Linux Local Privilege Escalation - Skills Assessment

Is there someone who finish this Academy. Because I need help about this?

1 Like

Is there someone who can help?

1 Like

Type your comment> @Gocka said:

Is there someone who can help?

I hint you somethings! we have 5 flag !

first: you SSH to target with user: htb-student —> you will get the flag1, you should enumerate all things into home folder of this user
*reading hint of lab for this

Second: you must escalate to user who have permission for reading the flags (flag2, flag3)

  • Reading again “Privileged Groups” section
  • Please review the permission of users and try to read some files with the permission what you owned.
    ----------> you will get some sensitive information to next processing

Third: With the hint of lab that tell you should enumerat all external services are running on target! Flag4!
so, what are external services those you think?, trying hard, and enumerating and read all files relate to external services with your permission (user and group permission)
—> you will find out sensitive information, but with flag4, you must escalate to right permission, I think you must exploit the target machine with right external service

Fourth: Flag5, easy for it! with root permission

  • Reading something about “Privilege Escalation”, try to enumerate manually
1 Like

Hi,I already found external service on target machine and found some sensitive information for this service and went to admin page. But how can I use this external service to read flag4. By file inclusion or other method? Is there anybody can give me some hints? Thanks

1 Like

You should enumerate the target with your user permission, Keep your mind, the service you’re targeting, you will find out the credential for logging the service after you have to exploit it to get the right permission and read the flag4

Ok, i’m seriously stuck on the last flag, any hints? Edit: omg i’m an idiot, an unexpected user could execute privileged commands. Good course!

1 Like

Someone can help me about the last flag?
I use the t…t credential with reverse shell.
I can’t get privilege escalation.

Check what commands that user can run. :slight_smile:

1 Like

I check the command with sudo -l but I don’t find the solution for this.

1 Like

GG for arachn1d

Hi friends, im on user whose managed the web app, you know, i have flag 4, this user can do a command , i have used sudo trying preload, but im not allowed yo know, could yo throw me some clues? thanks

Same issue as dstnat. I have flag4. I know the command this user can do as sudo. I’ve looked up GTFOBin for this command and ran it (as well as a dozen other variations), but still am not able to get root. Any other clues would be appreciated. Yesterday I tried compiling a file to use with a with ld preloader and packed it in .war uploaded, unzipped and was not able to run either. Been stuck here for 3 days. Help!

1 Like

Stuck on this… any clue?

theres somebody could help? thanks in adavance

hi there. the user to access the tomcat manager, is it tomcat or a different user?
I am digging on log files and conf files accessible by user barry/group adm, but no luck

never mind, I’ve found it. I think I mistyped on my first attempt

Hey, I;ve just got flag5. if you got flag4, the way to flag5 is not hard, but tricky.

1 Like

Just solved this. To anyone stuck at this place. The only hint I think I would give in public is to notice that your reverse shell isn’t fully interactive. It is possible and necessary to have a fully interactive tty shell.


Any hints for flag4? Pulling my hair out with it at the moment and getting nowhere :confounded: :confounded: :confounded: No matter…I have it…I was focusing too much on the one thing :roll_eyes: :roll_eyes: :roll_eyes:

Yes, I am also stuck at flag4. I pivoted to user Barry, who is adm group member. Found nothing in the logs. To read flag4, tomcat user privileges are required. I have no idea where to go from here. Pivot to tomcat service role?