Nmap has never been so important on a machine: thorough scans lead to user access, then pivoting thanks to a backup of the shadow file cracked with John. Finally, get the root hash by using wget to post files as data.
Best machine I’ve rooted on HTB. Cool way of getting to user to pickle and then lots of creativity to extract data and get to user!
Various write-ups from IceCTF web challenges
Various write-ups from IceCTF forensics challenges
Cool deserialization flaw that allows getting a shell. Then just use Dirty COW to get the root hashes.
Heartbleed bug leads to an exposed RSA key being decrypted, which in turn leads to root through an open tmux session owned by root.
Simple rooting thanks to default passwords and file privilege misconfigurations.
File left on a web server and cool SSH port forwarding to access a VNC service running as root.
A PHP shell on a website is not always a good idea. Neither is a cron job running as root…
Vulnerable pfSense firewall that leads to an RCE granting root access. Simple.