Linux Privilege Escalation
November 13, 2022
Last updated: November 13, 2022
For this room, I am going to focus on the last tasks, which bring all of the previous tasks together in a final capstone task. We are given a username and password for SSH access, with the goal of escalating privileges to obtain two flags.
First, we need to enumerate system and user information. Below is what was found:
- sudo information: no sudo rights for the compromised account.
- Kernel information: Linux 3.10.0-1160.el7.x86_64 is running on the system.
- Cron job information: no cron jobs are configured in the crontab.
- SUID information: find / -type f -perm -04000 -ls 2>/dev/null helps us find files with the SUID or SGID bit set.
- Capabilities information: getcap -r / 2>/dev/null revealed some programs that could be used.
Since the current user can read /etc/passwd and has no sudo rights, I decided that the SUID/SGID bit on base64 would work well with the GTFOBins technique for that program. I will be able to use it to read /etc/shadow, and then use that to recover passwords for the existing users.
The SUID bit on base64 should work for this file read.
Great! Now I can copy the contents of /etc/passwd and /etc/shadow over to my attacking machine and see whether john can recover passwords for any of these usernames.
A password for another user! Once I logged in, I was pleased to find the first flag.
Once I was in the account, I enumerated user information and access rights and found that missy has sudo rights to 'find', which may be helpful for the next step. I go ahead and check GTFOBins again and find this line: sudo find . -exec /bin/sh \; -quit
This gives me root access and I am able to read the final flag.
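From the defender's side, the two weaknesses this write-up walks through (a SUID bit on base64, and a sudo rule for find) are both easy to audit for. The script below is an added example, not part of the original room or post: it lists SUID/SGID files under a given root, flags those whose name is on a watchlist of known shell-escape binaries, and flags sudoers-format lines that grant a watchlisted command. The function names, the watchlist contents beyond base64 and find, and the sample sudoers text in the comments are my own assumptions.

```shell
#!/bin/sh
# Added defensive audit; not from the original write-up.
# WATCHLIST: programs that give a file read or a shell when SUID or sudo-enabled.
# base64 and find are the two from the write-up; extend as needed (assumption).
WATCHLIST="base64 find"

# List regular files under ROOT (default /) with the SUID (4000) or SGID (2000)
# bit set. -perm -04000 alone, as used in the write-up, would miss SGID-only files.
list_suid_sgid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print one RISK line per SUID/SGID file whose basename is on WATCHLIST.
flag_risky_suid() {
    list_suid_sgid "${1:-/}" | while IFS= read -r path; do
        name="${path##*/}"
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf 'RISK: %s is SUID/SGID and is a known shell-escape binary\n' "$path"
            fi
        done
    done
}

# Print one RISK line per non-comment line in a sudoers-format file that names a
# watchlisted command, by full path (e.g. /usr/bin/find) or as a bare word.
check_sudo_rules() {
    grep -v '^[[:space:]]*#' "$1" | while IFS= read -r line; do
        for w in $WATCHLIST; do
            case "$line" in
                *"/$w"*|*" $w"*) printf 'RISK: sudo rule grants %s: %s\n' "$w" "$line" ;;
            esac
        done
    done
}

# Stand-alone run against the live system (set AUDIT_RUN=1; root sees everything).
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    flag_risky_suid /
    if [ -r /etc/sudoers ]; then check_sudo_rules /etc/sudoers; fi
fi
```

Run it as a scheduled job and diff the output against a known-good baseline; a new RISK line for a binary like base64 or find is worth a ticket even before anyone has used it.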