Official Compromised Discussion

@TazWake said:

Some things to consider:

  • locate is (at least in my experience) really hit and miss. It frequently misses files on my local system because I don't keep the database up to date.
  • each user account has set privs, if the account you are in doesn’t have privs to see the file, you might not be able to find it with other tools. Keep in mind what account is being used by which “exploit.”
  • If you use the second account via the first bit, the output is muddy so it isn’t great for broad searching (targeted enumeration still works).

On this box, there is no need to hunt the flags. They are exactly where they should be.

Just rooted.
There are enough hints here already, but I would like to clarify some stuff.
I was a bit surprised about all those discussions about locate/grep/find. Everything seemed to be straightforward in this machine.
Also, connectivity was not really a problem because no rev or bind shell was really needed.
One item required from the box can be very easily copied.
The most enjoyable part was actually the one with m****, hence getting first user. This part is very nicely described in public (google-fu). Similar stuff can be found on one of the machines in the lab where candidates for a very famous certification practice their skills :)
The rest was also fine, but I used a small hint regarding which item needs to be copied for privesc (thank you @Noobish!!!). A little bit of r** gave me root on the machine.
Overall quite enjoyable.