlist /home/Mr.Robot/new  

find pass get the password ER28-0652. Log in, modify the themes, insert PHP reverse shell to the header, then I submit a new post to this WordPress blog, check this post, get a shell:
get shell Check the home page, find a robot file, there are two files: key-2-of-3.txt and password.raw-md5.
I can't open key file, due to the privilege issues, but I can open passowrd.raw-md5 file:
find a md5 encoded password for user robot.:
decode it, get the password is "abcdefghijklmnopqrstuvwxyz"
switch to robot.

find / -user root -perm -4000 -exec ls -ldb {} \; >/tmp/setuid  

find there is a nmap on this server
nmap run it, check the help page:
help find a --interactive mode, check it.

robot@linux: nmap --interactive  
nmap>help [enter]  

help execute command, get shell
root get the thrid key
3key done, amazing.