Vulnhub Escalate_Linux: 1 Walkthrough

by Vince
in Blog
Hits: 5000

There are a few new releases on Vulnhub and the one I'm writing about today claims there are 12 avenues for privilege escalation.  Honestly, I'm not interested in finding 12 different privilege escalations.  I have the patience and the time for one.  I figured with that many avenues, this would be over quickly.  I appreciate the effort but I'm one and done on this box.

If you're on the hunt for all 12, I've got a few hints in the screenshots.  I would also look at cron because I seem to recall seeing something there as well when I was hunting around post root.  

Anyway, kicking off with Nmap:





Quite a lot of output so I broke it up into two:





While I was running fuzzing tools on port 80, I started poking around at SMB.  I found this:





Couldn't access it with the Guest account and then I moved on and never came back.  Could be something there.

Our Gobuster output uncovers:





shell.php -- looks interesting:





I have an idea as to what to do here:





Cool.  We can execute commands.  Except I tried to run something with a little more length to it and it didn't like it so I started to URL encode with Burp and that seemed to do the trick:





Prior to going for the shell, I just want to run wget to see if I can make outbound connections. 

Feeding our URL encoded command into Repeater:





With a handler setup:





Excellent!  We catch the inbound connection. 


Let's see if Python is installed:





Feeding our data into Repeater:





Checking the output window:





Excellent!  

Now for a Python reverse shell:





Feeding it into Repeater:





With our handler setup:





When I clean up the shell, I'm getting double characters which is annoying.  We can clean that up with:

stty raw -echo

Checking out /etc/passwd

Bunch of users which I'm sure is one big giant troll to get 12 privilege escalations.  





But with all of those users, I wonder if we can gather some information from .bash_history files:





I clipped off a bunch of the lines but if you're interested in more roots, you'll want to parse through it.  There are some juicy bits in there.

Based on the above output, I wondered if there were some incorrect permissions set:





We find a couple of scripts that run with root privileges.  

If you attempt to run /home/user3/shell from outside of the user's directory, it won't work because it calls the .script.sh file which also resides in that directory. 

But if you're in the directory:



... it's able to call the .script.sh file which then runs bash as root and therefore makes you root.  #GameOver

You could abuse this shell command by creating your own .script.sh file in /tmp and then run /home/user3/shell

For example:

cd /tmp
echo "cat /etc/shadow" >> ./.script.sh
/home/user3/shell

It should produce the contents of the shadow file.  You could also modify or overwrite the shadow file.  

Anyway, my time is up.  Hope this helps.