Premise

In this walk-through, we went over a Linux box that is outdated. We navigated through the FTP server and executed our own commands. Then we escalated our privileges through an Overlayfs exploit.

Machine Name: Outdated

Difficulty: Easy

Skills Learned

  • Linux privilege escalation
  • FTP
  • Overlayfs Exploit

Finding a Way In

I started by scanning the machine to see what services were running. I found an FTP server, an SSH server, and an NFS file share. I decided to start with the FTP server, which was running ProFTPD version 1.3.5.

I used a tool called searchsploit to look for exploits for this version of ProFTPD and found a couple of interesting ones. However, I wanted to try to exploit the machine manually to get a better understanding of how the vulnerability worked.

I noticed that the FTP server had a couple of interesting commands: site cpfr (copy from) and site cpto (copy to). These commands allow you to copy files from one location to another on the server. I realized that I could use these commands to copy sensitive files, like the /etc/passwd file and SSH keys, to the NFS share, which I could then access from my own machine.

Getting a Shell

I mounted the NFS share on my machine and then used the nc command to connect to the FTP server. I then used the site cpfr and site cpto commands to copy the /etc/passwd file and the SSH key for a user named “daniel” to the NFS share.

Once I had the SSH key, I was able to log in to the machine as “daniel” using the ssh command. I now had a shell on the machine!
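The SITE CPFR / SITE CPTO copying described above leaves a recognizable pattern in FTP command logs. The following is an added example, not part of the original walk-through: it flags completed copy pairs that were issued without a login or that read from sensitive paths. The log layout (client IP, user or "-" when not logged in, quoted command, reply code), the reply codes 350 and 250, the SENSITIVE watch list and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed log layout (constructed): client_ip user "command" reply_code
# The user field is "-" when the session never logged in.
LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3})$')
SENSITIVE = ("/etc/", "/root/", "/.ssh/")  # assumed watch list

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
198.51.100.7 - "SITE CPFR /etc/passwd" 350
198.51.100.7 - "SITE CPTO /var/nfs/backups/passwd" 250
192.0.2.10 backup "SITE CPFR /srv/ftp/report.txt" 350
192.0.2.10 backup "SITE CPTO /srv/ftp/archive/report.txt" 250
198.51.100.7 - "SITE CPFR /nonexistent" 550
198.51.100.7 - "SITE CPTO /var/nfs/backups/x" 503
"""

def find_copy_abuse(log_text):
    """Return one alert per completed CPFR/CPTO pair that looks suspicious."""
    pending = {}   # client ip -> source path of the last accepted CPFR
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, user, command, status = m.groups()
        parts = command.split(None, 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        verb, path = parts[1].upper(), parts[2]
        if verb == "CPFR":
            # Only an accepted CPFR (350 assumed) arms a copy for this client.
            pending.pop(ip, None)
            if status == "350":
                pending[ip] = path
        elif verb == "CPTO" and ip in pending:
            src = pending.pop(ip)
            if status != "250":        # copy did not complete
                continue
            reasons = []
            if user == "-":
                reasons.append("unauthenticated")
            if any(marker in src for marker in SENSITIVE):
                reasons.append("sensitive-source")
            if reasons:
                alerts.append({"ip": ip, "src": src, "dst": path, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_copy_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample, only the first pair is reported; the authenticated copy between ordinary paths and the failed pair are ignored.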

Becoming Root

Now that I had a shell, my next goal was to become the root user. I used the uname -a command to check the kernel version and found that it was vulnerable to an “overlayfs” exploit.

I downloaded the exploit to my machine and then used the scp command to transfer it to the target machine. I then made the exploit executable using the chmod +x command and ran it. The exploit worked, and I was now the root user! 🥳

Commands I Used

Here are some of the key commands I used during this process:

  • Searching for exploits: searchsploit proftpd 1.3.5
  • Mounting the NFS share: sudo mount -t nfs 172.31.1.18:/var/nfs/backups /mnt/shares
  • Connecting to the FTP server: nc 172.31.1.18 21
  • Copying files on the FTP server: site cpfr /etc/passwd and site cpto /var/nfs/backups/passwd
  • Logging in with SSH: ssh -i id_rsa daniel@172.31.1.18
  • Checking the kernel version: uname -a
  • Transferring files with SCP: scp exploit.c daniel@172.31.1.18:/tmp/exploit.c
  • Making a file executable: chmod +x exploit

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.