misc

Nahamcon 2021

Zenith

  • The goal was to privesc to root and get the flag from the root directory.

  • Detecting the privesc was easy because all I had to do was sudo -l.

  • We can execute zenity with sudo without a password.

  • zenity is an application which generates GUI pop-ups.

  • But we have ssh; a simple workaround for this is to use the -X command-line option of ssh, which forwards GUI applications to our machine, so using this we can execute zenity on the remote server and the pop-ups will appear on our machine.

  • Now, after reading the manpage of zenity a few times, this command worked:

zenity --text-info --filename "/root/.ssh/id_rsa"

  • And a pop-up appears with the private key of root <3
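
From the defender's side, the misconfiguration above is a sudo rule that lets a file-displaying program run as root with arguments of the caller's choosing. The check below is an added example, not part of the original writeup: it parses `sudo -l` output and flags such rules. The sample output, the `FILE_READERS` list and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample of `sudo -l` output (not taken from the challenge host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass

User user may run the following commands on host:
    (root) NOPASSWD: /usr/bin/zenity
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/app.log, /usr/bin/id
"""

# Assumption: illustrative, non-exhaustive list of programs that will display
# a file named by the caller. zenity is the one from this writeup.
FILE_READERS = {"zenity", "less", "more", "cat", "vim", "view"}

# One rule line: "(runas) [TAG: ...] cmd [args], cmd [args]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit(sudo_l_output):
    """Return (command, runas_user, nopasswd) for risky rules.

    A rule is flagged when it runs as root (or ALL) and names a file-reading
    program without arguments. In sudoers, a command listed without arguments
    may be run with any arguments, so the caller picks the file.
    Simplification: commands are split on plain commas (no escaped commas).
    """
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            if name in FILE_READERS and len(parts) == 1:
                findings.append((parts[0], runas_user, nopasswd))
    return findings


if __name__ == "__main__":
    for command, runas, nopasswd in audit(SAMPLE_SUDO_L):
        print(f"{command} as {runas} (NOPASSWD={nopasswd}): arguments unrestricted")
```
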

Published on : 15 Mar 2021