Hackfail.htb ✭

If you are working through hackfail.htb right now and ran into a specific roadblock, let me know:

The real fail is in /root/fail_log. You can't read it. But you notice fail_trap calls cat /root/fail_log without sanitizing $PATH. You export PATH=/tmp:$PATH, create a fake cat that copies /root/fail_log. Run fail_trap — bingo. The log contains the root password hash.
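The defensive side of the same issue, as an added example that is not part of the original writeup: audit_path flags PATH entries an unprivileged user could write to, and read_log shows how a privileged helper can read a file without trusting the caller's PATH. Both function names are hypothetical, and read_log assumes cat is installed at /bin/cat.

```sh
#!/bin/sh
# Added example (not from the original page): two defensive checks for the
# PATH-hijack pattern described above. Function names are hypothetical.

# audit_path PATHSTRING: print one line per entry that lets an unprivileged
# user place a program ahead of the real one.
audit_path() {
    # Append ":" so a trailing empty entry survives; sed drops the extra line.
    printf '%s:\n' "$1" | tr ':' '\n' | sed '$d' | while IFS= read -r dir; do
        case "$dir" in
            '') echo "EMPTY entry (resolves to the current directory)"; continue ;;
            /*) ;;                                  # absolute: check its mode below
            *)  echo "RELATIVE $dir"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # -L follows symlinks such as /bin -> usr/bin; keep only the mode string.
        perms=$(ls -ldL "$dir" | cut -c1-10)
        case "$perms" in
            # Group- or world-writable. Sticky /tmp (drwxrwxrwt) still matches,
            # because anyone can create new files there.
            ?????w????|????????w?) echo "WRITABLE $dir" ;;
        esac
    done
}

# read_log FILE: how a privileged helper should read a file. The vulnerable
# form is a bare `cat "$1"`, which runs whatever "cat" comes first in PATH.
# The body runs in a subshell so the caller's environment is left untouched.
read_log() (
    PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed value, ignores the caller's PATH
    export PATH
    /bin/cat -- "$1"                     # absolute path: no PATH lookup at all
)
```

Running audit_path "$PATH" as the account that invokes a privileged helper shows which entries need to be removed or locked down.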

Writing the exact that causes this vulnerability

Open a local network listener to catch the inbound terminal connection:

nc -lvnp 4444

Am I checking for writable scripts or libraries in sudo-enabled commands?

See you in the next one!

GET /index.php?page=../../../../etc/passwd HTTP/1.1
Host: hackfail.htb

The system executes the injected shell command, returning a reverse shell as a low-privilege user (typically www-data or a dedicated application user).

Phase 4: Privilege Escalation to User