kavi


Checking for sudo privileges after making a lateral movement to kavi user

kavi@seventeen:~$ sudo -l
[sudo] password for kavi: 
Matching Defaults entries for kavi on seventeen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User kavi may run the following commands on seventeen:
    (ALL) /opt/app/startup.sh

The kavi user is able to execute the bash script /opt/app/startup.sh with sudo privileges. That script was already enumerated earlier; I failed to execute it at the time due to the privilege limit.

startup.sh


kavi@seventeen:~$ sudo -u root /opt/app/startup.sh
[=] Checking for db-logger
[+] db-logger already installed
[=] Checking for loglevel
[+] Installing loglevel
/opt/app
├── loglevel@1.8.0 
└── mysql@2.18.1 
 
[+] Starting the app

Executing the bash script now successfully installed the new loglevel package and then started the web app, which should now be listening on the 127.0.0.1:8000 socket.

mark@seventeen:/dev/shm$ curl http://localhost:8000
<!DOCTYPE html>
<html>
<head>
<title>Under Construction</title>
</head>
<body>
<p>This page is under construction. Please come back soon!</p>
</body>
</html>

It works. While this is only a static HTML page, the important bit is that the script has successfully loaded the package and started the web application. Additionally, the process is presumably running with the privileges of the root user (via sudo).

There are two npm packages required: db-logger and loglevel. If I manage to hijack either of these packages and get a malicious npm package loaded instead, I might be able to get code execution.

.npmrc


kavi@seventeen:~$ ll
total 44
drwxr-x--- 7 kavi kavi 4096 May 11  2022 ./
drwxr-xr-x 4 root root 4096 Apr  8  2022 ../
lrwxrwxrwx 1 kavi kavi    9 Apr 10  2022 .bash_history -> /dev/null
-rw-r--r-- 1 kavi kavi  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 kavi kavi 3771 Apr  4  2018 .bashrc
drwx------ 2 kavi kavi 4096 Feb 19  2022 .cache/
drwxrwxr-x 3 kavi kavi 4096 Feb 26  2022 .composer/
drwx------ 3 kavi kavi 4096 Feb 19  2022 .gnupg/
drwxrwxr-x 3 kavi kavi 4096 Feb 19  2022 .local/
drwxrwxr-x 2 kavi kavi 4096 Jun 20 10:02 .npm/
-rw------- 1 kavi kavi   32 Jun 20 10:10 .npmrc
-rw-r--r-- 1 kavi kavi  807 Apr  4  2018 .profile

The .npmrc file is the per-user configuration file for npm; npm reads its config settings from this file whenever it runs.

kavi@seventeen:~$ cat .npmrc
registry=http://127.0.0.1:4873

It has the registry variable set to the Verdaccio instance at http://127.0.0.1:4873. I should be able to modify the file to point to a registry that I control and host the payload there.
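From the defender's side, the weak point is that a root-run `npm install` honours a registry setting written in an unprivileged user's .npmrc. Below is an added example (not code from the writeup or from the box) of the check a privileged startup script could run first: parse the .npmrc the install would use and refuse to proceed unless every registry entry points at the expected internal host. The sample .npmrc content and the allowed host set are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample: the line seen on the box plus a scoped registry
# entry that points somewhere other than the internal Verdaccio instance.
SAMPLE_NPMRC = """\
; npm user config
registry=http://127.0.0.1:4873
@internal:registry=http://registry.example.invalid:8080
"""

# Only host:port values listed here are acceptable for a privileged install.
ALLOWED_REGISTRY_HOSTS = {"127.0.0.1:4873"}


def parse_npmrc(text):
    """Return {key: value} for key=value lines; comments and blanks are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def registry_findings(cfg, allowed_hosts):
    """List (key, value) for the default or any scoped registry outside allowed_hosts."""
    findings = []
    for key, value in cfg.items():
        if key != "registry" and not key.endswith(":registry"):
            continue
        if urlparse(value).netloc not in allowed_hosts:
            findings.append((key, value))
    return findings


def install_is_safe(npmrc_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """True only when every registry setting targets an allowed host."""
    return not registry_findings(parse_npmrc(npmrc_text), allowed_hosts)


if __name__ == "__main__":
    for key, value in registry_findings(parse_npmrc(SAMPLE_NPMRC), ALLOWED_REGISTRY_HOSTS):
        print(f"[-] refusing install: {key} points at {value}")
```

npm also reads the project-level .npmrc and NPM_CONFIG_* environment variables, so in practice the script should check `npm config get registry` as run by the privileged user, or pin the registry on the command line instead of trusting a file the unprivileged user owns.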

Moving on to the Privilege Escalation phase