# O9.1 Escalate your Privileges

Things are going well - you've gained initial access to another host on The Lucky Lion's network, but you have limited access with your current privileges. Let's open up a terminal and see if you can change that.

One of the easiest ways to run a command that you don't have permission to execute is to find a file that DOES have the right permissions and have it execute your command for you; all you have to do is find the right file!

**Flag Format** The file's name in name.extension format (e.g.: example.txt). You don't need to include the path.

**Objectives**

* Using the NARSH (Not A Real Shell) emulator, find a file with world writable permissions that executes as root.

**Tools Required**

* Web browser

**Additional Resources**

* [MITRE ATT\&CK](https://attack.mitre.org/tactics/TA0004/)
* [RED HAT](https://www.redhat.com/sysadmin/linux-file-permissions-explained/)
* [LINUX FOUNDATIONS](https://www.linuxfoundation.org/blog/blog/classic-sysadmin-understanding-linux-file-permissions/)

<https://target-httpd.chals.io/shell/privesc.html>

**Solution:** Target created a fake bash shell that they call NARSH ("Not A Real SHell") and want us to find the file with "world writable permissions" that runs as root.

The first step is to enumerate the target. I took notes of each directory and what files were in them:
* **/bin**: `narsh` (r-x)
* **/usr**: `/usr/bin/` (empty); `/usr/sbin/nologin` (r-x)
* **/var**: `/var/backups/` (empty); `/var/spool/cron/crontabs/` contains two crontabs, `root` and `narsh`; `/var/softhr/logs/softhr.log`
* **/etc**: `passwd`, `shadow`, `fstab` (these are files, not directories)
* **/root**: empty
* **/tmp**: empty
* **/home**: `/home/narsh/` contains Desktop, Documents, Downloads, Music, Pictures, Public and Videos; `/home/narsh/Documents/readme.txt` just says "Good luck!" when you cat it
* **/scripts**: lots of scripts, and every one of them shows the same two lines when you cat it:

```sh
#!/bin/narsh
cp /bin/narsh /tmp && chmod +s /tmp/narsh
```

That payload copies the shell to /tmp and sets the setuid bit on the copy. If root is the one running the script, the copy is owned by root, and anyone who then runs /tmp/narsh gets root's privileges.

It seems I should focus my attention on /scripts. But there are so many! How do I search them all, when the fake shell has no search commands? (NARSH also can't run `cp`, `mv`, or `chmod +s`, so the payload in the scripts can't be reproduced by hand; it does let you run `chmod`, `mkdir`, and `ls`.)

I decided to copy and paste the listing output from the shell into a text file on my Kali VM so I could run `grep "rw.rw.rw"` on it (each `.` is a regex wildcard, so it matches the execute position whether it is `-`, `x`, or `s`). But there is far more than one match! You could try submitting each one, but that seems like the wrong approach. The correct one is among them, and I highlighted it:

<figure><img src="https://964563587-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuXbk3swrKEb7s2aaJ6j6%2Fuploads%2FDYhBzIleA4DtyEnslNEp%2Fo9pt1-grep-scripts.PNG?alt=media&#x26;token=09070312-b257-4071-b223-ee6b9918d74d" alt=""><figcaption></figcaption></figure>

Later I also realized that the correct script is the one scheduled in the `root` crontab under `/var/spool/cron/crontabs/`. Cron runs that job as root, so a world-writable script it calls is exactly what the objective asks for: anything an unprivileged user writes into it executes as root on the next run, which is what separates it from the other world-writable scripts in the grep output:

<figure><img src="https://964563587-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuXbk3swrKEb7s2aaJ6j6%2Fuploads%2Fc2R7VnttDA84ImJoVthr%2Fo9pt1-crontabs-root-job.PNG?alt=media&#x26;token=9b0c3069-b147-4e23-bd31-0e0faf475a39" alt=""><figcaption></figcaption></figure>
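The cross-reference the writeup does by hand (grep the pasted listing for writable modes, then look for the same name in root's crontab), as an added shell example that is not part of the original writeup or the challenge. It runs entirely on constructed sample data: every file name, mode string and cron line below is made up, not the challenge's real /scripts listing or crontab. It also tests the "other" write bit directly instead of matching `rw.rw.rw`, because that pattern demands group write as well and would miss a file like `-rw-r--rw-` that is just as writable by everyone.

```shell
#!/bin/sh
# Added example, not code from the original writeup or the challenge.
# NARSH has no find or grep, so the writeup pastes the listing into a file and
# greps it offline. This does the same cross-reference on constructed data:
# entries whose "other" write bit is set, filtered to the ones root's crontab
# actually schedules. Every file name, mode and cron line below is made up.

# Constructed sample in `ls -l` format (not the challenge's real /scripts).
SAMPLE_LS='-rwxr-xr-x 1 root root 57 Jan  1 00:00 aaa.sh
-rw-rw-rw- 1 root root 57 Jan  1 00:00 bbb.sh
-rwxrwxrwx 1 root root 57 Jan  1 00:00 ccc.sh
-rw-r--rw- 1 root root 57 Jan  1 00:00 ddd.sh
-rw-rw-r-- 1 root root 57 Jan  1 00:00 eee.sh'

# Constructed sample root crontab (not the challenge's real one).
SAMPLE_CRON='# m h dom mon dow command
* * * * * /scripts/ccc.sh
@hourly /scripts/aaa.sh
30 2 * * * /scripts/eee.sh'

# world_writable LISTING
# Print the name (last field; names with spaces are not handled) of every entry
# whose mode string has "w" at position 9, the "other" write bit. This catches
# -rw-rw-rw- and -rwxrwxrwx but also -rw-r--rw-, which a grep for rw.rw.rw
# would miss because that pattern also demands group write.
world_writable() {
    printf '%s\n' "$1" | awk 'substr($1, 9, 1) == "w" { print $NF }'
}

# scheduled_by_root LISTING CRONTAB
# Of the world-writable names, keep those that appear as the basename of a
# path in a non-comment crontab line. A match is a script that root's cron
# will run, so whatever an unprivileged user writes into it runs as root.
scheduled_by_root() {
    world_writable "$1" | while IFS= read -r name; do
        printf '%s\n' "$2" | awk -v n="$name" '
            /^#/ || NF == 0 { next }
            {
                for (i = 1; i <= NF; i++) {
                    f = $i
                    sub(".*/", "", f)   # strip the directory part, keep the basename
                    if (f == n) { print n; exit }
                }
            }'
    done
}

# Stand-alone run: prints ccc.sh (world-writable and in root's crontab).
# bbb.sh and ddd.sh are writable but never run by root; eee.sh is run by root
# but only group-writable, so neither is a privilege-escalation path.
scheduled_by_root "$SAMPLE_LS" "$SAMPLE_CRON"
```

On a real Linux host with a real shell the same enumeration is `find / -type f -perm -o+w 2>/dev/null` plus a read of `/etc/crontab` and `/etc/cron.d/`; note that `/var/spool/cron/crontabs/root` is normally readable only by root, so being able to cat it in the emulator is a simplification of the challenge. The defender's fix is the mirror image of the finding: `chmod o-w` on anything cron runs as root.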

**Flag:** yydUpQ.sh
