Premise
In this walkthrough, we demonstrated basic enumeration of a Linux system. We performed command execution through a vulnerable ping form and then escalated privileges by exploiting a security misconfiguration in the sudo binary.
Machine Name: Unroot
Difficulty: Beginner
Skills Learned
- Command Injection
- OWASP
- Sudo Exploitation
Finding the Way In
My first step was to run an Nmap scan to see what services were running. The initial scan gave me some strange results, but a more targeted stealth scan revealed an SSH server on port 22 and a phpMyAdmin interface on port 80.
I tried some default credentials on the phpMyAdmin login page, but that didn’t work. I didn’t want to get locked out by a firewall, so I decided to look for other ways in. I used a directory-busting tool to find hidden directories and discovered a `/dev` directory.
Inside the `/dev` directory, I found a `pingtest` page that allowed you to ping an IP address. I immediately suspected a command injection vulnerability, and I was right! By adding a semicolon (`;`) after the IP address, I was able to run other commands, like `ls` and `id`. This confirmed that I could execute commands on the server as a user named “joey”.
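To show why the semicolon worked and what the fix looks like, here is an added example (not code from the Unroot box or the original post): a constructed version of the vulnerable ping handler beside a hardened one that validates the target as a literal IP address and never hands user input to a shell.

```python
import ipaddress
import subprocess

# Vulnerable pattern (constructed to mirror the pingtest page): the
# user-supplied target is concatenated into a shell command line, so a
# ';' terminates the ping command and starts a second one.
def unsafe_ping_command(target: str) -> str:
    return "ping -c 1 " + target


def validate_target(target: str) -> ipaddress._BaseAddress:
    """Accept only a literal IPv4/IPv6 address and reject everything else.

    ipaddress.ip_address() fails on spaces, ';', '|', '$(...)', hostnames
    and ranges, so shell metacharacters never get past this point.
    """
    try:
        return ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"invalid ping target: {target!r}") from exc


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around validate_target(), handy for form handling."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list[str]:
    """Build ping's argv list; no shell is involved at any stage.

    subprocess.run(argv) with the default shell=False passes each element
    straight to execve(), so even a value containing ';' would be a single
    argument to ping rather than a new command.
    """
    addr = validate_target(target)
    return ["ping", "-c", "1", str(addr)]


def run_ping(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run the validated ping with output captured and a hard timeout."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)
```

The unsafe builder shows the injected second command surviving intact; the hardened path rejects the same input before any process is started.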
Getting a Shell
Now that I could run commands, I wanted to get a proper reverse shell. I tried a few different payloads, but they didn’t work. I then found a PHP reverse shell payload from Pentest Monkey, which did the trick. I set up a listener on my machine, executed the payload, and got a shell as the “joey” user.
Becoming Root
With a shell on the machine, my next goal was to become the root user. I started by looking for files with the SUID bit set, which allows you to run them with the permissions of the file owner. I found that the `sudo` binary had the SUID bit set and was owned by root.
I knew about a vulnerability in some versions of `sudo` where you can use the `-u#-1` flag to run a command as root, even if you’re not in the `sudoers` file. I tried this with the `/bin/bash` command, and it worked! I was now the root user.
Commands I Used
Here are some of the key commands I used during this process:
- Scanning for services: `nmap -sS <IP>`
- Listing files: `ls`
- Checking the current user: `id`
- Setting up a Netcat listener: `nc -lvp 4545`
- Finding SUID files: `find / -perm -u=s -type f 2>/dev/null`
- Checking file permissions: `ls -la`
- Escalating privileges with sudo: `sudo -u#-1 /bin/bash`