OffSec PG - OnSystemShellDread


Machine IP →

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3 → Anonymous login allowed
61000SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)


Looking at the anonymous ftp, there was a directory .hannah inside which was an ssh key. Used this key for the user hannah on the ssh server grants the shell as hannah. This gave the user flag.

Privilege Escalation

Looked at the setuid binaries on the system, cpulimit was the interesting one. It can be ised to spawn a shell with elevated privileges using command → cpulimit -l 50 -f /bin/bash. However, with this, the program detects that the program being run has lower privileges, so bash drops the elevated privileges. Usually, bash has a flag -p, the purpose of which, as stated in the man page of bash is →

If  the  shell is started with the effective user (group) id not equal to the
real user (group) id, and the -p option is not supplied, the effective user id
is set to the real user id. Otherwise, the effective user id is not reset.

Therefore, a privileged shell can be launched as follows → cpulimit -l 100 -f -- /bin/sh -p. This gives the root shell and thus, the root flag.

This post is licensed under CC BY 4.0 by the author.