HTB Academy > Linux Privilege Escalation > Privileged Groups


I am stuck for a week+ on module Linux Privilege Escalation on Privileged Groups. I am able to escalate to root but dont understend how to find flag.

This is question: Use the privileged group rights of the secaudit user to locate a flag.
Hint: Grep within the directory this user has special rights over.

Hey Brother — I have been stuck on this question as well. I have looked through all the directories associated with the “adm” group but have been unable to find the flag.

If I could get a nudge it would be greatly appreciated :slight_smile:

Do you have any hints for this module? I’m also able to escalate to root, looked through all directories associated with the “adm” group but nothing yet. I also looked if there is anywhere some kind of path abuse where the “grep” command would be overwritten to return the flag but also here i didn’t find anything.
I would really appreciate some hints what to do after the privilege escalation.

Hi, I’m not sure if this is the correct way of doing it but I was able to get the flag. You don’t need to escalate to root either.

You can use “find” to search for files/directories that belong to the adm group. Once you’ve done that then you can use grep to search all files that contain the word flag within the directory that was listed from your first find command. Also the ADM section within the module will point you in the right direction for the directories.

Hope that helps


Hi, try to enumerate as the “hint” button say, in the /**r/l*g. You can find interesting files and services folders

1 Like

My hints:


find /var/log/ -group ***

1 Like


cd /var/log
grep -ri flag

enter the value after flag%20=%20

good luck


@root79 Thank you for the help. I found the solution but do not understand… can you explain me why this flag is found in the log? How did you come to lookup that folder?

@R-b3n Go through the documentation for that exercise.
" Members of the adm group are able to read all logs stored in /var/log"

When you ran id command, you see the group adm, which should tip you off to look at that directory.

As for why he grepped for “flag”. In HTB, there are a few keywords you want to look for when searching for the flag. ‘HTB{’ and ‘flag’ are a few examples.

Hi, I spent a huge amount of time trying to figure out how to raise my rights from the user “htb-student” to “secaudit”!!!
The task says, “SSH to with user htb-student and password”, and then the question itself:
“Use the rights of the privileged group of the secaudit user to find the flag.”
I puffed and sweated to find the vulnerability and make myself “secaudit”, but nothing came out.
I just decided out of desperation to switch to this user and use the password from “htb-student”.
BUT!!! Why was it not said in the assignment to immediately connect as a “secaudit” user!!!
Or to say that after connecting as an “htb-student”, switch to the “secaudit” user!!!
I thought this was part of the task, first to find a way to raise my rights to “secaudit”, and then apply the privileges of his group.
I wrote this for those guys who got into a situation like me))


agreed this was poor way to word it/give instructions. Actually entire linux section so far has seemed subpar to all the other modules in CPTS path

wow that one was really bullshit lol

1.- verify id → id → shows group i am part of
changue the default group
2.- newgrp adm

3.-find files that adm has access to → grep root for root perm
4.-find / -type f -group adm 2>/dev/null | xargs ls -l 2>/dev/null | grep adm | grep root
try a grep with each one
5.-cat /var/log/apache2/access.log | grep -I flag

you will know

1 Like