InfoSec LAB

PermX_sudo_privileges_mtz

Created: 2 min read

mtz

Checking for sudo privileges of the mtz account after making the Lateral Movement

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

The mtz account has a sudo privilege to execute /opt/acl.sh as anyone without getting prompted for password

The bash script, /opt/acl.sh, has already been identified by PEAS in the earlier stage

/opt/acl.sh

mtz@permx:~$ cat /opt/acl.sh
#!/bin/bash
 
if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi
 
user="$1"
perm="$2"
target="$3"
 
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi
 
# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
 
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

The provided Bash script is designed to manage file permissions using Access Control Lists (ACLs) for a specific user on a specified file. It ensures that the file is within the /home/mtz/ directory and is a valid file, preventing directory traversal attacks by disallowing paths with ... The script requires three arguments: a username, permissions, and a file path. It validates the arguments, checks the file’s existence, and then uses sudo to modify the file’s ACL to set the specified permissions for the given user. The script exits with appropriate error messages if the arguments are incorrect or the file does not meet the specified conditions.

Except, the script doesn’t check for linking Moving on to Privilege Escalation phase

Interactive Graph View

Backlinks