TASK1: SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.
We connected to the target system using the provided credentials with the command ‘ssh user@REMOTE_IP -p PORT’. Let's navigate within the system to see our permissions. We observed that user1 does not have permission to read the flag.txt file in the user2 account, so we checked our sudo rights using ‘sudo -l’.
The output showed that the /bin/bash command can be executed as user2 without a password.
After executing the command ‘sudo -u user2 /bin/bash’, we were able to read the contents of the file using ‘cat flag.txt’.
TASK2: Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’
We observed that we have permission to view the root user's data but not to write to it. Therefore, let’s shape our attack vector.
We saved the content of the root user’s id_rsa file to our own machine. Then, we restricted its permissions using ‘sudo chmod 600 id_rsa’.
Note that we used the command ‘chmod 600 id_rsa’ on the key after we created it on our machine to change the file’s permissions to be more restrictive. If ssh keys have lax permissions, i.e., may be read by other people, the ssh server would prevent them from working.
We connected to the target system as the root user via SSH using the command ‘ssh root@REMOTE_IP -p PORT -i id_rsa’.
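From the defender's side, both steps above come down to two findings an administrator can audit for: a sudo rule that hands out a shell without a password, and a private key that other local users can read. The script below is an added example, not part of the original walkthrough; the function names and all sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit for the two misconfigurations used in this walkthrough.
# Function names and all sample data are constructed for illustration.

# Read `sudo -l`-style text on stdin and print the rules that allow a shell
# (or ALL commands) to be run without a password.
flag_nopasswd_shells() {
  grep -E 'NOPASSWD:.*(ALL|/(ba|da|z|k)?sh)([ ,]|$)' || true
}

# Print private key files under directory $1 that group or other can read.
find_exposed_keys() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
  while IFS= read -r f; do
    if head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
      printf '%s\n' "$f"
    fi
  done
}

# Demo on constructed input.
demo() {
  printf '%s\n' \
    'User user1 may run the following commands on host:' \
    '    (user2 : user2) NOPASSWD: /bin/bash' \
    '    (root) /usr/bin/less' | flag_nopasswd_shells
  tmp=$(mktemp -d)
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$tmp/id_rsa"
  chmod 644 "$tmp/id_rsa"      # the weak setting: readable by every local user
  find_exposed_keys "$tmp"
  chmod 600 "$tmp/id_rsa"      # the corrected setting: owner only
  find_exposed_keys "$tmp"     # prints nothing now
  rm -rf "$tmp"
}
demo
```

On a real host, feed the first function the output of ‘sudo -l -U USERNAME’ run by an administrator, and point the second at the home directories to be reviewed.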