Starting my journey towards the Certified Penetration Testing Specialist (CPTS) certification is more than just learning new exploits; it’s about solidifying my methodology and demonstrating a confident command of core penetration testing principles. Every lab, every box, is a step closer to validating my skills. The low-privilege to root escalation scenario isn’t just a technical exercise—it’s a perfect example of the mindset required for a successful career in this field. It proves that a methodical approach is always a winning strategy, and this walkthrough showcases my confidence in navigating these challenges.
Step 1: Initial Access and Tactical Enumeration 🔍
Gaining an initial foothold is only the first move in a complex game of chess. My objective isn’t just to get in but to understand the terrain fully. As a low-privileged user, user1, I know my scope is limited, but my curiosity isn’t. I’m actively looking for any small misconfiguration that could be my next move. The initial check of sudo permissions was routine, a fundamental step in my playbook.
The fact that I couldn’t run commands as root wasn’t a roadblock—it was expected. The true value was finding the ability to run /bin/bash as user2 without a password. This is a subtle but critical find. It’s not a direct path to the end, but it’s a lateral shift that gives me more freedom and another vantage point. This kind of nuanced discovery is what separates a novice from a seasoned professional.
Bash
sudo -u user2 /bin/bash
This immediate privilege escalation to a new user account proves my ability to adapt and pivot based on the information I’m given.
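The rule behind this pivot is a NOPASSWD entry in sudoers. The following added example (my own code, not from the walkthrough) audits a sudoers fragment for passwordless rules and flags the ones that grant a shell, since any such rule hands over the target account outright. The sudoers text is constructed for the demo; on a real host the input would be /etc/sudoers and /etc/sudoers.d/*.

```shell
#!/bin/sh
# Constructed sudoers fragment standing in for /etc/sudoers and /etc/sudoers.d/*
# (the real files need root to read; `sudo -l` shows a user their own rules).
SAMPLE_SUDOERS='# comment lines and blanks are ignored
root    ALL=(ALL:ALL) ALL

%admin  ALL=(ALL) ALL
user1   ALL=(user2) NOPASSWD: /bin/bash
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
ops     ALL=(ALL) ALL'

# Read sudoers text on stdin; print one line per passwordless rule as
# "<who> -> <runas> : <command>".
list_nopasswd_rules() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep 'NOPASSWD:' |
    while IFS= read -r line; do
        who=$(printf '%s\n' "$line" | awk '{print $1}')
        runas=$(printf '%s\n' "$line" | sed -n 's/.*=(\([^)]*\)).*/\1/p')
        cmd=$(printf '%s\n' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//')
        printf '%s -> %s : %s\n' "$who" "$runas" "$cmd"
    done
}

# Of those, the rules whose command is a shell: each one is equivalent to
# giving the runas account away, which is exactly the lateral move above.
list_shell_rules() {
    list_nopasswd_rules | grep -E ': (/usr)?/bin/(ba|z|da)?sh( |$)'
}

# Stand-alone run against the constructed fragment.
printf '%s\n' "$SAMPLE_SUDOERS" | list_shell_rules
```

This only parses a literal fragment: a full audit also has to follow @include lines, account for `Defaults !authenticate`, and remember that a NOPASSWD command that can spawn a shell (editors, pagers, interpreters) is as good as /bin/bash.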
Step 2: Privilege Escalation to Root—A Meticulous Search 🕵️
Now operating as user2, the game changes. My new environment offers new possibilities, and I’m not leaving any stone unturned. A good penetration tester knows that the key to privilege escalation often lies in a misconfigured file or a vulnerable application. I ran my standard enumeration scripts, and this time, the SUID (Set User ID) binary search revealed a critical mistake: a world-readable id_rsa file in the root user’s SSH directory.
This is the kind of discovery that makes all the methodical work worth it. The permissions, -rw-r--r--, scream security vulnerability. A private SSH key, which should be accessible only by its owner (root), is readable by any user on the system. It’s a textbook example of a major security flaw, and I immediately recognize it as my path to total system control. This is where my experience shines—I don’t just see a file; I see the exploit potential and the story behind the misconfiguration.
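From the defender’s side, this misconfiguration is cheap to find and fix. The following added example (my own code, not from the walkthrough) walks a directory tree, reports private key files whose mode lets group or others read them, and tightens them to 0600. The directory layout and the placeholder key bodies are constructed for the demo; nothing in it is real key material.

```shell
#!/bin/sh
# Audit a tree for private keys readable by group or others, then lock them down.

# Constructed fixture: a fake root home with a 644 "private key" (the lab's
# mistake), a public key (fine at 644) and a correctly protected user key.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/root/.ssh" "$base/home/user2/.ssh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'PLACEHOLDER-NOT-A-REAL-KEY' '-----END OPENSSH PRIVATE KEY-----' \
        > "$base/root/.ssh/id_rsa"
    chmod 644 "$base/root/.ssh/id_rsa"            # world-readable: the finding
    printf '%s\n' 'ssh-rsa PLACEHOLDER-PUBLIC-KEY' > "$base/root/.ssh/id_rsa.pub"
    chmod 644 "$base/root/.ssh/id_rsa.pub"        # public keys may be readable
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END OPENSSH PRIVATE KEY-----' > "$base/home/user2/.ssh/id_ed25519"
    chmod 600 "$base/home/user2/.ssh/id_ed25519"  # owner-only: correct
    printf '%s\n' "$base"
}

# List files under $1 that group or others can read and that carry a
# PEM/OpenSSH private key header, one path per line.
find_exposed_keys() {
    find "$1" -type f \( -perm -004 -o -perm -040 \) 2>/dev/null |
    while IFS= read -r f; do
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' && printf '%s\n' "$f"
    done
}

# Number of exposed keys under $1, as a single integer.
count_exposed_keys() { find_exposed_keys "$1" | wc -l | tr -d ' '; }

# Remediate: owner read/write only. ssh itself refuses to load a private key
# that other users can read, so 0600 is both the safe and the working mode.
lock_down_keys() {
    find_exposed_keys "$1" | while IFS= read -r f; do chmod 600 "$f"; done
}

# Stand-alone run against the constructed tree.
demo_dir=$(make_sample_tree)
echo "exposed before: $(count_exposed_keys "$demo_dir")"
lock_down_keys "$demo_dir"
echo "exposed after:  $(count_exposed_keys "$demo_dir")"
rm -rf "$demo_dir"
```

Run it as root against / (or at least /root and /home) to catch the case in the walkthrough; keys whose first line is not a standard header (PKCS#12 bundles, keys embedded in config files) need a different detector.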
Step 3: Gaining Root Access: The Final Move 🔑
Exploiting this flaw is a clean, direct process that demonstrates my efficiency and knowledge of fundamental Linux operations.
First, I read the contents of the private key using cat.
Bash
cat /root/.ssh/id_rsa
Next, I copied the key to my local machine. A quick chmod 600 ensures that SSH will accept the key, since ssh refuses to load a private key that other users can read. This small but crucial step proves my attention to detail and adherence to best practices, even in the middle of a simulated attack.
Bash
chmod 600 root_key
Finally, I use the private key to log in directly as the root user, bypassing the need for a password entirely.
Bash
ssh -i root_key root@<target_ip> -p <port>
With a single command, I went from a low-privileged user to the ultimate authority on the system. This wasn’t a lucky guess; it was the result of a systematic, confident, and well-executed plan.
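The final login leaves a trace that a defender can alert on: sshd logs every successful key-based login, and the server setting PermitRootLogin decides whether root may log in over SSH at all. The following added example (my own code, not from the walkthrough) extracts successful key-based root logins from sshd log lines and reads the effective PermitRootLogin value from an sshd_config fragment. The log lines, hostname, IP addresses, fingerprints and config are constructed for the demo.

```shell
#!/bin/sh
# Constructed sshd log lines in the usual syslog format (placeholders only).
SAMPLE_AUTH_LOG='Sep 10 12:00:01 target sshd[1234]: Accepted publickey for root from 10.10.14.5 port 51234 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Sep 10 12:00:05 target sshd[1240]: Accepted password for user1 from 10.10.14.5 port 51240 ssh2
Sep 10 12:01:00 target sshd[1250]: Failed password for root from 10.10.14.7 port 51300 ssh2
Sep 10 12:02:30 target sshd[1260]: Accepted publickey for root from 192.0.2.9 port 40000 ssh2: ED25519 SHA256:OTHERPLACEHOLDER'

# Constructed sshd_config fragment with the weak setting.
SAMPLE_SSHD_CONFIG='# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Read sshd log lines on stdin; print "<source ip> <key type> <fingerprint>"
# for every successful key-based root login. Alert on any line, and compare
# the fingerprint with the keys you actually issued for root.
root_key_logins() {
    grep 'Accepted publickey for root from ' |
    sed -n 's/.*for root from \([^ ]*\) port [0-9]* ssh2: \([^ ]*\) \([^ ]*\).*/\1 \2 \3/p'
}

# Effective PermitRootLogin from sshd_config text on stdin. sshd uses the
# first occurrence; if the directive is absent, OpenSSH's built-in default
# since 7.0 is prohibit-password (key logins still allowed, passwords not).
permit_root_login() {
    v=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-prohibit-password}"
}

# Stand-alone run against the constructed data.
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_key_logins
printf 'PermitRootLogin: %s\n' "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login)"
```

Setting PermitRootLogin to no (or at least prohibit-password) would not have undone the readable key, but it would have turned this last step into a failed login in the log instead of a root shell; on a live host read the log from /var/log/auth.log or `journalctl -u ssh`, and check the running config with `sshd -T` rather than the file alone.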
Conclusion: Reinforcing the Fundamentals and Moving Forward 🏆
This walkthrough is a testament to the fact that core principles—the principle of least privilege, secure file permissions, and thorough enumeration—are the most powerful tools in a penetration tester’s arsenal. It’s not about complex exploits; it’s about finding and exploiting the simple mistakes that exist in every system. As I continue my journey towards the CPTS certification, each lab reinforces my belief that a strong foundation and a confident, methodical approach are the keys to success. My skills are sharp, my methodology is sound, and I am ready for the next challenge.