In this post, I would like to share some Unintended ways to obtain the root shell by using the vulnerability of the Faculty machine that recently retired which can be read here

Enumerate the Faculty HTB server using linpeas script

Firstly, we need to upload on the victim’s machine to verify the vulnerability

Once the uploading is a success on the victim’s machine, let’s execute the tool so that we can retrieve any useful information on the Faculty HTB machine

After I managed to analyze the linpeas result, i notice that there’s one vulnerability that has been potentially useable on the victim’s machine.

The vulnerability has been coded as CVE-2022-2588 and let’s do some research about the vulnerability on the internet.

I managed to retrieve some information over here and we can download the exploit from GitHub into our attacker’s machine.

The command to proceed would be something such as:

sudo git clone

As a result, we are required to transfer the exploit from the attacker’s machine into the victim’s machine.

There are a few ways to upload the exploit script on the victim’s machine via curl or wget

Let’s execute the exploit on the victim’s machine and see what happens after the exploit finishes the progress.

Based on the GitHub that we read earlier, it’s said that the credentials for the next step would be user:user

We can enter the credential inside the terminal and it should work as shown on the GitHub page.

At last, we managed to get the exploit to work as shown in the screenshot above. However, we shouldn’t worry if the “user” is shown over here because the root is flagged as user.

As a result, we managed to see the root.txt file if the exploit really work as it should.

Another way to verify that we are already accessing it as root, we can run the command “id”