I am stuck for a week+ on module Linux Privilege Escalation on Privileged Groups. I am able to escalate to root but dont understend how to find flag.
This is question: Use the privileged group rights of the secaudit user to locate a flag.
Hint: Grep within the directory this user has special rights over.
Hey Brother â I have been stuck on this question as well. I have looked through all the directories associated with the âadmâ group but have been unable to find the flag.
If I could get a nudge it would be greatly appreciated
Do you have any hints for this module? Iâm also able to escalate to root, looked through all directories associated with the âadmâ group but nothing yet. I also looked if there is anywhere some kind of path abuse where the âgrepâ command would be overwritten to return the flag but also here i didnât find anything.
I would really appreciate some hints what to do after the privilege escalation.
Hi, Iâm not sure if this is the correct way of doing it but I was able to get the flag. You donât need to escalate to root either.
You can use âfindâ to search for files/directories that belong to the adm group. Once youâve done that then you can use grep to search all files that contain the word flag within the directory that was listed from your first find command. Also the ADM section within the module will point you in the right direction for the directories.
@root79 Thank you for the help. I found the solution but do not understand⌠can you explain me why this flag is found in the log? How did you come to lookup that folder?
@R-b3n Go through the documentation for that exercise.
" Members of the adm group are able to read all logs stored in /var/log"
When you ran id command, you see the group adm, which should tip you off to look at that directory.
As for why he grepped for âflagâ. In HTB, there are a few keywords you want to look for when searching for the flag. âHTB{â and âflagâ are a few examples.
Hi, I spent a huge amount of time trying to figure out how to raise my rights from the user âhtb-studentâ to âsecauditâ!!!
The task says, âSSH to with user htb-student and passwordâ, and then the question itself:
âUse the rights of the privileged group of the secaudit user to find the flag.â
I puffed and sweated to find the vulnerability and make myself âsecauditâ, but nothing came out.
I just decided out of desperation to switch to this user and use the password from âhtb-studentâ.
BUT!!! Why was it not said in the assignment to immediately connect as a âsecauditâ user!!!
Or to say that after connecting as an âhtb-studentâ, switch to the âsecauditâ user!!!
I thought this was part of the task, first to find a way to raise my rights to âsecauditâ, and then apply the privileges of his group.
Agrrrrhrrr!!!
I wrote this for those guys who got into a situation like me))
1.- verify id â id â shows group i am part of
changue the default group
2.- newgrp adm
3.-find files that adm has access to â grep root for root perm
4.-find / -type f -group adm 2>/dev/null | xargs ls -l 2>/dev/null | grep adm | grep root
try a grep with each one
5.-cat /var/log/apache2/access.log | grep -I flag