ShellDredd #1 Hannah Walkthrough

Updated On: 09/05/2020

This is another VulnHub walkthrough and you can download it here.

Initial Scan

nmap scan

The scan results showed port 21 open with FTP (with anonymous login) and port 61000 open with ssh.

Port 21 - FTP

After logging in as the anonymous user, I couldn't find anything with a simple ls command, but ls -la showed a directory called ".hannah" that looked interesting.

ftp listing

I found out that you can do a wget command to download everything off of an FTP server. Source website here

wget -m ftp://anonymous:anonymous@ip_of_machine

With that, we find out that ".hannah" has her private ssh key. Bingo!

hannah private key

Port 22 - SSH

We can use the private key we found to login to the machine. Make sure you change the permissions of the file first, or else you'll get an error like I did in my screenshot below. The user flag is located in Hannah's folder.

ssh login

Privilege Escalation

I like to check SUID because that's a low hanging fruit. You can check this with the command below:

find / perm -u=s -type f 2>/dev/null

Pardon the below screenshot being ran as root, I forgot to take this until after I gained access to the machine. I highlighted "/usr/bin/mawk" because that was the one I used to gain access to the machine.

SUID options

I used GTFObins as a reference for this and linked it here.

root flag

To explain, I used this website as a reference and the command listed in GTFObins to edit the /etc/shadow file and get root access to the machine. Easy peasy!

Check out my other pen testing walkthroughs here