This is a Linux machine with SSH and Web services enabled. By inspecting the robots.txt file, we discovered a special directory named shehatesme, which provided hints for a batch of username/password credentials. We used these credentials to brute-force SSH access and successfully gained an initial foothold on the system.

Based on a hint from the machine's name, we searched for files with the SUID bit set and found a root-owned executable called suidyyyyy. However, this binary could not be exploited directly: it calls setuid(1001) to switch to another user before spawning a bash shell.

Fortunately, the initial user we compromised, theuser, belongs to a group that has write permissions on this file. Using pspy, we discovered that the root user runs a cron job every minute to reapply the SUID bit to this file. Taking advantage of this, we compiled our own executable containing setuid(0);system("/bin/bash"); and replaced the original suidyyyyy binary with it. After waiting for the cron job to restore the SUID bit, we executed the modified binary and successfully obtained a root shell.
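
From the defender's side, the two conditions that made this escalation possible (a SUID file that a non-owner can write, and a scheduled job that re-applies the SUID bit) can both be audited. The following is an added example, not part of the original write-up; the function names and the sample crontab lines are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample crontab; the paths are placeholders, not from the write-up.
SAMPLE_CRONTAB = """\
* * * * * root chmod 4755 /opt/example/helper
*/5 * * * * root /bin/chmod u+s,g-w /opt/example/other
0 3 * * * root chmod 0755 /opt/example/plain
0 4 * * * root chmod g+s /opt/example/shared
"""


def find_writable_suid(root="/"):
    """Return (path, mode, uid, gid) for SUID files that group or others can write."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and writable:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return sorted(findings)


def _sets_suid(mode_arg):
    """True if a chmod mode argument (octal or symbolic) turns the SUID bit on."""
    if re.fullmatch(r"0?[4-7][0-7]{3}", mode_arg):
        return True
    for clause in mode_arg.split(","):
        m = re.fullmatch(r"([ugoa]*)[+=]([rwxXst]*)", clause)
        if m and "s" in m.group(2) and (not m.group(1) or set(m.group(1)) & set("ua")):
            return True
    return False


def cron_lines_setting_suid(crontab_text):
    """Return crontab lines whose chmod invocation sets the SUID bit."""
    hits = []
    for line in crontab_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        names = [os.path.basename(t) for t in tokens]
        if "chmod" in names and any(map(_sets_suid, tokens[names.index("chmod") + 1:])):
            hits.append(line)
    return hits
```

Run `find_writable_suid("/")` as root so unreadable directories are not skipped, and feed `cron_lines_setting_suid` the contents of each crontab file on the host. Any finding from the first function is worth fixing on its own: a SUID file should be writable only by its owner.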