Premise

In this walkthrough, we demonstrated basic enumeration of a Linux system. We performed command execution through a vulnerable ping form and then escalated privileges by exploiting a security misconfiguration in the sudo binary.

Machine Name: Unroot

Difficulty: Beginner

Skills Learned

  • Command Injection
  • OWASP
  • Sudo Exploitation

Finding the Way In

My first step was to run an Nmap scan to see what services were running. The initial scan gave me some strange results, but a more targeted stealth scan revealed an SSH server on port 22 and a phpMyAdmin interface on port 80.

I tried some default credentials on the phpMyAdmin login page, but that didn’t work. I didn’t want to get locked out by a firewall, so I decided to look for other ways in. I used a directory-busting tool to find hidden directories and discovered a /dev directory.

Inside the /dev directory, I found a pingtest page that allowed you to ping an IP address. I immediately suspected a command injection vulnerability, and I was right! By adding a semicolon (;) after the IP address, I was able to run other commands, like ls and id. This confirmed that I could execute commands on the server as a user named “joey”.
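The injectable ping-form pattern beside a hardened version, as an added Python example (constructed here, not the Unroot box's PHP page): the vulnerable variant only builds the command string so the injection is visible without executing anything, and the hardened variant validates the target and runs ping without a shell.

```python
"""Ping-form handler: the injectable pattern beside a hardened version.

Constructed example, not the machine's own pingtest page.
"""
import ipaddress
import re
import subprocess

# Hostnames: letters, digits, hyphens, dots only, so no shell metacharacters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_unsafe(target: str) -> str:
    """Vulnerable pattern: user input concatenated into one shell string.
    Handed to a shell (shell=True, PHP shell_exec, ...), a ';' in `target`
    terminates the ping command and starts a second one, as on this box."""
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Hardened input check: accept only an IP literal or a plain hostname.
    Anything else (semicolons, pipes, spaces, backticks) raises ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not an IP address or hostname")


def build_ping_argv(target: str) -> list[str]:
    """Hardened pattern: validated input as a single argv element, no shell.
    Nothing parses the target as shell syntax, so it cannot become a
    separate command even if the validation were ever bypassed."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> str:
    """Run the validated ping without a shell and return its stdout."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


def is_injection_attempt(target: str) -> bool:
    """Detection helper for web logs: flag form inputs that fail validation
    and carry shell metacharacters, like the ';' used against this form."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return any(ch in target for ch in ";|&`$(){}\n")
```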

Getting a Shell

Now that I could run commands, I wanted to get a proper reverse shell. I tried a few different payloads, but they didn’t work. I then found a PHP reverse shell payload from Pentest Monkey, which did the trick. I set up a listener on my machine, executed the payload, and got a shell as the “joey” user.

Becoming Root

With a shell on the machine, my next goal was to become the root user. I started by looking for files with the SUID bit set, which allows you to run them with the permissions of the file owner. I found that the sudo binary had the SUID bit set and was owned by root.

I knew about a vulnerability in some versions of sudo where you can use the -u#-1 flag to run a command as root, even if you’re not in the sudoers file. I tried this with the /bin/bash command, and it worked! I was now the root user.

Commands I Used

Here are some of the key commands I used during this process:

  • Scanning for services: nmap -sS <IP>
  • Listing files: ls
  • Checking the current user: id
  • Setting up a Netcat listener: nc -lvp 4545
  • Finding SUID files: find / -perm -u=s -type f 2>/dev/null
  • Checking file permissions: ls -la
  • Escalating privileges with sudo: sudo -u#-1 /bin/bash

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.