HMV Forbidden

This is a Linux machine with FTP and Web services enabled; a misconfiguration in the FTP service leaks the web root directory. The upload filter blocks common PHP extensions, but not all of them (I found that .php5 could still be exploited).

After logging in as www-data, an unprivileged user that manages the web content, I discover a hidden SUID program that allows me to pivot to another regular user, markos. Following the instructions on the web page (/note.txt), I locate a JPG image. Analysis suggests it contains a hidden pass.txt file via steganography. Unfortunately, I was wrong from the start: the password is actually the image's name. With it I pivot to user marta, who leaves hints for us on a web page. Finally, I discover a sudo rule that lets me use a living-off-the-land (LOTL) binary to read arbitrary files. To get a root shell, I try to read the SSH keys and the system's /etc/shadow. Luckily, the shadow file is readable. After cracking it with john, I pivot to yet another user, who also has a sudo rule for a LOTL binary, but this time it allows me to spawn a root shell!

[Read more]

HMV Five

This is a Linux machine with only the Web service enabled. We can upload a webshell by controlling the directory parameter of the upload API endpoint, which gives us the initial foothold on the system.

We then discover a sudo rule for our initial user that allows it to execute /bin/cp as another user. There is also an SSH service listening only on localhost, but we can reach it through port forwarding. We pivot to the other user by using /bin/cp to write our SSH public key into authorized_keys. Finally, we get a root shell, or read arbitrary files, via a living-off-the-land (LOTL) technique; the binary this time is /bin/man.

[Read more]

HMV Alzheimer

This is a Linux machine with only the FTP service enabled at first; SSH and Web services open after I knock ports using the secrets leaked by FTP. I then obtain the username from a web secret and that user's password from a hidden file on FTP. With these credentials, I gain an initial foothold on the system.

Then I find a special executable (capsh) with the SUID bit set, which can be exploited to get a root shell.

[Read more]

HMV Hommie

This is a Linux machine with FTP, SSH, Web and TFTP services enabled. We find the id_rsa of user alexia by following hints from the web service's homepage, thereby gaining an initial foothold on the system.

Then we can obtain root's id_rsa by exploiting a special SUID program, which allows us to compromise the system.

[Read more]

HMV Learn2Code

This is a Linux machine with only the Web service enabled. By exploiting a Google Authenticator secret leaked in the source code, we gained control over OTP generation and thereby obtained a code execution environment. Simple reconnaissance revealed it to be a Python execution environment that filters the import keyword. However, this can be bypassed using basic built-in operations, and ultimately we established a foothold on the system via a reverse shell.

We subsequently identified a special root-owned program with the SUID bit set. By exploiting a simple stack overflow to manipulate a variable, we pivoted to a regular user account on the system. Within that user's home directory, we discovered a special executable file; through analysis of it, we obtained the root user's password.

[Read more]