
AttackDefense.com [PE] - Exploiting Setuid Programs II


As you’ve seen in another challenge in this category, setuid programs can provide great power and flexibility, but if not secured properly, can easily lead to a full system compromise.

Your mission is to get a root shell on the box!

Level difficulty: Easy

Category: Privilege Escalation > Linux

Solution

On this challenge, I got the web interface of a Linux terminal and I was authenticated as an unprivileged user named student.


Because my task is about “Exploiting Setuid Programs”, of course I started searching for getuid and setuid programs.


And one pops straight to my face as a permission misconfiguration:


Abusing vim.tiny setuid permission to edit restricted file:


Now that we know the setuid attack works, create a password hash.

student@attackdefense:~$ openssl passwd -1 -salt root pass123
$1$root$quimBCDAqK3JX3mbeqrrD1
student@attackdefense:~$

Proceed with editing the /etc/shadow file and replace the root password hash with the newly generated one.


Authenticate to the root user account:
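
For defenders, the misconfiguration this walkthrough relies on (a setuid bit on an editor such as vim.tiny) can be caught with a periodic audit of setuid files. The script below is an added example, not part of the original post; the RISKY_NAMES list and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag the ones
# whose program can write arbitrary files or start a shell.
# RISKY_NAMES is an assumed, illustrative list; extend it for your own hosts.
RISKY_NAMES="vim vim.tiny vim.basic vi view nano ed less more cp mv tee dd find awk sed sh dash bash perl python3"

# is_risky NAME -> exit status 0 when NAME is on the list above
is_risky() {
    for n in $RISKY_NAMES; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# audit_setuid DIR -> one line per setuid file: "<RISKY|REVIEW> <owner> <path>"
# -xdev stays on one filesystem; -perm -4000 matches files with the setuid bit.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        owner=$(stat -c %U "$f" 2>/dev/null || echo unknown)
        if is_risky "$(basename "$f")"; then
            echo "RISKY $owner $f"    # setuid here is a misconfiguration
        else
            echo "REVIEW $owner $f"   # compare against the distro baseline
        fi
    done
}

# count_risky DIR -> number of RISKY findings (usable as a cron or CI gate)
count_risky() {
    audit_setuid "$1" | grep -c '^RISKY ' || true
}

# When called with a directory argument, print the report for it.
if [ -n "${1:-}" ]; then
    audit_setuid "$1"
fi
```

A RISKY finding is remediated by clearing the bit with chmod u-s on the reported path; REVIEW entries such as passwd are normally expected and only need checking against the distribution's defaults.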


This post is licensed under CC BY 4.0 by the author.