Zenith Writeup

• Goal was to privesc to root and get the flag from root directory

• detecting privesc was easy because all i had to do was sudo -l

• we can execute zenity with sudo without password

• zenity is an application which generates GUI pop ups.

• but we have ssh, a simple workaround for this is to use -X commandline option of ssh which forwards gui applications to our machine, so using this we can execute zenity on remote server and popups will appear on our machine.

• now after reading manpage of zenity few times this command worked

zenity --text-info --filename "/root/.ssh/id_rsa"

• and a pop up appears with private key of root <3