[{"data":1,"prerenderedAt":916},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-publisher-writeup":3,"surround-\u002F2025\u002Ftryhackme-publisher-writeup":907},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"draft":6,"readingTime":14,"body":19,"_type":900,"_id":901,"_source":902,"_file":903,"_stem":904,"_extension":905,"_original_dir":906},"\u002F2025\u002Ftryhackme-publisher-writeup","2025",false,"","TryHackMe - Publisher","A step-by-step guide on how to solve the TryHackMe 'Publisher' room. This write-up covers the initial foothold using a CVE in SPIP CMS and privilege escalation by bypassing AppArmor restrictions.","2025-10-23T16:16:07.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"4 min read",3.215,192900,643,{"type":20,"children":21,"toc":894},"root",[22,28,44,51,55,60,64,81,130,134,155,159,163,169,190,215,219,224,228,233,237,250,254,267,311,315,328,358,362,368,389,440,444,466,470,475,479,484,488,493,528,541,560,572,576,604,608,620,640,644,649,679,696,755,790,824,844,848,868,872,884,888],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target : 
",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fpublisher",[40],"nofollow",[42],{"type":33,"value":43},"publisher.thm",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58],{"type":33,"value":59},"We have a web server, let's examine it.",{"type":23,"tag":24,"props":61,"children":63},{"src":62},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":65,"children":66},{},[67,69,79],{"type":33,"value":68},"Here, ",{"type":23,"tag":70,"props":71,"children":76},"code",{"className":72,"id":74,"style":75},[73],"example-info","just-like-this","color: #4DFFBE",[77],{"type":33,"value":78},"spip",{"type":33,"value":80}," catches our attention. When we examine it, we see that it is a CMS. We can't get anything by manually browsing the site. 
So let's do a directory scan.",{"type":23,"tag":82,"props":83,"children":87},"pre",{"className":84,"code":85,"language":86,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","feroxbuster -eBEg -u http:\u002F\u002Fpublisher.thm -w \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirbuster\u002Fdirectory-list-2.3-medium.txt\n","bash",[88],{"type":23,"tag":70,"props":89,"children":90},{"__ignoreMap":7},[91],{"type":23,"tag":92,"props":93,"children":96},"span",{"class":94,"line":95},"line",1,[97,103,109,114,120,125],{"type":23,"tag":92,"props":98,"children":100},{"style":99},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[101],{"type":33,"value":102},"feroxbuster",{"type":23,"tag":92,"props":104,"children":106},{"style":105},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[107],{"type":33,"value":108}," -eBEg",{"type":23,"tag":92,"props":110,"children":111},{"style":105},[112],{"type":33,"value":113}," -u",{"type":23,"tag":92,"props":115,"children":117},{"style":116},"--shiki-default:#40A02B;--shiki-dark:#98C379",[118],{"type":33,"value":119}," http:\u002F\u002Fpublisher.thm",{"type":23,"tag":92,"props":121,"children":122},{"style":105},[123],{"type":33,"value":124}," -w",{"type":23,"tag":92,"props":126,"children":127},{"style":116},[128],{"type":33,"value":129}," \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirbuster\u002Fdirectory-list-2.3-medium.txt\n",{"type":23,"tag":24,"props":131,"children":133},{"src":132},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":135,"children":136},{},[137,139,145,147,153],{"type":33,"value":138},"From here we get the ",{"type":23,"tag":70,"props":140,"children":142},{"className":141,"id":74,"style":75},[73],[143],{"type":33,"value":144},"\u002Fspip",{"type":33,"value":146}," directory. 
And we find many subdirectories like ",{"type":23,"tag":70,"props":148,"children":150},{"className":149},[],[151],{"type":33,"value":152},"\u002Fspip\u002Flocal\u002Fconfig",{"type":33,"value":154}," where we can learn the spip version.",{"type":23,"tag":24,"props":156,"children":158},{"src":157},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F5.jpg",[],{"type":23,"tag":24,"props":160,"children":162},{"src":161},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F6.jpg",[],{"type":23,"tag":45,"props":164,"children":166},{"id":165},"initial-access",[167],{"type":33,"value":168},"Initial Access",{"type":23,"tag":29,"props":170,"children":171},{},[172,173,179,181,188],{"type":33,"value":138},{"type":23,"tag":70,"props":174,"children":176},{"className":175,"id":74,"style":75},[73],[177],{"type":33,"value":178},"spip 4.2.0",{"type":33,"value":180}," version. When we research, we come across ",{"type":23,"tag":36,"props":182,"children":185},{"href":183,"rel":184},"https:\u002F\u002Fgithub.com\u002Fnuts7\u002FCVE-2023-27372",[40],[186],{"type":33,"value":187},"CVE-2023-27372",{"type":33,"value":189},". This CVE provides us with Remote Code Execution. 
Let's download and test it;",{"type":23,"tag":82,"props":191,"children":193},{"className":84,"code":192,"language":86,"meta":7,"style":7},"git clone https:\u002F\u002Fgithub.com\u002Fnuts7\u002FCVE-2023-27372.git\n",[194],{"type":23,"tag":70,"props":195,"children":196},{"__ignoreMap":7},[197],{"type":23,"tag":92,"props":198,"children":199},{"class":94,"line":95},[200,205,210],{"type":23,"tag":92,"props":201,"children":202},{"style":99},[203],{"type":33,"value":204},"git",{"type":23,"tag":92,"props":206,"children":207},{"style":116},[208],{"type":33,"value":209}," clone",{"type":23,"tag":92,"props":211,"children":212},{"style":116},[213],{"type":33,"value":214}," https:\u002F\u002Fgithub.com\u002Fnuts7\u002FCVE-2023-27372.git\n",{"type":23,"tag":24,"props":216,"children":218},{"src":217},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":220,"children":221},{},[222],{"type":33,"value":223},"When we try to get a reverse shell here, we are not successful. There is probably something preventing this.",{"type":23,"tag":24,"props":225,"children":227},{"src":226},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":229,"children":230},{},[231],{"type":33,"value":232},"But when we test it, we see that some of our commands run successfully.",{"type":23,"tag":24,"props":234,"children":236},{"src":235},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":238,"children":239},{},[240,242,248],{"type":33,"value":241},"We can proceed from here. 
Let's look at our directory with ",{"type":23,"tag":70,"props":243,"children":245},{"className":244},[],[246],{"type":33,"value":247},"pwd > test.txt",{"type":33,"value":249},".",{"type":23,"tag":24,"props":251,"children":253},{"src":252},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":255,"children":256},{},[257,259,265],{"type":33,"value":258},"So if we can get the ssh key of the ",{"type":23,"tag":70,"props":260,"children":262},{"className":261},[],[263],{"type":33,"value":264},"think",{"type":33,"value":266}," user, we can get a stable shell with ssh.",{"type":23,"tag":82,"props":268,"children":270},{"className":84,"code":269,"language":86,"meta":7,"style":7},"python CVE-2023-27372.py -u http:\u002F\u002Fpublisher.thm\u002Fspip -c \"cat \u002Fhome\u002Fthink\u002F.ssh\u002Fid_rsa  > test.txt\" -v\n",[271],{"type":23,"tag":70,"props":272,"children":273},{"__ignoreMap":7},[274],{"type":23,"tag":92,"props":275,"children":276},{"class":94,"line":95},[277,282,287,291,296,301,306],{"type":23,"tag":92,"props":278,"children":279},{"style":99},[280],{"type":33,"value":281},"python",{"type":23,"tag":92,"props":283,"children":284},{"style":116},[285],{"type":33,"value":286}," CVE-2023-27372.py",{"type":23,"tag":92,"props":288,"children":289},{"style":105},[290],{"type":33,"value":113},{"type":23,"tag":92,"props":292,"children":293},{"style":116},[294],{"type":33,"value":295}," http:\u002F\u002Fpublisher.thm\u002Fspip",{"type":23,"tag":92,"props":297,"children":298},{"style":105},[299],{"type":33,"value":300}," -c",{"type":23,"tag":92,"props":302,"children":303},{"style":116},[304],{"type":33,"value":305}," \"cat \u002Fhome\u002Fthink\u002F.ssh\u002Fid_rsa  > test.txt\"",{"type":23,"tag":92,"props":307,"children":308},{"style":105},[309],{"type":33,"value":310}," 
-v\n",{"type":23,"tag":24,"props":312,"children":314},{"src":313},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":316,"children":317},{},[318,320,326],{"type":33,"value":319},"Now let's save this key and give it ",{"type":23,"tag":70,"props":321,"children":323},{"className":322},[],[324],{"type":33,"value":325},"chmod 600",{"type":33,"value":327}," permission, then connect to the target with this key.",{"type":23,"tag":82,"props":329,"children":331},{"className":84,"code":330,"language":86,"meta":7,"style":7},"ssh think@publisher.thm -i id_rsa\n",[332],{"type":23,"tag":70,"props":333,"children":334},{"__ignoreMap":7},[335],{"type":23,"tag":92,"props":336,"children":337},{"class":94,"line":95},[338,343,348,353],{"type":23,"tag":92,"props":339,"children":340},{"style":99},[341],{"type":33,"value":342},"ssh",{"type":23,"tag":92,"props":344,"children":345},{"style":116},[346],{"type":33,"value":347}," think@publisher.thm",{"type":23,"tag":92,"props":349,"children":350},{"style":105},[351],{"type":33,"value":352}," -i",{"type":23,"tag":92,"props":354,"children":355},{"style":116},[356],{"type":33,"value":357}," id_rsa\n",{"type":23,"tag":24,"props":359,"children":361},{"src":360},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F12.jpg",[],{"type":23,"tag":45,"props":363,"children":365},{"id":364},"privilege-escalation",[366],{"type":33,"value":367},"Privilege Escalation",{"type":23,"tag":29,"props":369,"children":370},{},[371,373,379,381,387],{"type":33,"value":372},"When we do a simple ",{"type":23,"tag":70,"props":374,"children":376},{"className":375},[],[377],{"type":33,"value":378},"suid",{"type":33,"value":380}," search, 
",{"type":23,"tag":70,"props":382,"children":384},{"className":383,"id":74,"style":75},[73],[385],{"type":33,"value":386},"\u002Fusr\u002Fsbin\u002Frun_container",{"type":33,"value":388}," catches our attention. So when we run this file, it will run with the permissions of its owner (i.e. root).",{"type":23,"tag":82,"props":390,"children":392},{"className":84,"code":391,"language":86,"meta":7,"style":7},"find \u002F -perm -4000 -type f 2>\u002Fdev\u002Fnull\n",[393],{"type":23,"tag":70,"props":394,"children":395},{"__ignoreMap":7},[396],{"type":23,"tag":92,"props":397,"children":398},{"class":94,"line":95},[399,404,409,414,419,424,429,435],{"type":23,"tag":92,"props":400,"children":401},{"style":99},[402],{"type":33,"value":403},"find",{"type":23,"tag":92,"props":405,"children":406},{"style":116},[407],{"type":33,"value":408}," \u002F",{"type":23,"tag":92,"props":410,"children":411},{"style":105},[412],{"type":33,"value":413}," -perm",{"type":23,"tag":92,"props":415,"children":416},{"style":105},[417],{"type":33,"value":418}," -4000",{"type":23,"tag":92,"props":420,"children":421},{"style":105},[422],{"type":33,"value":423}," -type",{"type":23,"tag":92,"props":425,"children":426},{"style":116},[427],{"type":33,"value":428}," f",{"type":23,"tag":92,"props":430,"children":432},{"style":431},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[433],{"type":33,"value":434}," 2>",{"type":23,"tag":92,"props":436,"children":437},{"style":116},[438],{"type":33,"value":439},"\u002Fdev\u002Fnull\n",{"type":23,"tag":24,"props":441,"children":443},{"src":442},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":445,"children":446},{},[447,449,456,458,464],{"type":33,"value":448},"When we examine this bin file, we come across the code ",{"type":23,"tag":70,"props":450,"children":453},{"className":451,"id":74,"style":452},[73],"color: 
#efb11d",[454],{"type":33,"value":455},"\u002Fbin\u002Fbash \u002Fopt\u002Frun_container.sh",{"type":33,"value":457},". (I checked with ",{"type":23,"tag":70,"props":459,"children":461},{"className":460},[],[462],{"type":33,"value":463},"strings",{"type":33,"value":465},", there are many ways to do this. We can already see this code when we run the bin.)",{"type":23,"tag":24,"props":467,"children":469},{"src":468},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":471,"children":472},{},[473],{"type":33,"value":474},"When we check this file, we see that we have write permissions on this file.",{"type":23,"tag":24,"props":476,"children":478},{"src":477},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F15.jpg",[],{"type":23,"tag":29,"props":480,"children":481},{},[482],{"type":33,"value":483},"But when we try to write, we can't.",{"type":23,"tag":24,"props":485,"children":487},{"src":486},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F16.jpg",[],{"type":23,"tag":29,"props":489,"children":490},{},[491],{"type":33,"value":492},"In this case, we understand that we are in a restricted environment. 
Let's check what services are running on the machine to understand what is happening.",{"type":23,"tag":82,"props":494,"children":496},{"className":84,"code":495,"language":86,"meta":7,"style":7},"service --status-all | grep \"+\"\n",[497],{"type":23,"tag":70,"props":498,"children":499},{"__ignoreMap":7},[500],{"type":23,"tag":92,"props":501,"children":502},{"class":94,"line":95},[503,508,513,518,523],{"type":23,"tag":92,"props":504,"children":505},{"style":99},[506],{"type":33,"value":507},"service",{"type":23,"tag":92,"props":509,"children":510},{"style":105},[511],{"type":33,"value":512}," --status-all",{"type":23,"tag":92,"props":514,"children":515},{"style":431},[516],{"type":33,"value":517}," |",{"type":23,"tag":92,"props":519,"children":520},{"style":99},[521],{"type":33,"value":522}," grep",{"type":23,"tag":92,"props":524,"children":525},{"style":116},[526],{"type":33,"value":527}," \"+\"\n",{"type":23,"tag":29,"props":529,"children":530},{},[531,533,539],{"type":33,"value":532},"In the output, ",{"type":23,"tag":70,"props":534,"children":536},{"className":535},[],[537],{"type":33,"value":538},"apparmor",{"type":33,"value":540}," catches our attention.",{"type":23,"tag":542,"props":543,"children":545},"alert",{"type":544},"question",[546,555],{"type":23,"tag":547,"props":548,"children":549},"template",{"v-slot:title":7},[550],{"type":23,"tag":29,"props":551,"children":552},{},[553],{"type":33,"value":554},"What is AppArmor?",{"type":23,"tag":29,"props":556,"children":557},{},[558],{"type":33,"value":559},"AppArmor is a Linux security module that confines each program with a profile. A profile defines and enforces rules such as \"which files can this application access, which commands can it run, where can it write\".",{"type":23,"tag":29,"props":561,"children":562},{},[563,565,571],{"type":33,"value":564},"Then let's look at the created profiles with ",{"type":23,"tag":70,"props":566,"children":568},{"className":567},[],[569],{"type":33,"value":570},"ls 
\u002Fetc\u002Fapparmor.d",{"type":33,"value":249},{"type":23,"tag":24,"props":573,"children":575},{"src":574},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F17.jpg",[],{"type":23,"tag":29,"props":577,"children":578},{},[579,580,587,589,594,596,602],{"type":33,"value":68},{"type":23,"tag":70,"props":581,"children":584},{"className":582,"id":74,"style":583},[73],"color: #77BEF0",[585],{"type":33,"value":586},"usr.sbin.ash",{"type":33,"value":588}," catches our attention. Ash is a lightweight shell interpreter like ",{"type":23,"tag":70,"props":590,"children":592},{"className":591},[],[593],{"type":33,"value":86},{"type":33,"value":595},". And I think we are currently on the ",{"type":23,"tag":70,"props":597,"children":599},{"className":598},[],[600],{"type":33,"value":601},"ash",{"type":33,"value":603}," shell interpreter and that's why we are facing this restriction.\nWe can simply verify this as follows.",{"type":23,"tag":24,"props":605,"children":607},{"src":606},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":609,"children":610},{},[611,613,618],{"type":33,"value":612},"Then let's check the ",{"type":23,"tag":70,"props":614,"children":616},{"className":615},[],[617],{"type":33,"value":601},{"type":33,"value":619}," profile.",{"type":23,"tag":82,"props":621,"children":623},{"className":84,"code":622,"language":86,"meta":7,"style":7},"cat usr.sbin.ash\n",[624],{"type":23,"tag":70,"props":625,"children":626},{"__ignoreMap":7},[627],{"type":23,"tag":92,"props":628,"children":629},{"class":94,"line":95},[630,635],{"type":23,"tag":92,"props":631,"children":632},{"style":99},[633],{"type":33,"value":634},"cat",{"type":23,"tag":92,"props":636,"children":637},{"style":116},[638],{"type":33,"value":639}," 
usr.sbin.ash\n",{"type":23,"tag":24,"props":641,"children":643},{"src":642},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":645,"children":646},{},[647],{"type":33,"value":648},"And as you can see here, some rules have been given and that's why we couldn't perform our operations.",{"type":23,"tag":650,"props":651,"children":652},"ul",{},[653,659,664,669,674],{"type":23,"tag":654,"props":655,"children":656},"li",{},[657],{"type":33,"value":658},"Can read files (r)",{"type":23,"tag":654,"props":660,"children":661},{},[662],{"type":33,"value":663},"Can execute (x)",{"type":23,"tag":654,"props":665,"children":666},{},[667],{"type":33,"value":668},"Can load into memory (m)",{"type":23,"tag":654,"props":670,"children":671},{},[672],{"type":33,"value":673},"Can pass permissions to subprocesses (i)",{"type":23,"tag":654,"props":675,"children":676},{},[677],{"type":33,"value":678},"Can write (w)",{"type":23,"tag":542,"props":680,"children":682},{"type":681},"warning",[683,691],{"type":23,"tag":547,"props":684,"children":685},{"v-slot:title":7},[686],{"type":23,"tag":29,"props":687,"children":688},{},[689],{"type":33,"value":690},"The most important flag here is the i (inherit) flag.",{"type":23,"tag":29,"props":692,"children":693},{},[694],{"type":33,"value":695},"This means that when the ash shell runs the wget command, for example, that wget process also inherits this AppArmor profile. 
That is, the wget command runs, but it also cannot write to \u002Ftmp or the \u002Fhome directory!",{"type":23,"tag":29,"props":697,"children":698},{},[699,701,706,708,713,715,721,723,728,730,736,738,744,746,753],{"type":33,"value":700},"In this case, we need to switch from ",{"type":23,"tag":70,"props":702,"children":704},{"className":703},[],[705],{"type":33,"value":601},{"type":33,"value":707}," to ",{"type":23,"tag":70,"props":709,"children":711},{"className":710},[],[712],{"type":33,"value":86},{"type":33,"value":714}," so that we can get rid of these restrictions. We can't do this by saying ",{"type":23,"tag":70,"props":716,"children":718},{"className":717},[],[719],{"type":33,"value":720},"\u002Fbin\u002Fbash",{"type":33,"value":722}," directly, because when we check, we see that ",{"type":23,"tag":70,"props":724,"children":726},{"className":725},[],[727],{"type":33,"value":720},{"type":33,"value":729}," is already symbolically linked with ",{"type":23,"tag":70,"props":731,"children":733},{"className":732},[],[734],{"type":33,"value":735},"\u002Fusr\u002Fbin\u002Fbash",{"type":33,"value":737},", we can verify this with ",{"type":23,"tag":70,"props":739,"children":741},{"className":740},[],[742],{"type":33,"value":743},"realpath \u002Fbin\u002Fbash",{"type":33,"value":745},". As you know, our restrictions due to ",{"type":23,"tag":70,"props":747,"children":750},{"className":748,"id":74,"style":749},[73],"color: #EA5B6F",[751],{"type":33,"value":752},"\u002Fusr\u002Fbin\u002F** mrix",{"type":33,"value":754}," also affect this.",{"type":23,"tag":29,"props":756,"children":757},{},[758,760,765,767,772,774,780,782,788],{"type":33,"value":759},"Then we need to call ",{"type":23,"tag":70,"props":761,"children":763},{"className":762},[],[764],{"type":33,"value":86},{"type":33,"value":766}," somewhere other than these directories. 
We can do this by copying ",{"type":23,"tag":70,"props":768,"children":770},{"className":769},[],[771],{"type":33,"value":720},{"type":33,"value":773}," to one of the ",{"type":23,"tag":70,"props":775,"children":777},{"className":776,"id":74,"style":75},[73],[778],{"type":33,"value":779},"\u002Fdev\u002Fshm",{"type":33,"value":781}," and ",{"type":23,"tag":70,"props":783,"children":785},{"className":784,"id":74,"style":75},[73],[786],{"type":33,"value":787},"\u002Fvar\u002Ftmp",{"type":33,"value":789}," directories, which we are currently allowed to write to. (The rules for these two paths do not end in **, so they cover only the directory itself: we can't change the directory, but we can write to paths beneath it.)",{"type":23,"tag":82,"props":791,"children":793},{"className":84,"code":792,"language":86,"meta":7,"style":7},"cp \u002Fbin\u002Fbash \u002Fvar\u002Ftmp\n\u002Fvar\u002Ftmp\u002Fbash\n",[794],{"type":23,"tag":70,"props":795,"children":796},{"__ignoreMap":7},[797,815],{"type":23,"tag":92,"props":798,"children":799},{"class":94,"line":95},[800,805,810],{"type":23,"tag":92,"props":801,"children":802},{"style":99},[803],{"type":33,"value":804},"cp",{"type":23,"tag":92,"props":806,"children":807},{"style":116},[808],{"type":33,"value":809}," \u002Fbin\u002Fbash",{"type":23,"tag":92,"props":811,"children":812},{"style":116},[813],{"type":33,"value":814}," \u002Fvar\u002Ftmp\n",{"type":23,"tag":92,"props":816,"children":818},{"class":94,"line":817},2,[819],{"type":23,"tag":92,"props":820,"children":821},{"style":99},[822],{"type":33,"value":823},"\u002Fvar\u002Ftmp\u002Fbash\n",{"type":23,"tag":29,"props":825,"children":826},{},[827,829,835,837,842],{"type":33,"value":828},"With these commands, let's copy our bash and run it to switch to our bash. When we check, we can now write to ",{"type":23,"tag":70,"props":830,"children":832},{"className":831},[],[833],{"type":33,"value":834},"\u002Fopt\u002Frun_container.sh",{"type":33,"value":836},". 
I directly wrote the code that will show the private ssh key of ",{"type":23,"tag":70,"props":838,"children":840},{"className":839},[],[841],{"type":33,"value":20},{"type":33,"value":843}," at the beginning.",{"type":23,"tag":24,"props":845,"children":847},{"src":846},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":849,"children":850},{},[851,853,859,861,866],{"type":33,"value":852},"Now when we run ",{"type":23,"tag":70,"props":854,"children":856},{"className":855},[],[857],{"type":33,"value":858},"\u002Fusr\u002Fsbin\u002Frun_container",{"type":33,"value":860}," with the suid bit set, it will go to ",{"type":23,"tag":70,"props":862,"children":864},{"className":863},[],[865],{"type":33,"value":834},{"type":33,"value":867}," and run the contents with root privileges and we will get root's private key. This works because the SUID binary is owned by root and the script it runs is writable by our unprivileged user.",{"type":23,"tag":24,"props":869,"children":871},{"src":870},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F21.jpg",[],{"type":23,"tag":29,"props":873,"children":874},{},[875,877,882],{"type":33,"value":876},"With this key we can connect directly to root via ssh. 
Let's save it to a file (in my case ",{"type":23,"tag":70,"props":878,"children":880},{"className":879},[],[881],{"type":33,"value":20},{"type":33,"value":883},") and give the necessary permissions.",{"type":23,"tag":24,"props":885,"children":887},{"src":886},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-publisher-writeup\u002F22.jpg",[],{"type":23,"tag":889,"props":890,"children":891},"style",{},[892],{"type":33,"value":893},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":895,"depth":895,"links":896},4,[897,898,899],{"id":47,"depth":817,"text":50},{"id":165,"depth":817,"text":168},{"id":364,"depth":817,"text":367},"markdown","content:posts:2025:tryhackme-publisher-writeup.md","content","posts\u002F2025\u002Ftryhackme-publisher-writeup.md","posts\u002F2025\u002Ftryhackme-publisher-writeup","md","\u002Fposts",[908,912],{"_path":909,"title":910,"date":911},"\u002F2025\u002Ftryhackme-couch-writeup","TryHackMe - Couch","2025-10-22T06:11:23.000Z",{"_path":913,"title":914,"date":915},"\u002F2025\u002Fhtb-cap-writeup","HTB - 
Cap","2025-10-27T15:49:55.000Z",1776877920190]