Mr Robot: Gaining Persistent Access via SSH Exploitation: A Real

PROJECTSBLOGS

Winston.I

4/2/20252 min read

In offensive security, even the most common services—like SSH—can become vectors for compromise when misconfigured or left unpatched. During a recent test conducted in a controlled environment, I encountered a target system that, while appearing secure on the surface, was vulnerable to exploitation. What followed was a successful attack chain that resulted in persistent remote access.

Interestingly, the method mirrored a tactic famously demonstrated in the Mr. Robot series—where a hacker group exploited SSH to plant malware and gain a foothold in a corporate network. While dramatized for television, the attack method shown in the show is rooted in very real techniques used by adversaries and ethical hackers alike.

1. Initial Discovery: Exposed SSH Service

Through reconnaissance, I discovered an SSH service running on port 2222. Early signs suggested a hardened setup—banner obfuscation and minimal metadata exposure.

However, enumeration of the SSH daemon revealed it was running a version with a known remote code execution vulnerability (CVE [REDACTED]).

2. Exploiting the SSH Service

After confirming the vulnerability, I developed an exploit tailored to the specific version of OpenSSH in use. Once executed, the exploit granted shell access to the system as root.

This closely resembles the technique portrayed in Mr. Robot, where attackers used a remote access vector via SSH to drop malware into a compromised network. In this case, I reproduced that method using bash.

3. Payload Deployment & Persistence

Access alone doesn’t demonstrate the full risk. For a long-term compromise, I uploaded a custom payload designed to establish persistent access. This included:

  • Creation of a hidden administrative user

  • A scheduled task (cron job) that re-established a reverse shell on reboot

  • Minimal footprint to avoid detection by basic logging tools

As seen in Mr. Robot, persistence is key for adversaries seeking control and leverage. The payload was designed with stealth in mind as seen in Mr Robot.

Conclusion

This exercise served as a reminder that even widely used and seemingly secured services like SSH can pose significant risks when misconfigured. The parallels to the Mr. Robot attack scenario highlight how fiction often draws from reality—and why organizations must be proactive in assessing and hardening their environments.