fredf


Checking the sudo privileges of the fredf user after the lateral movement.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

The fredf user can run /opt/devstuff/dist/test/test as the root account without being prompted for a password.

/opt/devstuff/dist/test/test


fredf@dc-9:~$ file /opt/devstuff/dist/test/test
/opt/devstuff/dist/test/test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014, stripped
 
fredf@dc-9:~$ ll /opt/devstuff/dist/test/test
1.2M -rwxr-xr-x 1 root root 1.2M Dec 29  2019 /opt/devstuff/dist/test/test

The /opt/devstuff/dist/test/test file is a 64-bit x86-64 ELF executable.

fredf@dc-9:~$ /opt/devstuff/dist/test/test
Usage: python test.py read append

Executing the binary shows the usage.

fredf@dc-9:~$ ll /opt/devstuff/
total 28K
4.0K drwxr-xr-x 4 root root 4.0K Dec 29  2019 ..
4.0K drwxr-xr-x 3 root root 4.0K Dec 29  2019 dist
4.0K drwxr-xr-x 5 root root 4.0K Dec 29  2019 .
4.0K drwxr-xr-x 2 root root 4.0K Dec 29  2019 __pycache__
4.0K -rw-r--r-- 1 root root  959 Dec 29  2019 test.spec
4.0K drwxr-xr-x 3 root root 4.0K Dec 29  2019 build
4.0K -rw-r--r-- 1 root root  250 Dec 29  2019 test.py
 
fredf@dc-9:~$ cat /opt/devstuff/test.py 
#!/usr/bin/python
 
import sys
 
if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)
 
else :
    f = open(sys.argv[1], "r")
    output = (f.read())
 
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

Tracing back through the parent directories reveals what appears to be a Python project. The /opt/devstuff/dist/test/test file seems to be the binary version of the Python script /opt/devstuff/test.py. The Python script:

  • Reads the file named by the first argument
  • Appends that content to the file named by the second argument.
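
A hardened form of the same read-and-append helper, as an added example that is not part of the original write-up or the target's code: under the sudo rule above the caller picks both paths while the process runs as root, so this version confines source and destination to allowlisted directories. SRC_ROOT, DST_ROOT, MAX_BYTES and the function names are assumptions, and both roots are assumed to be root-owned and not writable by the caller.

```python
import os
import stat

# Hypothetical allowlisted roots and size cap (assumptions, not from the page).
SRC_ROOT = "/opt/devstuff/in"
DST_ROOT = "/opt/devstuff/out"
MAX_BYTES = 1 << 20


def _inside(path, root):
    """Return the symlink-resolved path if it lies under root, else raise."""
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{path!r} resolves outside {root!r}")
    return real


def _open_regular(path, flags):
    """Open without following a final symlink and insist on a regular file."""
    fd = os.open(path, flags | os.O_NOFOLLOW)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"{path!r} is not a regular file")
    return fd


def safe_append(src, dst, src_root=SRC_ROOT, dst_root=DST_ROOT):
    """Append src to dst only when both resolve inside their allowlisted roots."""
    src_real = _inside(src, src_root)
    dst_real = _inside(dst, dst_root)
    with os.fdopen(_open_regular(src_real, os.O_RDONLY), "rb") as f:
        data = f.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("source exceeds size cap")
    # No O_CREAT: the destination must already exist, so no new files appear.
    with os.fdopen(_open_regular(dst_real, os.O_WRONLY | os.O_APPEND), "ab") as f:
        f.write(data)
    return len(data)
```

A narrower sudoers rule that pins the arguments, or running the helper as a dedicated unprivileged account, removes the need for root here entirely.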

Moving on to the Privilege Escalation phase.