> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/getting-started_mod-2/wf-privilege-escalation/privesc-tiny-walkthrough.md).

# PrivEsc tiny Walkthrough

Use this walkthrough to move from the provided SSH access to `root` and recover the flag.

### Goal

Log in with the provided user credentials.

Use the allowed privilege path to move to another user.

Recover the `root` SSH key and use it to become `root`.

{% stepper %}
{% step %}

### Log in as `user1`

Start by connecting over SSH with the provided credentials.

This gives you the initial low-privilege shell.

<figure><img src="/files/3VIfYiLlVEQjlL2nxH8O" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Check the allowed `sudo` actions

Run `sudo -l` first.

This shows which commands or users you can access with elevated rights.

<figure><img src="/files/7t4OrudPFLgcI5mYqJI7" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Switch to `user2`

Use the allowed `sudo -u` path to run a shell as `user2`.

That gives you access to the next set of files.

<figure><img src="/files/7i1Imjh66sROb2u8jbdz" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Read the user flag

Once you are `user2`, inspect the accessible files.

Reading `flag.txt` completes the user-level objective.

<figure><img src="/files/ogj8L3jLdTskrUWWbwii" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Recover the `root` private key

Keep checking for sensitive files after the first flag.

Here, the key finding is a readable `id_rsa` file that belongs to `root`.

<figure><img src="/files/opdatCgoYmqQFrg8mlaT" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Save the key locally

Copy the private key into a local file on your attacking box.

You need the key in a separate file before SSH will accept it.

<figure><img src="/files/DtHGUs7Aje7ddxL9Xg1R" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Fix permissions and log in as `root`

Restrict the key permissions, then use it for SSH access:

```bash
chmod 600 local_key
ssh -i local_key root@<TARGET_IP> -p <PORT>
```

This opens a `root` shell on the target.

<figure><img src="/files/Daah9WZnjHNClnk5QfYz" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### Key takeaway

This escalation path stays simple:

* `sudo -l` reveals the next user context.
* `user2` access exposes sensitive files.
* A readable `root` private key leads straight to full access.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/getting-started_mod-2/wf-privilege-escalation/privesc-tiny-walkthrough.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
