openssl ep capability
During the initial enumeration of the escape host, /opt/cert/openssl stood out as it had the ep capability assigned to it. This was confirmed by PEAS at a later stage as well.
tom@escape:/opt/cert$ ll
total 724K
4.0K drwxr-xr-x 2 root root 4.0K Dec 9 2020 .
708K -rwxr-x--- 1 tom tom 707K Dec 9 2020 openssl
4.0K drwxr-xr-x 4 root root 4.0K Dec 9 2020 ..
4.0K -rwx------ 1 root root 1.3K Dec 9 2020 certificate.pem
4.0K -rwx------ 1 root root 1.7K Dec 9 2020 key.pem
Now that I have made the lateral movement to the tom user, I can look into this further.
Checking an online resource revealed that the ep capability means that the binary will run as root.
Another resource revealed that ep stands for effective and permitted, according to the official documentation.
This effectively makes the binary SUID.
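As an added example (not part of the original write-up), this defender-side audit parses getcap-style output and flags files whose effective and permitted sets are root-equivalent. The `=ep` text shown for /opt/cert/openssl, the other sample lines and the HIGH_RISK list are assumptions constructed for illustration.

```python
import re

# Capabilities treated as root-equivalent here (editor's choice, not from the page).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}
ALL = "*"  # sentinel: a clause with an empty capability list names every capability
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
ACTION = re.compile(r"([=+-])([eip]*)")
# Constructed sample in both getcap text styles; only the openssl path is from the page.
SAMPLE = """\
/opt/cert/openssl =ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
"""

def parse_caps(text):
    """Parse cap_to_text() style clauses into effective/inheritable/permitted sets."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        names = {ALL} if m.group(1) in ("", "all") else set(m.group(1).split(","))
        for op, flags in ACTION.findall(m.group(2)):
            if op == "=":  # '=' resets the named capabilities in all three sets first
                for key in sets:
                    sets[key] = set() if ALL in names else sets[key] - names
            for flag in flags:
                if op == "-":  # lowering one cap from ALL keeps ALL (over-reports, never under)
                    sets[flag] = set() if ALL in names else sets[flag] - names
                else:
                    sets[flag] |= names
    return sets

def audit(getcap_output):
    """Return (path, reason) for files whose effective+permitted caps are root-equivalent."""
    findings = []
    for line in getcap_output.strip().splitlines():
        path, _, text = line.strip().partition(" ")  # assumes no spaces in the path
        caps = parse_caps(text)
        live = caps["e"] & caps["p"]
        if ALL in live:  # "=ep": every capability is permitted and effective
            findings.append((path, "full capability set"))
        elif live & HIGH_RISK:
            findings.append((path, ",".join(sorted(live & HIGH_RISK))))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, pass it the output of `getcap -r / 2>/dev/null` instead of the constructed sample.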
Moving on to the Privilege Escalation phase