Exploring the System as User

To get root, we will need a proper user shell. Taking the lua exploit we used to print the user flag, we will do the same thing to echo our public ssh key into /home/sysadmin/.ssh/authorized_keys and then login as sysadmin.

Screenshot_20200403_030730.png

running /bin/bash will give us a bash shell, and then upload pspy64 script for quick enumeration.

letting that run for a bit, we see that there are files from /var/backups/.update-motd.d/ getting copied every 30 seconds to /etc/update-motd.d/

Seeing the message of the day from Xh4H displayed during login, we will head to /etc/update-motd.d and find out that the files are owned by root user and group owned by sysadmin. We also see that group users get full access to read write and execute these files.

Screenshot_20200403_031352.png