Linux Previlige Escalation-->Escaping Restricted shells

  1. check all command can exec: compgen -c
  2. In there can find 3 command popular: echo read printf can search google or ask AI how to read file.

If you try to put flag.txt after that option, you will see content of the file.

echo $PATH
/home/htb-user/bin

echo /home/htb-user/bin/*
/home/htb-user/bin/man

man -h
-C, --config-file=FILE use this user configuration file

man -C flag.txt
man: can’t parse directory list `HTB{3…icte…311}

man: can’t make sense of the manpath configuration file /etc/manpath.config

:expressionless: