HTB Academy – Getting Started: Privilege Escalation

Task:

SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’. Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’.

Move Laterally to User2

SSH into the machine with the given credentials for user1. Then run sudo -l to check which commands user1 can run with sudo without a password.

The output shows that user1 can run /bin/bash as user2, so run sudo -u user2 /bin/bash to start a new shell as user2. From that shell we can cat the flag.txt file in user2's home directory.

Escalate to Root

Then, to pivot to the root user, check the file permissions on root's SSH keys. Running ls -la on root's SSH key reveals that a regular user has read access to it. Read the private key with cat /root/.ssh/id_rsa, then copy it and save it locally.

I used touch to create an id_rsa file and opened it with vim to paste the contents of the root SSH key. To paste in vim, use "+p and the clipboard contents will be pasted in. To save and quit, use :wq

Then change the permissions on the id_rsa file using sudo chmod 600 id_rsa so the key file is not overly permissive and SSH accepts it. Once you have SSH'd into the server, cat the /root/flag.txt file to read the contents and submit the flag!
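
The root escalation above works only because /root/.ssh can be entered and id_rsa can be read by a non-root user. The script below is an added example, not part of the original walkthrough, that audits a directory tree for both conditions. The function names and the sample tree with fake key material are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the misconfiguration used in this walkthrough.

# audit_private_keys DIR...
# Prints "MODE OWNER PATH" for every file under DIR that starts with a
# private-key header and has a group- or other-read permission bit set.
audit_private_keys() {
    find "$@" -type f \( -perm -0040 -o -perm -0004 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            printf '%s %s\n' "$(ls -ld "$f" | awk '{ print $1, $3 }')" "$f"
        fi
    done
}

# audit_ssh_dirs DIR...
# Prints .ssh directories that group or other can enter (0700 is the usual mode).
audit_ssh_dirs() {
    find "$@" -type d -name .ssh \( -perm -0010 -o -perm -0001 \) -print 2>/dev/null
}

# Constructed sample tree with fake key material, so the audit runs offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/.ssh" "$t/home/user1/.ssh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-not-a-key' \
        '-----END OPENSSH PRIVATE KEY-----' > "$t/root/.ssh/id_rsa"
    cp "$t/root/.ssh/id_rsa" "$t/home/user1/.ssh/id_rsa"
    printf 'ssh-rsa constructed-public-key\n' > "$t/root/.ssh/id_rsa.pub"
    chmod 755 "$t/root/.ssh"        # weak: other users can enter
    chmod 644 "$t/root/.ssh/id_rsa" "$t/root/.ssh/id_rsa.pub"  # weak key mode
    chmod 700 "$t/home/user1/.ssh"  # corrected directory mode
    chmod 600 "$t/home/user1/.ssh/id_rsa"  # corrected key mode
    echo "$t"
}

# Scan the directories given as arguments, or the constructed sample if none.
if [ $# -gt 0 ]; then
    audit_private_keys "$@"; audit_ssh_dirs "$@"
else
    sample=$(make_sample_tree)
    audit_private_keys "$sample"; audit_ssh_dirs "$sample"
    rm -rf "$sample"
fi
```

Run as root against /root and /home so that find can descend into every home directory; any line it prints is a key or .ssh directory to tighten with chmod 600 or chmod 700.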
