mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Create envil.md
This commit is contained in:
parent
e21a1358a5
commit
a22b6ef139
1 changed files with 52 additions and 0 deletions
52
echoCTF/envil.md
Normal file
52
echoCTF/envil.md
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
# echoCTF - Anvil
|
||||||
|
|
||||||
|
This is an OS category challenge in which we are provided an IP address and a port to conenct using `nc`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/2yvvZOl.png"/>
|
||||||
|
|
||||||
|
We can find the first flag by printing the evnironmental variables using `env`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/pZSPZEI.png"/>
|
||||||
|
|
||||||
|
## Privilege Escalation (silver)
|
||||||
|
|
||||||
|
Running `sudo -l` we can see that we are user `copper` and we can run `/sbin/debugfs` as `silver` user
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/yRvltDQ.png"/>
|
||||||
|
|
||||||
|
In this user's directory we can find the first flag
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/BjuWPg5.png"/>
|
||||||
|
|
||||||
|
## Privilege Escalation (gold)
|
||||||
|
Next we can again run sudo -l to see which commands we can run as other user and here we can run `/usr/bin/sftp` with `gold` user , now in order to escalate we need to have a ssh port running but here we can't open that port as we need root privileges so we can open ssh port on our host machine
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/KsP1RAz.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/jWUGxFL.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/R3bm2gU.png"/>
|
||||||
|
|
||||||
|
Following GTFOBINS we can spawn a bash shell
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/xTJtY8a.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/u7fmZqU.png"/>
|
||||||
|
|
||||||
|
And in gold's home directory we can get the second flag.
|
||||||
|
|
||||||
|
## Privilege Escalation (ETSCTF)
|
||||||
|
|
||||||
|
Doing sudo -l again we can see that this user can run `/bin/bzless` as `ETSCTF` user
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/Xul6cMm.png"/>
|
||||||
|
|
||||||
|
bzless is similar to `less` binary but it's for viewing bzip2 compressed text so we can try to pass a filename to it and then privesc similar to less
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/uZ1ul2D.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/EBAEmwP.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/uIBSEoD.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/ecmDVEt.png"/>
|
Loading…
Reference in a new issue