- Look in Barry's home dir ![[images/Pasted image 20260215153750.png]] - here's flag2 but we can't read it - Look at `.bash_history` - there's the password! - switch to `barry` ![[images/Pasted image 20260215153959.png]] - light enum ![[images/Pasted image 20260215154009.png]] - no `sudo` privs - we are in the `adm` group, which allows us to view logs - let's review `/var/log` since we are in the `adm` group ![[images/Pasted image 20260215180532.png]] - let's see if flag3 is in here > confirmed; let's `xargs cat` ![[images/Pasted image 20260215180608.png]] # Repeat enum - `$PATH` and env vars ![[images/Pasted image 20260215180753.png]] - Hidden files and dirs ![[images/Pasted image 20260215181008.png]]