P'Hack 2021 - pwn (64 pts).
Written by BisBis.
First we connect via ssh with given login/password
We when connect, we are prompted with a message :
I checked the rights on the flag file :
We can see that only user master can read the file. It means that we have to do some kinds of privilege escalations in order to read the file.
First thing that come to my mind is to check if there is some commands that we are able to run as others users.
We can see that sudo command is not found, it means that it might have been blocked from system administror.
Let’s try to enumerate all binaries having SUID permissions by using following command :
find / -perm -u=s -type f 2>/dev/null
For further explanation on the command, i’ll suggest you to check the documentation given in the end of my write-up.
And look what we got !
What does it mean ? It simply means that we can run python3.8 with the user id of root.
From now it’s pretty easy to get the flag :