HMV BaseMe

This is a Linux machine with SSH and Web services enabled. We notice strong hints on the homepage that we need to perform base64 encoding. After base64-encoding the wordlist used for web enumeration, we obtain an encrypted SSH private key. Using John the Ripper along with the password hint on the homepage (requiring base64 encoding), we quickly obtain the decryption key and gain a foothold on the system.

Then we discover that the sudo rules configured for the initial user allow us to exploit the base64 utility to read arbitrary files, thereby obtaining the root user's SSH private key and gaining full system privileges.


HMV Connection

This is a Linux machine with SSH, Web, and Samba services enabled. During web directory enumeration, we did not discover any useful clues, so we moved on to the Samba service. Fortunately, in one of the shares, we found that it exposed the root directory of the web service, which allowed us to upload a web shell and gain an initial foothold on the system.

After performing basic system enumeration (such as checking sudo rules and SUID files), we discovered that gdb was configured with the SUID bit set and owned by root. By leveraging gdb's scripting capabilities, we were able to execute commands with elevated privileges and ultimately obtain root access.


HMV Pwned

This is a Linux machine with FTP, SSH and Web services, but anonymous login is disabled for FTP. Fortunately, through web directory enumeration, we discovered a hidden_text file that provided us with a custom wordlist. Using this wordlist for a second scan, we found the FTP service credentials in a leaked pwned.vuln file.

With these credentials, we obtained ariana's SSH private key and gained an initial foothold on the system. By reviewing this user's sudo rules, we discovered that command injection could be exploited to pivot to the user selena. Since this user belongs to the docker group, we were able to mount the system's root directory into a container and ultimately gain root privileges.


HMV Suidy

This is a Linux machine with SSH and Web services enabled. By inspecting the robots.txt file, we discovered a special directory named shehatesme, which provided hints for a batch of username/password credentials. We used these credentials to brute-force SSH access and successfully gained an initial foothold on the system.

Based on a hint from the machine's name, we searched for files with the SUID bit set and found a root-owned executable called suidyyyyy. However, this binary could not be directly exploited. In fact, it calls setuid(1001) to switch to another user before spawning a bash shell.

Fortunately, the initial user we compromised, theuser, belongs to a group that has write permissions on this file. Using pspy, we discovered that the root user runs a cron job every minute to reapply the SUID bit to this file. Taking advantage of this, we compiled our own executable containing setuid(0);system("/bin/bash"); and replaced the original suidyyyyy binary with it. After waiting for the cron job to restore the SUID bit, we executed the modified binary and successfully obtained a root shell.


HMV Gift

This machine only provides SSH and Web services for us. The only interesting thing is that this web service reminds us not to overthink it - it's incredibly simple.

Besides the web service, the only thing left is SSH. Based on this hint, I plan to try some common credentials to brute-force this service. Fortunately, I successfully obtained the root user credential.
