Zenith Writeup
Nahamcon 2021
-
Goal was to privesc to root and get the flag from the root directory
-
Finding the privesc vector was easy because all I had to do was run
sudo -l
-
We can execute
zenity
with sudo without a password.
-
zenity is an application which generates GUI pop-ups.
-
But we have SSH, and a simple workaround for this is to use the
-X
command-line option of ssh, which forwards GUI applications to our machine. Using this we can execute zenity on the remote server and the pop-ups will appear on our machine.
-
Now, after reading the zenity manpage a few times, this command worked:
zenity --text-info --filename "/root/.ssh/id_rsa"
-
and a pop-up appears with the private key of root <3
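-
As an added defender's example (this is not part of the original writeup and not something from the box itself), here is a small POSIX shell audit that covers the two things this chain relied on: a NOPASSWD sudo rule for a binary that can open arbitrary files, and X11 forwarding being allowed by sshd. The `sudo -l` output and sshd_config fragments below are constructed samples that only resemble what the writeup describes; the box's real files are not on the page.

```shell
#!/bin/sh
# Added audit example, not code from the original writeup.
# Both inputs below are CONSTRUCTED samples, not copied from the zenith box.

SAMPLE_SUDO_L='Matching Defaults entries for user on zenith:
    env_reset, mail_badpass

User user may run the following commands on zenith:
    (root) NOPASSWD: /usr/bin/zenity
    (root) /usr/bin/apt-get'

# Weak sshd_config: allows the ssh -X trick used in the writeup.
SAMPLE_SSHD_WEAK='# constructed sshd_config fragment
Port 22
X11Forwarding yes
PermitRootLogin no'

# Hardened variant: X11 forwarding off, so no GUI pop-up reaches a client.
SAMPLE_SSHD_HARDENED='# constructed sshd_config fragment
Port 22
X11Forwarding no
PermitRootLogin no'

# nopasswd_binaries: read `sudo -l` output on stdin and print one allowed
# command per line for every "(runas) NOPASSWD: cmd[, cmd...]" rule.
# Anything printed here deserves review: can the binary read or write
# files of the caller's choosing (zenity --text-info --filename can)?
nopasswd_binaries() {
    awk '/NOPASSWD:/ {
        sub(/.*NOPASSWD:[[:space:]]*/, "")      # drop "(root) NOPASSWD: "
        n = split($0, cmds, /,[[:space:]]*/)    # several commands may share a rule
        for (i = 1; i <= n; i++) print cmds[i]
    }'
}

# x11_forwarding_effective: read sshd_config text on stdin and print the
# effective X11Forwarding value ("yes" or "no"). sshd honours the first
# occurrence of a keyword and defaults to "no" when it is absent; comment
# lines start with "#" so their first field never equals the keyword.
x11_forwarding_effective() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# report: run both checks over the constructed samples and print findings.
report() {
    echo "== NOPASSWD sudo rules =="
    printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_binaries | while IFS= read -r b; do
        echo "review: $b runs as root with no password"
    done
    echo "== X11Forwarding =="
    echo "weak config:     $(printf '%s\n' "$SAMPLE_SSHD_WEAK" | x11_forwarding_effective)"
    echo "hardened config: $(printf '%s\n' "$SAMPLE_SSHD_HARDENED" | x11_forwarding_effective)"
}

report
```

The fix on the sudo side is simply to drop the `(root) NOPASSWD: /usr/bin/zenity` line from sudoers (or restrict it to a wrapper that cannot take a caller-chosen filename); on the ssh side, `X11Forwarding no` removes the channel the pop-up travelled through. Note that the sudo rule is the real problem: a file-reading GUI tool run as root is exploitable whether or not X11 forwarding is on.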