Read my writeup for dynstr machine on:
TL;DR;
User: Founding RCE on no-ip.com API, Get shell as www-data
user, From www-data
we found SSH private key on /home/bindmgr
directory inside strace-C62796521.txt
file.
Root: By running sudo -l
we found we can run the following script as a root /usr/local/bin/bindmgr.sh
, The script copies file as a root, By creating ln
to /root/root.txt
we can read the root flag.