TryHackMe writeup: Linux Privilege Escalation Capstone Challenge

2023-04-27

I tried every method from the teaching part of the room.

  1. Enumeration: find the kernel version and search for a matching exploit. Unfortunately, no usable vulnerability for this kernel was found.
  2. SUDO: "sudo -l" showed that leonard cannot run sudo at all.
  3. SUID: "find / -type f -perm -04000 -ls 2>/dev/null" showed that base64 has the SUID bit set. This is the useful one: with the GTFOBins technique for base64 (https://gtfobins.github.io/gtfobins/base64/) we can read files that would otherwise require root. I tried to locate the two flag files with "find / -name flag1.txt 2>/dev/null" and "find / -name flag2.txt 2>/dev/null", but both returned nothing.
  4. Capabilities: "getcap -r / 2>/dev/null" showed nothing interesting.
  5. Cron jobs: "cat /etc/crontab" showed no cron jobs defined.
  6. PATH hijacking: I tried it without success.
  7. NFS: "cat /etc/exports" returned nothing.
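The SUID check above is the one that paid off, so here is the same check from the defender's side: an added audit script (my own example, not part of the writeup or the room) that compares the SUID binaries on a host against a baseline of the binaries that are normally expected to carry the bit, and reports anything extra such as base64. The baseline list and the sample find output are assumptions I constructed; adjust the baseline to your distribution.

```shell
#!/bin/sh
# Added example: audit SUID binaries against an expected baseline.
# Any path whose basename is not in BASELINE is reported for review.
# BASELINE is an assumption for illustration; tune it per distribution.
BASELINE="passwd sudo su mount umount chsh chfn newgrp gpasswd pkexec fusermount"

# is_baseline NAME -> 0 if NAME is an expected SUID binary, 1 otherwise
is_baseline() {
    for b in $BASELINE; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# flag_suid: read one path per line on stdin, print the unexpected ones
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=$(basename "$path")
        is_baseline "$name" || printf '%s\n' "$path"
    done
}

# Live use on a host (same find command as in the room, without -ls):
#   find / -type f -perm -04000 2>/dev/null | flag_suid
# Remediation for a reported binary is to drop the bit: chmod u-s /path/to/bin

# Constructed sample standing in for find output on a box like this one
SAMPLE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base64
/usr/bin/mount'

# flag_suid_sample: run the audit over the constructed sample
flag_suid_sample() {
    printf '%s\n' "$SAMPLE" | flag_suid
}

flag_suid_sample
```

On the constructed sample only /usr/bin/base64 is reported, which is exactly the finding that made this box exploitable; removing the bit with chmod u-s, or rebuilding the package if it should never have had it, closes that path.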

I had hoped to get a root shell this way, but none of these methods gave one.

Then I used the SUID base64 to read /etc/shadow and found hashed passwords for two more accounts, root and missy. I copied the corresponding lines from /etc/passwd and /etc/shadow to the attacking machine as passwd.txt and shadow.txt, respectively.

Then I combined them with "unshadow passwd.txt shadow.txt > needtohack.txt" and ran "john --wordlist=/root/Tools/wordlists/rockyou.txt needtohack.txt" to crack the hashes.

The password of missy is Password1.

I switched to this user with "su missy". Running "find / -name flag1.txt 2>/dev/null" again as missy showed that flag1.txt is at /home/missy/Documents/flag1.txt.

So flag1 is “THM-42828719920544”.

Then I found that there were three folders under the /home directory. The third, named rootflag, looked suspicious, so I read it with the SUID base64 trick. Luckily, flag2.txt was there.
