-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #110 from julianhal/prime-root
Add fessemisk prime time root
- Loading branch information
Showing
1 changed file
with
29 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Prime Time (Root) | ||
|
||
## Description | ||
Can you escalate your privileges to root? | ||
|
||
Use the same instance as for Prime Time (user). | ||
|
||
## Solution | ||
|
||
Starting from the reverse shell gained in the user challenge, we aim to escalate privileges to root. Running [linpeas](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) reveals that our user can execute all scripts in `/opt/CSCOlumos/rcmds/` as root without a password: | ||
|
||
|
||
|
||
From the reverse shell we gained in the user challenge, we have to now try and escalate our privileges to root. I quickly run [linpeas](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) on the box and scroll through the output. | ||
|
||
From linpeas, we see that that our user can run all script in the `/opt/CSCOlumos/rcmds/` directory as root without a password. | ||
|
||
```bash | ||
User prime may run the following commands: | ||
(ALL) SETENV: NOPASSWD: /opt/CSCOlumos/rcmds/ | ||
``` | ||
This directory contains many scripts, offering multiple potential paths to root. Writing secure Bash code can be challenging, and common pitfalls make it easy to overlook vulnerabilities. For more on these issues, check out [Bash Pitfalls](https://mywiki.wooledge.org/BashPitfalls). | ||
|
||
Among the many scripts in this directory, some have a race condition vulnerability. These scripts copy a temporary file to `/tmp` and then execute it. By continually overwriting this file with a simple bash command, we can get a root shell: | ||
```bash | ||
while true; do echo -e '#!/bin/sh\n/bin/bash' > /tmp/rmanExec.sh; done | ||
``` | ||
|
||
The flag is in `/root/root.txt`. |