Privilege Escalation

Hello Guys,

Need a quick help with the privilage escalation module questions “SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.”

First I tried running the command $ sudo su user2 - but I got the error “Sorry, user user1 is not allowed to execute ‘/usr/bin/su user2’” so I think I need to escalate my privilage first.

I downloaded the linpeas.sh script on my original host, started a http server on this host and tried to download the script on the remote server using tun0 interface IP but I am stuck now as the remote server can’t connect to the host and keeps timing out.

Any ideas on how to solve this question or what am I missing?

I haven’t done this module so I don’t know the answer here, however, I can make some general comments.

  • I think moving from user1 to user2 is privilege escalation, I don’t think you need to elevate in order to move as such.
  • In general, enumeration is the key for Linux privesc. There are lots of ways to switch users and you can switch su without sudo.
  • Look for files with passwords such as bash history, configuration files, etc. This is often a good way to see if there are some credentials lying around you can reuse.
  • Check running processes to see if anything is badly configured.
  • Look for files your account shares with the target account (check group membership, then use something like find / -group WHATEVER 2>/dev/null to see what exists)
  • Look for files owned by the target account which are readable to you (find helps again)

As it is an academy box, there should be some clues/guidance in the training material around in the module.

1 Like

Read the Hint —CHMOD

i believe this should help anyone who needs it… please do not hesitate to write at me for questions.

1 Like

Hi,
I’ve got one question?
have you ever tried this yourself?
because this → “Step 6: use this command to view the /flag.txt fileexample; cat flag.txt”
does not work.
regards

SORRY - DISREGARD PLEASE