HMV Hommie

This is a Linux machine with FTP, SSH, Web and TFTP services enabled. We find the id_rsa of user alexia via hints on the homepage of the web service, thereby gaining an initial foothold on the system.

Then we obtain root's id_rsa by exploiting a special SUID program, which allows us to compromise the system.

[Read more]

HMV Learn2Code

This is a Linux machine with only the Web service enabled. By exploiting the leaked Google Authenticator secret in the source code, we gained control over OTP generation, thereby obtaining a code execution environment. Simple reconnaissance revealed it to be a Python execution environment with import keyword filtering. However, this could be bypassed using basic built-in operations. Ultimately, we established a foothold on the system via a reverse shell.

We subsequently identified a special program belonging to the root user with the SUID bit set. By exploiting a simple stack overflow vulnerability to manipulate a variable, we pivot to a regular user account on the system. Within that user's home directory, we discovered a special executable file. Through analysis, we obtained the root user's password.

[Read more]

HMV BaseMe

This is a Linux machine with SSH and Web services enabled. We notice strong hints on the homepage that we need to perform base64 encoding. After base64-encoding the wordlist used for web enumeration, we obtain an encrypted SSH private key. Using John the Ripper along with the password hint on the homepage (which also requires base64 encoding), we quickly obtain the decryption key and gain a foothold on the system.

Then we discover that the initial user-configured sudo rules allow us to exploit the base64 utility to read arbitrary files, thereby obtaining the root user's SSH private key and gaining full system privileges.

[Read more]

HMV Connection

This is a Linux machine with SSH, Web, and Samba services enabled. During web directory enumeration, we did not discover any useful clues, so we moved on to the Samba service. Fortunately, in one of the shares, we found that it exposed the root directory of the web service, which allowed us to upload a web shell and gain an initial foothold on the system.

After performing basic system enumeration (such as checking sudo rules and SUID files), we discovered that gdb was configured with the SUID bit set and owned by root. By leveraging gdb's scripting capabilities, we were able to execute commands with elevated privileges and ultimately obtain root access.

[Read more]

HMV Pwned

This is a Linux machine with FTP, SSH and Web services enabled, but anonymous login is disabled for FTP. Fortunately, through web directory enumeration, we discovered a hidden_text file that provided us with a custom wordlist. Using this wordlist for a second scan, we found the FTP service credentials in a leaked pwned.vuln file.

With these credentials, we obtained ariana's SSH private key and gained an initial foothold on the system. By reviewing this user's sudo rules, we discovered that command injection could be exploited to pivot to the user selena. Since this user belongs to the docker group, we were able to mount the system's root directory into a container and ultimately gain root privileges.

[Read more]