P'Hack 2021 - pwn (128 pts).
Written by BisBis.
First we connect via ssh with given login/password
We when connect, we are prompted with a message :
I checked the rights on the flag file :
We can see that only user master can read the file. It means that we have to do some kinds of privilege escalations in order to read the file.
First thing that come to my mind is to check if there is some commands that we are able to run as others users.
We can see that we can use the zip command as master user withtout being asked for a password.
So I decided to check on google if a privilege escalation is possible with zip command and guess what… It’s possible! So let’s get into it
Let’s create a file in /tmp directory :
Then : sudo -u master zip /tmp/myzip.zip /tmp/test.txt -T –unzip-command=‘sh -c /bin/bash’
That’s it ! We’re master user so it’s time for us to get the flag :
Documentation : https://www.programmersought.com/article/14176332182/