HTB Privilege Escalation

amin bouloujour

Let’s first SSH into the server given to us by HTB using the user "user1" and password "password1".

Now we need to discover more about the machine and what capabilities we have. We can do this by running sudo -l, which lists the commands our user is allowed to run through sudo.

As the output shows, /bin/bash is our ticket to getting into user2. By entering the command sudo -u user2 /bin/bash, we get a shell as user2.

With this, we can navigate to the flag.txt file, read its content, and submit it. Now, we need to escalate to root. As hinted in the HTB section Exposed Credentials, we can explore the machine further to look for any exposed credentials.

That’s it: we just found a hidden folder, .ssh, containing the SSH private and public keys. We tried writing to authorized_keys but didn’t have permission. So now we need to copy the contents of id_rsa to our local machine and try logging in to the HTB machine as root.

We gave the id_rsa the proper permissions so we can use it securely to connect to the HTB machine as root — and with that, we just found the second flag.
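
For the defensive side of the exposed-credentials step above, here is an added example (not part of the original write-up) of a small audit that lists private key files readable by group or other users, and .ssh directories those users can enter. The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit for the exposure this walkthrough relies on, a private
# key that an account other than its owner can read.
# Function names and the directory argument are hypothetical.

# Print every private key file under $1 that group or other users can read.
# Files are recognised by their PEM/OpenSSH header, not by name, so renamed
# copies and backups of id_rsa are reported too.
audit_private_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec sh -c '
        for f in "$@"; do
            if head -n 1 "$f" 2>/dev/null |
               grep -q "^-----BEGIN .*PRIVATE KEY-----"; then
                printf "%s\n" "$f"
            fi
        done
    ' sh {} +
}

# Print every .ssh directory under $1 that group or other users can enter.
# Without the execute bit on the directory, files inside it cannot be opened
# by those users, whatever the file modes are.
audit_ssh_dirs() {
    find "$1" -type d -name .ssh \( -perm -010 -o -perm -001 \) -print
}

# Run as root so every home directory is visible, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then
    echo "Private keys readable by group/other:"
    audit_private_keys "$1"
    echo ".ssh directories open to group/other:"
    audit_ssh_dirs "$1"
fi
```

Anything the audit reports should be tightened so that only the owner can read the key and enter the directory, and the key should be treated as disclosed and replaced.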
