Moo

A challenge from HeroCTF

Description

Just read the flag, it’s all there.

Author: Log_s

Solution

We are connected over SSH to a restricted shell with very few available commands. To list the available shell commands:

compgen -c

An interesting command to try for privilege escalation is vim. However, this is a restricted vim. Another command caught my attention: cowsay, which displays messages in the terminal and sometimes allows a privesc: https://gtfobins.github.io/gtfobins/cowsay/

I used vim to create a file test.txt:

exec "/bin/sudo /bin/cat /flag.txt";

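Then, by executing cowsay -f ./test.txt x, we can cat the flag! The -f option loads a cowfile, and cowsay evaluates a cowfile as Perl code, so the exec line in the file runs.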
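From the defender's side, the lesson is that a restricted shell is only as tight as the programs it exposes. The following is an added example, not part of the original writeup: a shell function that audits a restricted shell's command directory, resolving symlinks so that a renamed link to cowsay is still caught. The RISKY list and the function name are assumptions made for illustration; the list is partial.

```shell
#!/bin/sh
# Added example: audit the command directory exposed by a restricted shell.
# RISKY is a constructed, partial list of programs that can run
# caller-supplied code (cowsay evaluates Perl cowfiles given with -f).
RISKY="cowsay cowthink vim vi view perl python python3 awk find less man ed"

# audit_restricted_bin DIR  (hypothetical helper name)
# Prints "name -> resolved target" for every executable in DIR whose own
# name or resolved symlink target is in RISKY.
# Returns 1 if anything was flagged, 0 if the directory looks clean.
audit_restricted_bin() {
    local dir entry name target base risky flagged
    dir=$1
    flagged=0
    for entry in "$dir"/*; do
        # Skip directories, broken links and non-executables.
        [ -f "$entry" ] && [ -x "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks so a renamed link (moo -> cowsay) is still caught.
        target=$(readlink -f "$entry")
        base=$(basename "$target")
        for risky in $RISKY; do
            if [ "$name" = "$risky" ] || [ "$base" = "$risky" ]; then
                printf '%s -> %s\n' "$name" "$target"
                flagged=1
                break
            fi
        done
    done
    return "$flagged"
}
```

Run it against the directory the restricted shell's PATH points to, and pair it with a review of sudo rules: in this challenge the flag was readable only because the restricted user could also run /bin/cat through sudo.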
