HMV Alzheimer

This is a Linux machine with only the FTP service enabled at first. SSH and Web services open after I knock ports using the secrets leaked by FTP. After that, I obtain the user name from a web secret and the password for that user from a hidden file on FTP; with these credentials, I gain an initial foothold on the system.

Then I find a special executable (capsh) with the SUID bit set, which could be exploited to get a root shell.

[Read more]

HMV Hommie

This is a Linux machine with FTP, SSH, Web and TFTP services enabled. We find the id_rsa of user alexia via hints on the homepage of the web service, thereby gaining an initial foothold on the system.

Then we obtain root's id_rsa by exploiting a special SUID program, which allows us to compromise the system.

[Read more]

HMV Learn2Code

This is a Linux machine with only the Web service enabled. By exploiting the leaked Google Authenticator secret in the source code, we gained control over OTP generation, thereby obtaining a code execution environment. Simple reconnaissance revealed it to be a Python execution environment with import keyword filtering. However, this could be bypassed using basic built-in operations. Ultimately, we established a foothold on the system via a reverse shell.

We subsequently identified a special program belonging to the root user with the SUID bit set. By exploiting a simple stack overflow vulnerability to manipulate a variable, we pivoted to a regular user account on the system. Within that user's home directory, we discovered a special executable file. Through analysis, we obtained the root user's password.

[Read more]

HMV BaseMe

This is a Linux machine with SSH and Web services enabled; we notice strong hints on the homepage that we need to perform base64 encoding. After base64-encoding the wordlist used for web enumeration, we obtain an encrypted SSH private key. Using John the Ripper along with the password hint on the homepage (requiring base64 encoding), we quickly obtain the decryption key and gain a foothold on the system.

Then we discover that the initial user-configured sudo rules allow us to exploit the base64 utility to read arbitrary files, thereby obtaining the root user's SSH private key and gaining full system privileges.

[Read more]

HMV Connection

This is a Linux machine with SSH, Web, and Samba services enabled. During web directory enumeration, we did not discover any useful clues, so we moved on to the Samba service. Fortunately, in one of the shares, we found that it exposed the root directory of the web service, which allowed us to upload a web shell and gain an initial foothold on the system.

After performing basic system enumeration (such as checking sudo rules and SUID files), we discovered that gdb was configured with the SUID bit set and owned by root. By leveraging gdb's scripting capabilities, we were able to execute commands with elevated privileges and ultimately obtain root access.

[Read more]