OnSystemShellDredd (easy)

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack
61000/tcp open  unknown syn-ack
​
​
anonymous login enabled. Found .hannah directory.
id_rsa found. 
changed the permission of the file to 600 and logged in as hannah! 
Ran the LinPeas.sh and found interesting SUID & SGID bits
​
With cpulimit binary's SUID permission, I was able to easily become root. 
​https://gtfobins.github.io/gtfobins/cpulimit/​
with mawk, I was able to read /etc/shadow but I wasn't able to directory root the system with it. (I also tried to unshadow the password, but no luck here as well)
​
http
Cyber Sec Labs
Last modified 10mo ago