For Hermit 2, I was initially confused as to why the link wasn't working. I asked support about it
and they said to use the original link for Hermit 1.
First, recall the trick from hermit 1: you can fool the website into treating a PHP file as a PNG by
changing its extension to '.png', and then run arbitrary commands and read their output through
that simple PHP file.
For example, if I wanted to run "rm -rf /" (which I definitely don't, but if I did...), I'd simply type
After that, I decided to enumerate users by looking at /etc/passwd, as the hint told me to, by running "/etc/passwd".
That didn't help, so I enumerated hermit's groups and, lo and behold, what pops up is
So I'm part of the sudo group. That's interesting. Let me open '/etc/sudoers' to find out what I can do.
Running 'cat /etc/sudoers' gives some output, and the following line is the one of interest:
hermit ALL = (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t
Looking up how sudoers entries are written shows that this lets the user hermit run exactly that
command, /bin/gzip -f /root/rootflag.txt -t, as root without entering a password. Because the
arguments are spelled out in the entry, sudo matches them as a whole string: any other gzip
arguments, or the same flags in a different order, would be refused.
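To make that matching rule concrete, here is an added illustration (not code from the original writeup, and not sudo's own implementation) that parses a sudoers line of this shape and checks candidate command lines against it the way sudo does: the user, host and run-as fields must match, the program path must match, and when the rule lists arguments the user's whole argument string must match them. The rule string, the helper names (`parse_rule`, `permitted`, `check_hermit_commands`) and the sample command lines are constructed for the example; only the subset of sudoers syntax this entry needs is handled (no aliases, Defaults or negation).

```python
"""Added illustration: a small model of how sudo matches a sudoers rule such as

    hermit ALL = (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t

against a command line a user tries to run with sudo.  This is not sudo's own
code and covers only the subset of sudoers syntax this entry uses.  The rule
string and the command lines below are constructed for the example.
"""
import fnmatch
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the entry quoted in the writeup.
HERMIT_RULE = "hermit ALL = (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t"

# user host = (runas) TAG: TAG: /path/to/cmd args...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>\S.*)$"
)


@dataclass
class Rule:
    user: str              # user name, or %group
    host: str              # host name, or ALL
    runas: str             # target user; sudo assumes root when omitted
    nopasswd: bool
    command: str           # absolute path of the permitted program
    args: Optional[list]   # None = any arguments; [] = no arguments at all


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
    runas = (m["runas"] or "").split(":")[0].strip() or "root"
    parts = shlex.split(m["cmd"])
    command, rest = parts[0], parts[1:]
    if not rest:
        args = None          # "/bin/gzip" alone would permit any arguments
    elif rest == [""]:
        args = []            # '/bin/gzip ""' permits no arguments at all
    else:
        args = rest
    return Rule(m["user"], m["host"], runas, "NOPASSWD" in tags, command, args)


def permitted(rule: Rule, user: str, argv: list, groups=(), runas="root",
              host="localhost"):
    """Return (allowed, password_required) for `sudo -u <runas> argv...`.

    argv[0] is the resolved program path, as sudo sees it after looking the
    command up in its secure path.
    """
    if rule.user.startswith("%"):
        if rule.user[1:] not in groups:
            return False, True
    elif rule.user not in ("ALL", user):
        return False, True
    if rule.host not in ("ALL", host):
        return False, True
    if rule.runas not in ("ALL", runas):
        return False, True
    if not argv or argv[0] != rule.command:
        return False, True
    if rule.args is not None:
        # sudo joins the user's arguments with single spaces and compares the
        # result to the rule's argument string glob-style; with no wildcards
        # in the rule this is an exact, order-sensitive match.
        if not fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(rule.args)):
            return False, True
    return True, not rule.nopasswd


def check_hermit_commands() -> dict:
    """Try several constructed command lines as hermit against the quoted rule."""
    rule = parse_rule(HERMIT_RULE)
    trials = {
        "exact":      ["/bin/gzip", "-f", "/root/rootflag.txt", "-t"],
        "extra_flag": ["/bin/gzip", "-f", "/root/rootflag.txt", "-t", "-c"],
        "reordered":  ["/bin/gzip", "-t", "-f", "/root/rootflag.txt"],
        "other_file": ["/bin/gzip", "-f", "/etc/shadow", "-t"],
        "other_prog": ["/bin/cat", "/root/rootflag.txt"],
    }
    return {name: permitted(rule, "hermit", argv) for name, argv in trials.items()}


if __name__ == "__main__":
    for name, (allowed, needs_pw) in check_hermit_commands().items():
        print(f"{name:11s} allowed={allowed!s:5s} password_required={needs_pw}")
```

Running it shows that only the exact command line is accepted without a password; appending -c, reordering the flags, pointing gzip at a different file, or naming a different program is refused. That is the check worth doing before assuming a NOPASSWD entry can be widened from the command line: what it grants is the literal argument string, and anything else has to come from what that one command does on its own.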
A natural next step was to actually run "/bin/gzip -f /root/rootflag.txt -t" to get