Posts for: #Forensic

HMV Pwned

This is a Linux machine with FTP, SSH and Web services there, but anonymous login is disabled for FTP. Fortunately, through web directory enumeration, we discovered a hidden_text file that provided us with a custom wordlist. Using this wordlist for a second scan, we found the FTP service credentials in a leaked pwned.vuln file.

With these credentials, we obtained ariana's SSH private key and gained an initial foothold on the system. By reviewing this user's sudo rules, we discovered that command injection could be exploited to pivot to the user selena. Since this user belongs to the docker group, we were able to mount the system's root directory into a container and ultimately gain root privileges.

[Read more]

HMV Suidy

This is a Linux machine with SSH and Web services enabled. By inspecting the robots.txt file, we discovered a special directory named shehatesme, which provided hints for a batch of username/password credentials. We used these credentials to brute-force SSH access and successfully gained an initial foothold on the system.

Based on a hint from the machine's name, we searched for files with the SUID bit set and found a root-owned executable called suidyyyyy. However, this binary could not be directly exploited: it calls setuid(1001) to switch to another user before spawning a bash shell.

Fortunately, the initial user we compromised, theuser, belongs to a group that has write permissions on this file. Using pspy, we discovered that the root user runs a cron job every minute to reapply the SUID bit to this file. Taking advantage of this, we compiled our own executable containing setuid(0);system("/bin/bash"); and replaced the original suidyyyyy binary with it. After waiting for the cron job to restore the SUID bit, we executed the modified binary and successfully obtained a root shell.

[Read more]

THM Smol

This is a Linux machine with a web service provided by WordPress, which has an SSRF vulnerability that leaks the credentials of the web user.

After logging into the system as the web user, we obtained the password hash of another normal user. Subsequently, we utilized forensic techniques to move laterally across users on the system. Ultimately, we discovered that user xavi had configured a sudo rule allowing passwordless execution of arbitrary programs, effectively granting root privileges.

[Read more]

THM Pyrat

This machine provides a remote Python REPL environment via a SimpleHTTP service.

We gained initial access by constructing a simple Python version of a reverse shell.

After conducting a thorough search of the system (targeting users with login shells), we discovered that one user maintained a Git repository containing their login credentials. Subsequently, we uncovered clues within the Git logs pointing to the remote REPL environment. This led us to further fuzz the environment's hidden endpoint and its password, ultimately gaining root privileges.

[Read more]