
CCT2019 TryHackMe

Running sudo -l reveals that the chester user (or a similar low-privilege user) can run one specific command as root without a password:

User chester may run the following commands on cct2019:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/backup.py
  • Extract suspicious ICMP payloads:
    tshark -r CCT2019.pcap -Y "icmp.type == 8" -T fields -e data.data
  • Decode hex to ASCII: many of the decoded strings start with FLAG: or with base64-like data.
  • cat /etc/crontab
    

    Sometimes a script runs as root every few minutes.

    whoami
    id
    uname -a
    sudo -l
    cat /etc/crontab
    find / -perm -4000 2>/dev/null   # SUID binaries
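
The hex-to-ASCII step for the ICMP payloads above can be scripted. This is an added example, not part of the original write-up: it takes the lines printed by the tshark command (one hex field per echo request) and labels each payload. The function names and the sample lines are constructed for illustration.

```python
import base64
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_field(line):
    """Turn one tshark data.data field (hex, optionally colon-separated) into bytes."""
    cleaned = line.strip().replace(":", "")
    if not cleaned:
        return None                      # echo request with no payload
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return None                      # not valid hex: skip rather than guess

def classify(payload):
    """Label a payload as 'flag', 'base64', 'text' or 'binary'."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return ("binary", payload.hex())
    if not text.isprintable():
        return ("binary", payload.hex())
    if text.startswith("FLAG:"):
        return ("flag", text)
    if len(text) >= 8 and len(text) % 4 == 0 and B64_RE.match(text):
        try:
            inner = base64.b64decode(text, validate=True).decode("ascii")
            if inner.isprintable():
                return ("base64", inner)
        except ValueError:               # bad padding or non-ASCII result
            pass
    return ("text", text)

def triage(lines):
    """Classify every non-empty payload, preserving packet order."""
    decoded = (decode_field(line) for line in lines)
    return [classify(p) for p in decoded if p is not None]

# Constructed sample of tshark output (not taken from CCT2019.pcap).
SAMPLE = [
    "464c41473a6578616d706c65",          # "FLAG:example"
    "61:47:56:73:62:47:38:3d",           # "aGVsbG8=" in colon-separated form
    "",                                  # empty payload
    "08090a0b0c0d0e0f1011",              # control bytes
    "6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",
]                                        # last line: alphabet padding, not base64

if __name__ == "__main__":
    for label, value in triage(SAMPLE):
        print(f"{label:7} {value}")
```

The last sample line matches the base64 alphabet but decodes to non-printable bytes, so it is reported as plain text rather than as an encoded string.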