Linux priv esc Environment Enumeration help please

It’s a very great exercise. There are two ways to solve it: 1. brute forcing; use grep and 2. the artist way; use the other user.
PrivEsc does not always mean going directly to ROOT! Taking over some other user account is also a PrivEsc!

Can you help me with the command? I have been trying this for 1 hr and it seems like the content in this module isn’t helping.

Exactly. There is that hidden file, modified in 2023, but I don’t know how to open it. Were you able to open it?

A couple things that could help:

  1. sudo -l (L small letter)
  2. GTFOBins.github.io

Look for accounts on the victim machine with files with NOPASS access for sudo.

You can use these files to escalate privilege in various ways.

The only file I can use from sudo with htb-student is ncdu, nothing useful.

On GTFO there are vulnerabilities for ncdu, but when I run it as sudo it doesn’t give me permission to run it. It’s strange.

When I use sudo -l it prints:
(ALL, !root) /bin/ncdu

Just this, could you give me a hand?

Remember you can use sudo to run as a different user.

Once you’ve done that explore the files that are available on the other user’s desktop and look at the files mentioned.

Try to start by analyzing the contents of users’ home directories, as they often contain sensitive data. Pay attention to files that may contain passwords, keys, configuration files or other sensitive information. These can be files like .bash_history, .ssh, .gnupg, .aws, .mysql_history, .viminfo and others. Also pay attention to the contents of the /etc and /var directories, where configuration files and system logs may be stored. Additionally, check for hidden files and directories using the ls -a command.

The way I’ve solved that one:

  1. I checked what users are on that machine
  2. I checked what the current htb-student user is allowed to run as another user
  3. I checked online if there’s a way to escalate privilege through that only binary allowed. There is
  4. I escalated privilege
  5. I read through the second user’s home files. One file tells me what the second user edited recently
  6. I checked the content of that file

1 Like

I still cannot figure this out. I have found the NCDU binary and have tried all the commands on the GTFO bins website. Could you provide some more assistance please? What do you mean by "I checked what the current htb-student user is allowed to run as another user"? As far as I can tell you cannot run another user.

Thank you so much! That last part with the sudo -u is the part I was missing. I appreciate the walkthrough.

Yeah. We got so used to using sudo without any user argument :grinning: Have fun!

1 Like
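
For anyone reviewing sudo rules from the defender's side, an added example that is not part of any post in this thread: a small Python parser that resolves the Runas list of sudo -l entries, such as the (ALL, !root) /bin/ncdu line quoted above, into the accounts the rule actually grants. The account list, the two extra entries and the function names are constructed for illustration.

```python
import re

# Constructed sample of `sudo -l` entries; the first is the line quoted in the thread.
SAMPLE_SUDO_L = """\
    (ALL, !root) /bin/ncdu
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (backup : backup) /usr/bin/rsync
"""
# Constructed account list (assumption; on a real host take the names from /etc/passwd).
LOCAL_USERS = ["root", "htb-student", "alice", "www-data", "backup"]

# "(runas list) [TAG: ...] command"
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def runas_targets(runas, users):
    """Resolve the user part of a Runas list: items are read in order, the last match wins."""
    items = [i.strip() for i in runas.split(":")[0].split(",") if i.strip()]
    allowed = []
    for user in users:
        verdict = False
        for item in items:
            name = item.lstrip("!").strip()
            if name == "ALL" or name == user:
                verdict = not item.startswith("!")  # "!" turns a match into a deny
        if verdict:
            allowed.append(user)
    return allowed

def audit(sudo_l_text, users):
    """Return one finding per rule: command, resolved target accounts, review flags."""
    findings = []
    for line in sudo_l_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines of `sudo -l` output are skipped
        runas, tags, command = m.group(1), m.group(2), m.group(3).strip()
        findings.append({
            "command": command,
            "runas": runas_targets(runas, users),
            "nopasswd": "NOPASSWD" in tags,
            # A deny-list such as (ALL, !root) still grants every other account.
            "denylist": "ALL" in runas and "!" in runas,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L, LOCAL_USERS):
        note = "  <- deny-list rule, review" if f["denylist"] else ""
        print(f'{f["command"]}: may run as {", ".join(f["runas"])}{note}')
```

Group items (%group) and numeric IDs (#uid) in a Runas list are not resolved by this example.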

I (think?) I’ve found the flag. It’s under

/root/flag.txt, right? You should submit the whole HTB{flagcontent}, right? I can’t get it to be passed as correct. Tried both via VPN on my own machine and the pwnbox-web-thingie.

Opened a ticket, so I guess I will see if I’m doing it wrong or if it’s actually something that’s wrong on HTB’s side. But it’s weird when others have gotten it right?

Hope I’m not spoiling for anyone here, I don’t think so - but I’m gonna blur anyway :stuck_out_tongue:

I have been stuck for a while (2 hours). Would you be so kind as to point me in the right direction?

Hello, I have been trying to get this part done but have not been successful. Any pointers that I can get?

Thank you.

I found it.

I found a flag, but it doesn’t mark it as correct.

I don’t know if there are two flags?

Question: Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.

It is very simple: use grep in recursive mode with the flag keyword, such as “HTB{”, specifying the first path on the system. The root system path.

Feel free to DM if someone needs help.

2 Likes

Thanks man, you are my savior =D This was a pain in D A$$!

1 Like

This is the first lab for the module and it was very interesting. It took me a few hours to figure it out. Like some mentioned above, it did not give us the flag convention, and how would we figure out how to grep it?

I could use grep to get the flag but it should not be the intention of this section. After battling a few hours with this, I was able to escalate the privilege to a different user. From there, I was able to break out from restricted environments by spawning an interactive system shell. It was a matter of time to find the flag from here.

Have fun hacking, folks!