OnSystemShellDredd

  1. Started by running a TCP scan via Nmap.

Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-05 11:55 IST
Nmap scan report for 192.168.192.130
Host is up (0.075s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.45.243
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
|   256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
|_  256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.89 seconds
  2. An FTP server on port 21 and SSH on port 61000 were found.

FTP Enumeration

  1. As anonymous login was available, I connected to the FTP server.

  2. I listed the contents of the working directory and found a hidden .hannah directory.

  3. I checked the directory and found an SSH key inside.

  4. I downloaded it and checked with John whether it had a passphrase that needed to be cracked, but luckily none was required.
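The finding above (an anonymous FTP root exposing a hidden directory with an SSH private key) is something a host owner can check for before an attacker does. The script below is an added example, not part of the original write-up or of vsftpd itself. It checks whether a vsftpd configuration allows anonymous logins and then lists every dot-entry and private-key file below the anonymous root. The paths are assumptions: vsftpd reads /etc/vsftpd.conf by default, and on Debian the anonymous root is the ftp user's home, commonly /srv/ftp. The demo tree it builds is constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit an FTP service from
# the defender's side. Assumed paths: /etc/vsftpd.conf and an anonymous root
# such as /srv/ftp. The demo tree below is constructed sample data.

# Print YES if the vsftpd config at $1 enables anonymous login, otherwise NO.
# The last uncommented anonymous_enable line wins; when the line is absent,
# vsftpd's built-in default is YES (vsftpd.conf(5)).
anon_enabled() {
    v=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//' | tr 'a-z' 'A-Z')
    case "$v" in
        NO|FALSE|0) echo NO ;;
        *)          echo YES ;;
    esac
}

# List what an anonymous client could fetch from the root $1 but should not
# find there: hidden (dot) entries and any file holding a private key.
audit_ftp_root() {
    find "$1" -name '.*' ! -path "$1" 2>/dev/null | sed 's/^/hidden entry: /'
    grep -rl -e 'BEGIN .*PRIVATE KEY' "$1" 2>/dev/null | sed 's/^/private key: /'
}

# Constructed demo: a stand-in anonymous root (with a hidden directory and a
# placeholder key file, mirroring the .hannah finding) plus a stand-in config.
demo_ftp_root() {
    d=$(mktemp -d)
    mkdir -p "$d/pub" "$d/.hannah"
    echo 'public notice' > "$d/pub/README"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'constructed placeholder, not key material' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/.hannah/id_rsa"
    printf 'listen=YES\nanonymous_enable=YES\n' > "$d/vsftpd.conf"
    printf '%s\n' "$d"
}

# Usage:  sh ftp_audit.sh /etc/vsftpd.conf /srv/ftp   (audit a real host)
#         sh ftp_audit.sh                             (run the constructed demo)
if [ -n "${2:-}" ]; then
    echo "anonymous login enabled: $(anon_enabled "$1")"
    audit_ftp_root "$2"
else
    d=$(demo_ftp_root)
    echo "anonymous login enabled: $(anon_enabled "$d/vsftpd.conf")"
    audit_ftp_root "$d"
    rm -rf "$d"
fi
```

If anonymous login is genuinely required, the fix for the exposure in this write-up is to keep the anonymous root limited to intentionally public files: the audit should print nothing, and any hidden entry or key file it reports should be removed or moved out of the tree.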

SSH and Privilege Escalation

  1. I connected to the target's SSH service with the key obtained in the previous step.

  2. There I found the first flag in local.txt.

  3. Next I started enumerating the system for privilege escalation. I looked for vulnerable SUID binaries and found the following binaries available.

  4. The next obvious step was to check GTFOBins.

  5. I found that exploits were listed for the mawk binary. I searched online to learn more about it and found that it is an interpreter for the AWK programming language, which is commonly found on Unix-based systems. More can be read about it on Wikipedia: https://en.wikipedia.org/wiki/AWK.

  6. I tried out all the exploits listed for mawk, but none of them gave me a privileged shell. Moreover, sudo wasn't available on the target either.

  7. I looked around more and saw that cpulimit was another available binary listed on GTFOBins: https://gtfobins.github.io/gtfobins/cpulimit/

  8. I tried the SUID exploit listed there and successfully got a root shell.

  9. The final step was obtaining the flag, which was in the proof.txt file.
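The escalation path above (SUID binaries such as mawk and cpulimit that appear on GTFOBins) is the kind of misconfiguration a periodic host audit catches. The script below is an added example, not part of the original write-up or of GTFOBins. It lists SUID binaries under a directory tree, reports any that are not on an allowlist of programs that legitimately need the bit, and shows the remediation of dropping the bit. The allowlist is a constructed sample rather than a complete inventory for any distribution, and the demo tree is constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original write-up): report SUID binaries that
# have no business carrying the bit. SUID_ALLOWLIST is a constructed sample of
# programs that normally need setuid, not a complete list for any distribution.

SUID_ALLOWLIST="passwd su mount umount chsh chfn newgrp gpasswd sudo"

# Print every SUID regular file below $1, one per line, sorted.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print SUID files below $1 whose name is not in SUID_ALLOWLIST.
# On the host in this write-up, mawk and cpulimit would both be reported.
unexpected_suid() {
    find_suid "$1" | while IFS= read -r f; do
        name=$(basename "$f")
        case " $SUID_ALLOWLIST " in
            *" $name "*) ;;                 # expected setuid program
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Remediation: drop the setuid bit from a binary that does not need it.
revoke_suid() {
    chmod u-s "$1"
}

# Constructed demo tree standing in for a host's filesystem: one legitimate
# SUID program, two that should not be SUID, and one ordinary binary.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for name in passwd cpulimit mawk; do
        : > "$d/usr/bin/$name"
        chmod 4755 "$d/usr/bin/$name"
    done
    : > "$d/usr/bin/ls"
    chmod 0755 "$d/usr/bin/ls"
    printf '%s\n' "$d"
}

# Usage:  sh suid_audit.sh /     (audit a real host)
#         sh suid_audit.sh       (run the constructed demo)
if [ -n "${1:-}" ]; then
    unexpected_suid "$1"
else
    d=$(demo_tree)
    unexpected_suid "$d"
    rm -rf "$d"
fi
```

Running the audit against a fresh install and saving its output as a baseline turns it into a simple change detector: any binary that later appears in the report is either a new package that needs review or a modification worth investigating.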
