I learned about SUID with this box. The user access I found easy; I think I got user in under 10 minutes, which is a first for me. The PE part took me some time, with a few nudges!
Searching for sticky bits
Understanding a bit more about standard linux binaries
Adding an echo command to a file to see if it executes it.
nmap -sC -sV -oA all -vv -p- 10.10.10.117
I see that there is an IRC server and took a look for a metasploit module.
After upgrading the shell I browsed to the home directory to see what users there were. I saw there was ircd, which I was logged in as, and djmardov. Traversing into the djmardov user's home directory there were a few files, laid out in the Windows style:
Desktop Documents Downloads Music Pictures Public Templates Videos
I ran ls -laR to search for files within all the directories in djmardov and found the user.txt file as well as another hidden file called .backup.
I tried to view user.txt but couldn't – I’m not the user djmardov.
ircd@irked:/home/djmardov/Documents$ cat user.txt
cat: user.txt: Permission denied
I checked to see what was in the contents of .backup:
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
Hmm, so I have a steg password for something, probably an image.
Back to the nmap scan: there is also an HTTP server.
It reveals an image, and I guessed that this is the image the steg password is for.
I downloaded the image to Kali.
For some reason steghide is not installed by default in Kali, so I ran apt-get install steghide to install it. Following its help page I extracted the data from the file as shown below.
I ssh’d in as dj
djmardov@irked:~$ cat Documents/user.txt
The PE part took me a lot of time and I needed a few nudges. I’ll go through some of my thoughts, some commands I used and what I was looking for.
djmardov@irked:/tmp$ sudo -l
-bash: sudo: command not found
Tested to see what sudo commands djmardov can run. He has not been given access to sudo (the binary isn't even installed). Sometimes you get lucky with this PE route.
What I initially noticed was the date of /usr/bin/viewuser: it was 2018, meaning recently modified, unlike the rest of the standard binaries. I copied and pasted the other commands in to see what would happen. I also ran the command on my Kali machine.
You could get that binary to execute a reverse shell with root access.
I learned some important stuff with this box. Check for SUID bits and look for binaries which are not standard in that version of Linux. Also, if you're not sure what a file is doing, add an echo command to see if it executes it.
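As an added example (my own script, not part of the original writeup), here is a POSIX shell function that does the two checks from the lessons above in one pass: it lists every setuid file under a directory, compares each against a baseline file of expected SUID paths (assumed to be generated on a clean reference install of the same distro release), and flags any that were modified within the last N days, which is the same signal as the 2018 date on /usr/bin/viewuser. The names audit_suid, count_unexpected and the baseline file path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audits setuid files under DIR.
#   audit_suid DIR BASELINE_FILE [DAYS]
# BASELINE_FILE holds one expected SUID path per line (build it on a clean
# reference system of the same release with: find / -xdev -type f -perm -4000).
# Output lines:
#   UNEXPECTED <path>  - setuid file not in the baseline (e.g. a non-standard binary)
#   RECENT <path>      - setuid file modified within the last DAYS days (default 30)
audit_suid() {
    dir=$1
    baseline=$2
    days=${3:-30}
    # -xdev keeps the sweep on one filesystem; -perm -4000 matches the setuid bit.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        # -x: whole-line match, -F: literal string, so /a/b never matches /a/bc.
        if ! grep -qxF "$f" "$baseline"; then
            echo "UNEXPECTED $f"
        fi
        # find -mtime -N prints the file only if it changed within the last N days.
        if [ -n "$(find "$f" -mtime "-$days" 2>/dev/null)" ]; then
            echo "RECENT $f"
        fi
    done
}

# count_unexpected DIR BASELINE_FILE [DAYS] : number of UNEXPECTED lines.
# awk always exits 0, so this is safe under set -e even when the count is 0.
count_unexpected() {
    audit_suid "$@" | awk '/^UNEXPECTED /{n++} END{print n+0}'
}

# Stand-alone use (hypothetical baseline path): audit the root filesystem.
# audit_suid / /root/suid-baseline.txt 90
```

A binary that shows up as both UNEXPECTED and RECENT is the one to look at first. Before running it, inspect it: `ls -la`, `file`, and `strings` on the binary, and on a lab copy `strace -f` or `ltrace`, will show whether it executes another file, which is what the echo trick in the writeup confirms.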