
As you’ve seen in another challenge in this category, setuid programs can provide great power and flexibility, but if not secured properly, can easily lead to a full system compromise.

Your mission is to get a root shell on the box!

Level difficulty: Easy

Category: Privilege Escalation > Linux

Solution

On this challenge, I got the web interface of a Linux terminal and I was authenticated as an unprivileged user named student.


Because my task is about “Exploiting Setuid Programs”, of course I started searching for getuid and setuid programs.


And one pops straight to my face as a permission misconfiguration:


Abusing vim.tiny setuid permission to edit restricted file:


Now that we know the setuid attack works, create a password hash.

student@attackdefense:~$ openssl passwd -1 -salt root pass123
$1$root$quimBCDAqK3JX3mbeqrrD1
student@attackdefense:~$

Proceed with editing the /etc/shadow file and replace the root password hash with the newly generated one.


Authenticate to the root user account:

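
On the defensive side, the misconfiguration used above (a setuid bit on vim.tiny) is what a periodic setuid audit should catch. The script below is an added example, not part of the original write-up; the function names and both lists of program names (expected setuid programs and programs that must never be setuid) are assumptions to adapt to the system being audited.

```shell
#!/usr/bin/env bash
# Added example: report setuid files under a directory tree and grade each one.
# Both name lists are assumed, non-exhaustive baselines, not taken from the write-up.

# Grade one path by its basename.
#   CRITICAL: editors, pagers, copy tools and interpreters. They read or write
#             arbitrary files or run commands by design, so setuid is never safe.
#   OK:       programs that normally ship setuid on Debian-style systems.
#   REVIEW:   anything else; needs a human decision.
classify_setuid() {
    case "$(basename "$1")" in
        vi|vim|vim.*|nano|ed|less|more|cp|mv|find|sh|bash|dash|python*|perl*|awk)
            echo CRITICAL ;;
        su|sudo|passwd|chsh|chfn|newgrp|gpasswd|mount|umount)
            echo OK ;;
        *)
            echo REVIEW ;;
    esac
}

# Print "GRADE<TAB>owner mode<TAB>path" for every setuid regular file under $1.
# Returns 1 if at least one CRITICAL entry was found, 0 otherwise.
audit_setuid() {
    root=${1:-/}
    report=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r f; do
            printf '%s\t%s\t%s\n' \
                "$(classify_setuid "$f")" "$(stat -c '%U %a' "$f")" "$f"
        done)
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^CRITICAL'
}

# Stand-alone use: ./audit.sh --scan /usr
if [ "${1:-}" = "--scan" ]; then
    audit_setuid "${2:-/}"
fi
```

A CRITICAL entry is remediated by clearing the bit with chmod u-s on the reported path; running the audit from cron and alerting on a non-zero exit status turns it into a regression check.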