nadav


Checking for user-specific data and configuration belonging to the nadav user after the lateral movement

Group Membership


nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)

Although I do not know nadav's password, the user is a member of the sudo group as well as the adm group.

Vim History


nadav@passage:~$ cat .viminfo
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!
 
# Value of 'encoding' when this file was written
*encoding=utf-8
 
 
# hlsearch on (h) or off (h):
~h
# last substitute search pattern:
~msle0~&adminidentities=unix-group:root
 
# last substitute string:
$adminidentities=unix-group:sudo
 
# command line history (newest to oldest):
:wq
:%s/AdminIdentities=unix-group:root/AdminIdentities=unix-group:sudo/g
 
# search string history (newest to oldest):
? adminidentities=unix-group:root
 
# expression history (newest to oldest):
 
# input line history (newest to oldest):
 
# input line history (newest to oldest):
 
# registers:
 
# file marks:
'0  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
'1  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
 
# jumplist (newest first):
-'  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-'  1  0  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-'  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  1  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  1  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
 
# history of marks within files (newest to oldest):
 
> /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
	"	12	7
 
> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
	"	2	0
	.	2	0
	+	2	0

The .viminfo file shows that two files were edited, and the command-line history records what was changed: AdminIdentities=unix-group:root was replaced with AdminIdentities=unix-group:sudo

  • /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
  • /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
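Reading .viminfo by hand works for one file, but the same artifact is worth triaging automatically on every account you land on, both as an attacker enumerating a host and as a responder looking for tampered configs. The script below is an added example written for this writeup, not code from the original post: it pulls every path referenced in the file marks, jumplist and per-file mark sections, the ':' command history, the search history, and any :s/pattern/replacement/ substitutions it can parse. The embedded sample is a constructed, trimmed copy of the .viminfo shown above.

```python
"""Pull recently edited files and the command history out of a Vim .viminfo.
Added example for this writeup, not code from the original post. The sample
below is a constructed excerpt modelled on nadav's .viminfo shown above."""
import re
import sys

# Constructed sample (trimmed copy of the sections that matter here).
SAMPLE_VIMINFO = """# This viminfo file was generated by Vim 7.4.
# command line history (newest to oldest):
:wq
:%s/AdminIdentities=unix-group:root/AdminIdentities=unix-group:sudo/g

# search string history (newest to oldest):
? adminidentities=unix-group:root

# file marks:
'0  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
'1  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# jumplist (newest first):
-'  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-'  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# history of marks within files (newest to oldest):

> /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
\t"\t12\t7

> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
\t"\t2\t0
"""

# File marks ('0..'9, 'A..'Z), jumplist entries (-') and per-file mark
# headers (> path) all carry a path: "'0  12  7  /path", "-'  12  7  /path".
FILE_MARK_RE = re.compile(r"^'[0-9A-Z]\s+\d+\s+\d+\s+(\S.*)$")
JUMP_RE = re.compile(r"^-'\s+\d+\s+\d+\s+(\S.*)$")
MARK_HDR_RE = re.compile(r"^> (\S.*)$")
# :[range]s/pattern/replacement/flags, assuming no escaped slashes inside.
SUBST_RE = re.compile(r"^:([%\d,.$'<>]*)s/([^/]*)/([^/]*)/([a-z]*)$")


def parse_viminfo(text):
    """Return paths referenced (most recent first, deduplicated), the
    ':' command history, the search history and any parsed substitutions."""
    files, commands, searches, substitutions = [], [], [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        for rx in (FILE_MARK_RE, JUMP_RE, MARK_HDR_RE):
            m = rx.match(line)
            if m:
                files.append(m.group(1).strip())
                break
        else:
            if line.startswith(":"):
                commands.append(line)
                m = SUBST_RE.match(line)
                if m:
                    substitutions.append({
                        "range": m.group(1), "pattern": m.group(2),
                        "replacement": m.group(3), "flags": m.group(4)})
            elif line[0] in "/?":
                searches.append(line[1:].strip())
    return {"files": list(dict.fromkeys(files)), "commands": commands,
            "searches": searches, "substitutions": substitutions}


if __name__ == "__main__":
    # Usage: python3 viminfo_triage.py [~/.viminfo]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VIMINFO
    info = parse_viminfo(text)
    for path in info["files"]:
        print("file:", path)
    for sub in info["substitutions"]:
        print("substitution: %r -> %r" % (sub["pattern"], sub["replacement"]))
    for cmd in info["commands"]:
        print("command:", cmd)
```

Run it against a real ~/.viminfo as the first argument; the "file:" lines are the paths to diff against package defaults, and a substitution whose pattern touches a polkit, sudoers or D-Bus policy line is the kind of change worth chasing first.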

USBCreator


nadav@passage:~$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
 
nadav@passage:~$ cat /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 
  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>
 
  <!-- Allow anyone to invoke methods (further constrained by
       PolicyKit privileges -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
 
</busconfig>

The D-Bus policy above lets any caller on the system bus send messages to com.ubuntu.USBCreator (the policy with context="default") and leaves authorization to PolicyKit; the polkit configuration in turn lists unix-group:sudo as an admin identity, so members of the sudo group are treated as administrators when USBCreator's PolicyKit check runs. PEAS had already flagged USBCreator as a privilege escalation candidate earlier.

Since nadav is in the sudo group, nadav satisfies that check and can use the USBCreator service, so it can be exploited.
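The two files encode two separate questions: can a caller reach the service at all (the busconfig), and does polkit consider the caller an administrator (AdminIdentities). The script below is an added example for this writeup, not the project's or the author's code; it answers both questions for a given user and group list. The two config strings are copied from the files shown above (DOCTYPE omitted), while the user and group data are constructed, and the second user is hypothetical, included only for contrast.

```python
"""Decide from the two config files whether a local user can reach the
USBCreator D-Bus service and counts as a PolicyKit administrator.
Added example for this writeup, not the project's or the author's code.
The two config strings are copied from the files shown above (DOCTYPE
omitted); the user and group data are constructed."""
import configparser
import xml.etree.ElementTree as ET

DBUS_POLICY = """<busconfig>
  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>
  <!-- Allow anyone to invoke methods (further constrained by PolicyKit) -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
"""

POLKIT_ADMIN_CONF = """[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
"""


def default_send_allowed(busconfig_xml, destination, interface):
    """True if the <policy context="default"> rules let any caller send to
    `destination` on `interface`. D-Bus evaluates rules in order and the
    last matching <allow>/<deny> wins, which is mirrored here."""
    root = ET.fromstring(busconfig_xml)
    allowed = False
    for policy in root.findall("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            if rule.get("send_destination") != destination:
                continue
            iface = rule.get("send_interface")
            if iface is not None and iface != interface:
                continue
            allowed = rule.tag == "allow"
    return allowed


def polkit_admin_identities(conf_text):
    """Parse AdminIdentities from a polkit localauthority .conf (';' separated)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("Configuration", "AdminIdentities", fallback="")
    return [ident.strip() for ident in raw.split(";") if ident.strip()]


def is_polkit_admin(user, groups, identities):
    """unix-user:NAME matches the user, unix-group:NAME matches any group."""
    for ident in identities:
        kind, _, name = ident.partition(":")
        if kind == "unix-user" and name == user:
            return True
        if kind == "unix-group" and name in groups:
            return True
    return False


def assess(user, groups, busconfig_xml=DBUS_POLICY, polkit_conf=POLKIT_ADMIN_CONF,
           destination="com.ubuntu.USBCreator", interface="com.ubuntu.USBCreator"):
    """Combine both checks for one user; `groups` as reported by id(1)."""
    return {
        "can_send": default_send_allowed(busconfig_xml, destination, interface),
        "polkit_admin": is_polkit_admin(user, groups,
                                        polkit_admin_identities(polkit_conf)),
    }


if __name__ == "__main__":
    # Constructed users: nadav's groups from the id output above, and a
    # hypothetical user with no privileged groups for contrast.
    for user, groups in (("nadav", ["nadav", "adm", "sudo"]),
                         ("someuser", ["someuser"])):
        print(user, assess(user, groups))
```

Being listed as an admin identity is what makes polkit accept nadav for administrative authorization; whether a particular method then runs without a password prompt depends on the action's own policy and on how the service performs the check, which is the part the privilege escalation phase relies on.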

Moving on to the Privilege Escalation phase