OnSystemShellDredd (easy)

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack
61000/tcp open  unknown syn-ack

anonymous login enabled. Found .hannah directory.

id_rsa found.

changed the permission of the file to 600 and logged in as hannah!

Ran the LinPeas.sh and found interesting SUID & SGID bits

With cpulimit binary's SUID permission, I was able to easily become root.

https://gtfobins.github.io/gtfobins/cpulimit/

with mawk, I was able to read /etc/shadow but I wasn't able to directory root the system with it. (I also tried to unshadow the password, but no luck here as well)

Previoushttp NextCyber Sec Labs

Last updated 1 year ago