python -c 'import pty; pty.spawn("/bin/bash")' spawn another shell and make it interactive
We're using find to search the volume, by specifying the root (/) to search for files named "id_rsa" which is the name for private SSH keys, and then using 2> /dev/null to only show matches to us.
find / -name id_rsa 2> /dev/null
The "Priv Esc Checklist"
Determining the kernel of the machine (kernel exploitation such as Dirtyc0w)
Locating other services running or applications installed that may be abusable (SUID & out of date software)
Looking for automated scripts like backup scripts (exploiting crontabs)
What type of privilege escalation involves using a user account to execute commands as an administrator?
vertical
What is the name of the file that contains a list of users who are a part of the sudo group?
sudoers
Use SSH to log in to the vulnerable machine like so: ssh cmnatic@10.10.6.64
Input the following password when prompted: aoc2020
No answer needed
Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
You may find uploading some of the enumeration scripts that were used during today's task to be useful.
https://gtfobins.github.io/gtfobins/bash/
No answer needed
Use this executable to launch a system shell as root.
What are the contents of the file located at /root/flag.txt?
