Try Hack Me: Advent of Cyber 2 [Day 11] The Rogue Gnome

Samantha
Mar 15, 2021

Room: Advent of Cyber 2

Difficulty: Beginner

This is it — the moment that Elf McEager has been waiting for. It’s the final exam of the Nmap course that he enlisted on during “Day 8 — What’s Under the Christmas Tree?”. It looks like all that hard work of hitting the books has paid off… “Success!” Elf McEager screams… “the exploit worked! Yippeee!”

Elf McEager has successfully managed to create a reverse shell from the target back to his computer. Little did he know, the real exam begins now… The last stage of the exam requires Elf McEager to escalate his privileges! He spent so much time studying Nmap cheatsheets that he’s now drawing a blank… Can you help Elf McEager?

To be the good guy, sometimes you gotta be the bad guy first…

Question #1 What type of privilege escalation involves using a user account to execute commands as an administrator?

Looking through the source material, you can see that it is vertical privilege escalation.

Question #2 What is the name of the file that contains a list of users who are a part of the sudo group?

Again, you find this answer in the source material provided:

Question #3 Use SSH to log in to the vulnerable machine.

Question #4 Enumerate the machine for executables that have the SUID permission set. Look at the output and use a mixture of GTFOBins and your researching skills to learn how to exploit this binary. You may find uploading some of the enumeration scripts that were used during today’s task to be useful.

Run the command to find which executables have the SUID permission set:

It will return a few results, but the main one that sticks out to me right off the bat is /bin/bash.

With the help of GTFOBins, you can see there is definitely a way to take advantage of this.

It turns out to be very simple. Using the following command, you can gain root privileges:

Question #5 What are the contents of the file located at /root/flag.txt?

From here you can easily read the file:

The materials did mention an enumeration script that you could use for this, called LinEnum. I did not need to use it since GTFOBins worked just fine, but I am going to go through how you would use one. I am more comfortable with linPEAS, so I will use that instead.

That link above will give you instructions for how to get linPEAS on your target machine. You can copy the raw script into a file on your local computer and then transfer it over (name it “linpeas.sh”).

Then, create a server on your local machine to transfer it (in the same directory where you saved the file):

Now, back over at the SSH connection, grab the file from the server you just created (use your IP address):

From here you can list the files to ensure it transferred correctly, and then change the permissions to make it executable.

Now you can execute linPEAS:

It will take a little bit of time to run.

Helpful hint: If you don’t already have it set, you should change your scrolling preferences to “unlimited” in your terminal window, so the output doesn’t get cut off. Edit > Profile Preferences > Scrolling > Check Unlimited.

linPEAS will find the exact same vulnerability as earlier, but will also return much more for you to look through in a situation where it isn’t this simple.
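Looking at the same finding from the defender's side, here is a small SUID audit. It is an added example, not part of the original writeup or the room's material. The baseline list, the set of "never SUID" program names and the sample directory tree are all assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: program names that should never carry SUID; extend per site policy.
RISKY_NAMES = {"bash", "sh", "dash", "zsh", "python3", "perl", "find", "vim"}

def find_suid(root):
    """Return sorted [(path, owner_uid)] for regular files under root with SUID set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))  # a SUID file runs as its owner
    return sorted(hits)

def audit(root, baseline):
    """Sort SUID files into critical (shell/interpreter), unexpected, or known."""
    report = {"critical": [], "unexpected": [], "known": []}
    for path, _uid in find_suid(root):
        rel = "/" + os.path.relpath(path, root)
        if os.path.basename(path) in RISKY_NAMES:
            report["critical"].append(rel)
        elif rel not in baseline:
            report["unexpected"].append(rel)
        else:
            report["known"].append(rel)
    return report

def build_sample_tree():
    """Constructed sample: a fake root with placeholder files, three of them SUID."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode in (("bin/bash", 0o4755), ("usr/bin/passwd", 0o4755),
                      ("usr/local/bin/backup", 0o4755), ("bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)  # set the mode after writing so the bit sticks
    return root

if __name__ == "__main__":
    print(audit(build_sample_tree(), baseline={"/usr/bin/passwd"}))
```

On a real host, point `audit()` at `/` with a baseline taken from a known-good install; anything reported as critical should have the bit removed with `chmod u-s`.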

Happy Hacking! ❤
