From 9255a4198d632193477af61e0ecd25e7a28f3fbd Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 4 Dec 2021 19:25:52 +0500 Subject: [PATCH] Create cretin.md --- echoCTF/cretin.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 echoCTF/cretin.md diff --git a/echoCTF/cretin.md b/echoCTF/cretin.md new file mode 100644 index 0000000..666f2d2 --- /dev/null +++ b/echoCTF/cretin.md @@ -0,0 +1,42 @@ +# echoCTF - Cretin + +We can find the first flag by printing the environmental variable `env`after connecting with `nc` + + + +## Privilege Escalation (dribble) + +Running `sudo -l` we can see that this user can run`ed` binary as `dribble` user + + + +So looking at GTFOBINS + + + + + +## Privilege Escalation (scribble) +Again running sudo -l we can see this user can now run `capsh` binary as `scribble` user + + + + + +## Privilege Escalation (ETSCTF) + +This is the last priv esc that we need to do , we can run `whiptail` as `ETSCTF` user + + + + + +Running that we will get ambiguous redirect , so this isn't actually a binary but a script which is running the actual whiptail binary + + + +We just need to specify the file name to read as the privesc is already included here + + + +
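Review bot: In the three Privilege Escalation sections, the text states what `sudo -l` showed and then stops ("So looking at GTFOBINS", "Running that we will get ambiguous redirect", "We just need to specify the file name to read") with only blank lines after each sentence, so the added file never records the `sudo -l` output or what was actually run. If images were meant to go in those gaps, they are not part of this patch. Include the relevant terminal output as text in the markdown so each step can be followed and verified. Smaller points: in the first paragraph `env` is a command that prints the environment, not an environment variable, and "`env`after" and "run`ed`" are each missing a space. In the scribble section, sudo -l is not in backticks as it is under dribble, and that heading is not followed by the blank line the other headings have.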